SophosLabs Uncut

During our recent investigation into an ongoing Raccoon Stealer (an information stealing malware) campaign, we found that the malware was being distributed by a network of websites acting as a “dropper as a service,” serving up a variety of other malware packages—often bundling multiple unrelated malware together in a single dropper. These malware included an assortment of clickfraud bots, other information stealers, and even ransomware.

While the Raccoon Stealer campaign we tracked on these sites took place between January and April, 2021, we continue to see malware and other malicious content distributed through the same network of sites. Multiple front-end websites targeting individuals seeking “cracked” versions of popular consumer and enterprise software packages link into a network of domains used to redirect the victim to the payload designed for their platform.

We discovered multiple networks using the same basic tactics in our research. All of these networks use search engine optimization to put a “bait” webpage on the first page of results for search engine queries seeking “crack” versions of a variety of software products.

As we researched the Raccoon Stealer campaign, we discovered multiple other cases where some of these sites had been tied to other malware campaigns. We found a variety of information stealers, clickfraud bots, and other malware delivered through the sites, including Conti and STOP ransomware. So we began to investigate the networks behind the sites themselves.

Come download me, bro

Most of the bait pages we found are hosted on WordPress blog platforms. Download buttons on these pages link to another host, passing a set of parameters that includes the package name and affiliate identifier codes to an application that then redirects the browser session to yet another intermediary site, before finally arriving at a destination.

Some clicks on bait pages are directed to a download site that hosts a packaged archive containing malware. Others are steered to browser plugins or applications that fall in a potentially unwanted grey area.

Visitors who arrive on these sites are prompted to allow notifications; If they allow this to happen, the websites repeatedly issue false malware alerts. If the users click the alerts, they’re directed through a series of websites until they arrive at a destination that’s determined by the visitor’s operating system, browser type, and geographic location.

The downloads contained a variety of potentially unwanted applications and malware. We downloaded installers for Stop ransomware, the Glupteba backdoor, and a variety of malicious cryptocurrency miners (in addition to Raccoon Stealer)

In a bit of irony, many of these malware were delivered by downloads purporting to be installers for antivirus products, including 15 we examined that claimed to be licensing-bypassed versions of the Sophos-owned HitmanPro.

Because the dynamic delivery network acts as an intermediary between the bait sites and the download sites, the same faked “cracked” product download page can deliver multiple malicious campaigns at the same time, and switch from one deliverable download to another when the malware actor “customer” has burned through their paid deliveries.

These networks work in a fashion similar to those behind the “fake alert” scams we researched last year. All of these activities are the product of an underground marketplace for paid download services, advertised on web boards frequented by would-be cybercriminals. A few hundred US dollars worth of cryptocurrency can buy a malware actor hundreds or thousands of downloads—though the price goes up if there’s a specific geographic targeting desired.

(As a rule, these services do not target network addresses in Commonwealth of Independent States countries.)

Special delivery

“Traffic exchanges” are an old standby of malware campaigns. Often mocked on underground boards as old-fashioned, these marketplaces for “software installs” are still part of the toolkit for a variety of malware actors and other cybercriminals, particularly for entry-level criminals with very few skills who want to spread malware.

Many of these services advertise on the same boards where they are mocked. Criminal affiliates can set up accounts quickly, but most require a deposit paid in Bitcoin before they can begin distributing installers. InstallBest (on installs[.]info, shown below), is hosted in Russia. The site provides very direct instructions on how to get started, in Russian and English:

The site also offers some advice on “best practices,” recommending against using Cloudflare-based hosts for downloaders, as well as using URLs within Discord’s CDN , Bitbucket, or other cloud services. As evidenced by our discovery of some of these installers on Discord, affiliates don’t always heed this advice.

Once the affiliate deposits Bitcoin, they can set up campaigns using a simple web form.
The form allows for the selection of specific geographic distribution areas, charging more for targets in the United States, Canada, and Australia.

