Original article Jaromir Horejsi, Joseph C Chen
We investigated a number of websites offering cracks and pirated software that start an infection chain leading to multiple pieces of malware and adware, including CopperStealer and the LNKR adware. The malicious samples are usually distributed via pay-per-install (PPI) networks. Our analysis showed that the CopperStealer samples we found scan infected systems for specific browser credentials and cookies. They also abort the entire routine if the system's language settings are Chinese, if they are running in a sandbox, or if they are being analyzed in a debugger. In addition, they can install malicious browser extensions and steal stored Facebook and Google credentials for use in malicious advertising.
Figure 1. Infection vector
These infections were unknowingly initiated by the victims when they visited warez (also known as crackz, toolz, appz, and gamez) websites, a common distribution technique among cybercriminals. Such sites often redirect users to another site that distributes the malware. Some of these websites do contain links to the requested files, but these are usually rendered in a very small font and are easily overlooked by visitors. Far more prominent are misleading “Download” buttons or similar calls to action. Clicking any of these starts a redirection chain that ends in a malware download.
From a cybercriminal's perspective, distributing pirated software and cracks is a viable way of spreading malware. The stealer's capabilities are notable given its main goal: harvesting cookies and taking control of advertising accounts. Control of these accounts lets the threat actor run advertisements that bring their malware and adware to more potential victims, and promote the cybercriminals' other “products” for additional profit. Stolen browser cookies also give them sensitive personal information that they can further monetize illegally, particularly in underground markets.
Heavy use of browser plug-ins lets the threat actors inject ads and modify website behavior. By replacing legitimate advertiser IDs with their own, they redirect the revenue from clicks, ad views, searches, and downloads away from the legitimate parties, who bear the resulting losses. This adds another channel of monetization to the campaign. As of writing, we do not know whether the PPI websites and networks are aware that these campaigns use their services.
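The advertiser-ID substitution described above, as an added example that is not part of the original article or of CopperStealer's own code: the first function shows what an ad-hijacking content script does to a page's outbound links (rewriting every affiliate parameter it recognizes, and tagging untagged links so the attacker still gets credit), and the second is a defender-side check that flags links whose affiliate parameter no longer matches the publisher's ID. The parameter names (`aff_id`, `ref`, `tag`), the publisher and attacker IDs, and the sample links are all constructed for this demo; a real extension would iterate over `document.links`, but the logic here is kept as pure functions over URL strings so it runs outside a browser.

```javascript
// Added example, not code from the original article or from CopperStealer.
// Parameter names, IDs and sample links below are constructed for the demo.

// Query parameters this demo treats as affiliate/advertiser IDs (assumption).
const AFFILIATE_PARAMS = ["aff_id", "ref", "tag"];

// Attacker side: what an ad-hijacking content script does to every outbound
// link on a page. Every recognised affiliate parameter is overwritten with the
// attacker's ID; links that carry no affiliate tag get one appended so the
// attacker is credited for those clicks as well.
function hijackAffiliateLinks(hrefs, attackerId) {
  return hrefs.map((href) => {
    const url = new URL(href);
    let touched = false;
    for (const p of AFFILIATE_PARAMS) {
      if (url.searchParams.has(p)) {
        url.searchParams.set(p, attackerId);
        touched = true;
      }
    }
    if (!touched) url.searchParams.set(AFFILIATE_PARAMS[0], attackerId);
    return url.toString();
  });
}

// Defender side: given the publisher's legitimate ID, report every link whose
// affiliate parameter points somewhere else. Links without any affiliate
// parameter are not reported, so an unexpected tag appearing on a previously
// untagged link is caught only if the page owner knows the link was untagged.
function findTamperedLinks(hrefs, legitimateId) {
  const findings = [];
  for (const href of hrefs) {
    const url = new URL(href);
    for (const p of AFFILIATE_PARAMS) {
      const v = url.searchParams.get(p);
      if (v !== null && v !== legitimateId) {
        findings.push({ href, param: p, found: v, expected: legitimateId });
      }
    }
  }
  return findings;
}

// Constructed sample links as a publisher page might emit them.
const SAMPLE_LINKS = [
  "https://shop.example/item/42?aff_id=pub-1001",
  "https://downloads.example/get?file=tool.zip&ref=pub-1001",
  "https://search.example/?q=crack&tag=pub-1001",
  "https://plain.example/about",
];

// Stand-alone demo: the clean page passes, the hijacked page yields one
// finding per link (the untagged link now carries the attacker's aff_id).
const demoHijacked = hijackAffiliateLinks(SAMPLE_LINKS, "evil-777");
console.log("clean page findings:", findTamperedLinks(SAMPLE_LINKS, "pub-1001").length);
console.log("hijacked page findings:", JSON.stringify(findTamperedLinks(demoHijacked, "pub-1001"), null, 2));
```

A production check would run `findTamperedLinks` from an extension-free reference browser against the live DOM and compare with what an instrumented profile sees; the point of keeping the detector a pure function is that the same comparison can be run over crawled HTML or proxy logs without a browser.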
Here are some best practices to prevent these kinds of threats:
- Avoid searching for or downloading applications and pirated software from dubious third-party websites. Look for legitimate tools and programs in official app stores, especially those with many user-created reviews.
- If possible, avoid storing sensitive information such as banking or access credentials in browsers or in platforms that auto-fill forms. Whenever possible, regularly clear stored browser data, including cookies and not just the cache, on machines that you use often.
Some of the findings here were previously published in similar form.
Trend Micro solutions
Users can protect their systems from these threats with multilayered protection that blocks and detects known and unknown threats. Since dubious websites and fraudsters try to deceive users with seemingly harmless, genuine-looking apps, mitigate the risk by downloading applications and software only from official websites and legitimate marketplaces.