For two dollars a drop, you can buy 1,000 downloads through this service’s distribution chain.

Another Russian-based site, shop1[.]host, promoted on underground web boards, is apparently pivoting as it claims to be putting its payment system into maintenance for “a month or two.”

Malware middlemen

Some of these services provide their own delivery networks. Others simply act as go-betweens to established traffic suppliers, including malvertising networks that pay blog publishers for traffic.

One of these, tied to several of the malware campaigns we found hosted on the “cracked” software blogs, was powered in part by InstallUSD, an advertising network based in Pakistan which promises a payment of up to $5 US for every software install delivered.

The homepage of InstallUSD, which brags about the network’s ability to reroute ads if they fail to pass Chrome’s safe browsing tests.

InstallUSD’s site allowed site owners to register to publish download links, but required them to complete registration through Skype chat with a “publishers manager,” referred to as Jamashad. We attempted to contact InstallUSD about their program, but received no response.

Further investigation of InstallUSD uncovered a Facebook page for the group. A phone number provided on the organization’s Facebook page is also connected to a Facebook page for WorkingKeys[.]org, a website that purports to host cracked software downloads. In fact, that site also is connected to InstallUSD through the links that lead to the malware.

The WorkingKeys website’s domain name servers (ns1.installusd.online and ns2.installusd.online) also act as domain name servers for about 150 other domains with names related to cracked software. Some of them are inactive, and some have no outbound links to downloads, but several of them are serving up malware.

As we investigated the other malicious websites tied to droppers-as-a-service, we found many of them were connected to InstallUSD’s malvertising infrastructure.

Following the downloads

During our Raccoon Stealer investigation, we found a campaign that deployed the information stealing malware via a number of .zip archives. The hosting for these files was traced back to several websites purporting to distribute “cracked” versions of software packages, offering downloads of installers with license-bypassing schemes.

These “cracked” bait sites have continued to serve up new malware campaigns well after the original Raccoon Stealer campaign ended. Leveraging search engine optimization techniques, they have jockeyed for position at the top of search engine results for cracked versions of a wide range of software products, but especially information security products and more expensive business software tools.

We appended “crack” to the names of several well-known commercial software products, and consistently found 15 sites on the first two pages of results. These sites fell into three distinct groups, based on how they delivered victims to malware, but they all followed the same general approach, and all used the same payload wrapping scheme for their downloaders—leading us to believe that they were connected to a common dropper-as-service.

Method 1: InstallUSD affiliate system

A group of eight of our initial group of 15 “bait” blogs connected to infrastructure we tied to the InstallUSD install-as-a-service network. These sites had download buttons driven by a remote JavaScript that redirected visitors through a series of sites, including trackers that checked campaign-related information and generated redirects based on verification of the inbound link and assessment of the operating system and browser information from the User-Agent headers sent with each request. The tracker sites, and many of the bait blogs, were behind Cloudflare’s CDN, and almost all were registered through Namecheap.

If a user tried to download the files using a mobile, MacOS, or Linux browser, or if they had browser security plugins installed, the redirects would lead to a different monetizing destination:

  • A fake alert for mobile devices promoting the installation of a VPN or security app
  • A page insisting the user install a browser plug-in to view content
  • “Captcha” pages that required allowing notifications be enabled, which led to fake malware alert notifications spamming to the target system
  • Redirects through other affiliate programs for paid traffic, including bogus Yahoo news pages, adult web games, and “dating” sites
An alternative destination attempts to get the victim to install a browser extension to get to the download they’ll never see.

For those who clicked and passed the User-Agent screening, the redirects would eventually lead to a download page on another server. Completing the download resulted in the delivery of a malware payload.

How InstallUSD delivers malware droppers as a service.

The JavaScript that controlled the behavior of the download button on these eight sites came from a number of different source servers, but they all had the same basic signature. First, they opened a new browser tab using forwarding links passed through referral proxies—sites intended to create “anonymous” links (that scrubbed the forward of any referrer reference to the originating site). In early investigations, this refer proxy was nullrefer[.]com; By late July and August, the scripts providing the forwarding changed to the proxy href[.]li (a service operated by WordPress’ parent company, Automattic).

The destination site embedded in the request to the referral proxies were concealed in HTTPS, which concealed the actual destination from inspection by browser security tools. Also embedded in the destination URL were base64-encoded text that pointed to a common command and control server.

The cross-site scripts loaded for the download buttons on these sites were fairly uniform. They were all generated dynamically based on data passed as part of the URL source for the script. For example this script call for a link to an copy of (ostensibly) Avast’s antivirus product:

hxxps://undesirablez[.]xyz/index.php?id=127&user=576&hash=5c20216270730bf35431cb722fef6a67&q=Avast Premier 21.6.2474%20 Crack + License Key [Latest Release]

Yielded this script:

The URIs generated for these scripts followed these patterns:

  • https://nullrefer[.]com/?https://[first stage tracker server hostname]/index.php?lander=[base64 encoded URI]&pageDisplay=0
  • https://href.li/?https://[first stage tracker server hostname]?arch=[base64 encoded URL]&pageDisplay=0

Each retrieval of the script resulted in a new tracker server hostname as part of the URL, so no two click-throughs followed the same redirection path. However, at least some of these hostnames resolved to the same endpoint, as we discovered when testing some of the domains.

The button scripts opened these links in a new browser tab or window. The referrer proxy then redirected the page to the first stage tracker server. Decoding the Base64 text in the request they were forwarded revealed how all these trackers were tied together—in both formats, the text contained a URI pointing to a subdomain of InstallUSD[.]com, in this format:

hxxps://landing2.installusd[.]com/display/index.php?page=querycpc/items/&aduid=[unique identifier]&button=1&displaytype=0&pid=[identifying integer]&time=[Unix timestamp of request]&hash=[md5 hash of file]&q=[the name the archive was advertised under]

So, for example, a click on a button alleged to connect to a “cracked” copy of HitmanPro, made at 18:08:55 GMT on August 4, 2021 transmitted this Base64-encoded tracker link:

After being forwarded by the proxy, the script running on the intermediary advertising tracker site would process the URL. The Base64-encoded URL on landing2.installusd[.]com resolved to a JSON document providing confirmation of the referrer name and the payload expected, in this format:

{“result”:”success”,”trackUrl”:”https://href.li/?https://[second tracker server hostname/{pubid}/[advertised name of download]/{hash_code}&[lowercase and no punctuation name of download file]“,”adID”:”[an identifying number for the campaign]“,”triggerTime”:0}

So, for example, a JSON response for a click on a fake Nitro Pro download we followed yielded this JSON from landing2.installusd[.]com:

Using this JSON, the tracker server builds the link to the second stage tracker server, and redirects the victim’s browser to that URL (again using href.li as a proxy), in the format:

hxxps://[hostname]/[the ID of the originating site]/[name of fake product]/[hash code generated from the lowercase, unpunctuated filename]

The second stage tracker would then process the name and hash, and redirect the browser to a download server. These servers, redirected to IP addresses, were largely short-lived Amazon EC2 instances.

We disrupted this delivery pipeline when we reported the landing2.installusd[.]com host to Cloudflare, and they put an interstitial page up blocking requests. But that was not the end of malware delivery for those sites. Two days later, some of the sites we tracked started using a slightly modified version of the same tracker architecture, using a new “lander” host and the same source hosts for the downloader button scripts. Additionally, the new lander host rejected requests from outside the network for the JSON object, to complicate analysis.

Download Plan B

Some of the disrupted sites did not shift to the new infrastructure. Instead, using the same scripting hosts they had originally pointed to, they received JavaScript that launched an abbreviated version of the original redirect system, linking to a tracker server that redirected directly to the download server for the payload. Some did not use the href.li redirector.

The redirect scheme used to replace InstallUSD’s scheme once it was disrupted.

The URL for retrieving the button script contains three variables: “s” (an integer identifying the source of the link), “q”(the name of the download), and “g” (another integer unique to the source “blog”). These values are reflected in the returned script as variables:

The entry point of the JavaScript for “download” buttons on sites using the shorter version of the redirect network.

A function named “getThere” opens a new browser window with a URL pointing at the tracker server. The URL follows this format:

hxxps://[tracker host name]/?s=[the integer passed as the “s” variable]&q=[the name of the fake cracked software product]&dedica=[the integer passed as the “g” variable]&hmac=[a base64-encoded block of text]

The “getThere” function.

The base64-encoded text, which when decoded, is revealed to be data set of hash values.

A smaller number of sites had this style link embedded in the page code, either in a JavaScript function connected to the button or as a raw link. However, the sites that had a raw link associated with the button had HTML artifacts that suggested the link may have been rendered by a back-end PHP plug-in—concealing the connection to the C2 providing the scripts behind the server.

The new tracker site itself did not appear to inspect the browser User-Agent; we reached the intended payload for Windows from a variety of browser agent types. However, some of the download servers did their own check, and a click on the download button from a non-Windows agent yielded a redirect to another monetizing link, such as a fake alert or “naughty dating” site. These sites were localized by the IP range the browser was visiting from as well.

Another set of servers implemented a different set of JavaScript.

The downloads, please

Regardless of how they got to the downloads, all of these delivery methods dropped packages with the same basic characteristics. The download was a .zip archive file named after the alleged “cracked” product sought by the target. Inside, all the archives each contained an additional .zip archive and a file with “password” in its name.

The contents of a dropper archive from the download sites.

These text files contained numeric passwords for the archives, and in some cases ASCII art.

password file 1 While the payload packages all use the same structure, their contents varied over time, and by site. Over the course of our investigation, we observed multiple types of droppers deployed using this scheme.

Because the malicious payloads are in password-protected archives–and in formats that cannot be opened natively by Windows Explorer–they cannot be scanned by endpoint security tools during download (though they may be blocked by reputation by browsers, or browser plugins).

The droppers investigated during the Raccoon Stealer campaign often carried multiple payloads.They included a modified version of a legitimate Windows installer package (gdiview.msi). The contents appear to be a version of NirSoft’s GDIview freeware system utility, compiled in 2016.

The .MSI installer screen launched by the dropper.

GDIviewer Properties

The properties tab for the GDIview executable packed in the dropper show its compile date: December 4, 2016.

readme-gdiview
The readme file of the packed installer.

The installer package drops this legitimate (but old) version of GDIview, along with what appears to be an unsigned executable named Icon.controlPanelIcon.exe. It’s actually a desktop icon file, and when it gets loaded in the context of GDIview, it causes an error:All of this is a diversion intended to make the user believe the install of the “cracked” application they thought they downloaded had failed. Meanwhile, the real second-stage installer is calling home to retrieve yet another payload.

A capture of web requests from from the dropper show an argument suggesting that this was a paid install — with seller, price, and other metadata. The dropper here was itself sold as a service, and was then distributed via a download-as-a-service network.

The first call home to the dropper’s own command and control server.

In our sample, this phone-home was followed by the retrieval of a third-stage dropper executable from another domain (dream[.]pics).

The strings in the real second-stage dropper includes a number of anti-analysis checks, looking for virtual machine artifacts, tools used for web traffic analysis, and other sandboxing tools:

There is an embedded certificate in the binary. It is a decoy file, used for detecting already infected systems.

The third-stage binary deploys a malicious browser extension. It also steals Facebook cookies to obtain account details (including linked Instagram accounts and saved credit card data), grabs saved passwords from browsers on the affected machine, and installs a malicious DLL the purpose of which is to forge clicks on the “like” and “subscribe” buttons of specific YouTube channels.

Droppers reloaded

In our follow-up research, we found several different distinct droppers being used, most of them clearly operating as droppers as a service. Among them was one much like Raccoon Stealer, in that it was both an information stealer and a dropper-as-a-service.

The dropper is a 1.5 megabyte executable, named setup_x86_x64_install.exe in every download package we found. And we found a lot of them, in part thanks to a misconfiguration of the download server that allowed us access to all the .zip archives staged on it.

We managed to retrieve 286 .zip archives from this server, all containing the same dropper. But the dropper samples we analyzed, while virtually identical in size and basic behavior, each had varying configurations, with different C2 domains and payloads. Some of the droppers stored in these archives triggered ransomware alerts from Windows Defender on our baseline target machine–specifically for Conti. But the primary payload of this malware dropper appears to be the CryptBot information stealer.

Every version we found of setup_x86_x64_install.exe in these archives were 32-bit Windows executable files. Each has its own alphabet-salad name and version information:

The version.txt info embedded in the dropper.

The first-stage dropper’s payload is a set of set of files packed in a .cab archive named CABINET. In most of the samples we studied, these files were labeled as PowerPoint (.pptx) files. Others had extensions that associate them with graphics files, Word template files, and other (normally) benign filetypes. But they were not any of these. Instead, these files were a set of scripts and executables disguised to evade detection by antimalware tools. The dropper launches one of them with cmd.exe, essentially using it as a batch script to create the second-stage malware.

One contained shell commands to extract another second-stage executable:

These domains went dark shortly after we began evaluating the droppers. But they aren’t the only source of malware delivered by these groups.

This batch file does the following:

It performs a bit of anti-analysis by checking to see if the target has a system name that includes “DESKTOP-“. If it does, it uses the ping command as a timer to delay execution long enough to cause some sandbox environments and analysis tools to time out.

It then uses the Windows findstr command to extract text from another dropped file that is definitely not a PowerPoint document (Vecchie.pptx in this sample) using a regular expression to match a block of code, and writes that to an executable file (in this sample, Trarre.exe.com)–an AutoIT script.

Next, it copies a third file (Fra.pptx) to a file with a single letter name (H here). That file contains an obfuscated script and then passes that as a runtime parameter to the just-extracted AutoIT script. A fourth dropped file is read and deleted. Then the batch script runs ping again for 30 seconds as a timer before the AutoIT script executes itself again.

This time, the script searches for environmental settings indicating the presence of antivirus protection, and looks for the location of browser cookies and cryptocurrency wallet files. It then tries to download a second executable from a C2 server domain. Each dropper appeared to have a different C2 server, but all were all hosts with .top top-level domains, registered through NiceNic.net.

The organization tied to the domains’ registrations was “Boris Godunov,” which appears to have been a play on the name of the Soviet villain Boris Badunov from the 1960s-era Rocky and Bullwinkle Show. At least this threat actor has a sense of humor and a taste for eclectic pop culture.

Domain registration for one of the many .top domains used by the dropper.

The third stage also gathers up all system information, passwords and cookies from browsers, and other data (with strings such as cryptocurrency, Electrum, wallets, and default_wallet included in a search for cryptocurrency wallets and credentials). All this data is packed into a .zip archive for upload, along with a screen shot of the victim’s system:

The .zip archive, stored in the victim’s Temp file directory.
The _information.txt file contains data about installed applications in addition to basic system information.
The password file format, containing credentials scraped from browsers.

The malware-industrial complex

As we noted in our Raccoon Stealer research, malware-as-a-service platforms make it relatively inexpensive for would-be cybercriminals with limited skills to get started. The business model of these services based largely on the market for stolen credentials and cryptocurrency fraud. The same is true of CryptBot and the other malware we saw in our continued research; they largely focused on credential theft and cryptocurrency fraud, with additional fraud thrown in as a bonus.

Dropper packages and the malware delivery platforms that deliver them, such as the website networks we’ve investigated here, have been around for a long time, but they continue to thrive because of the same sort of market dynamics as those that make stealers as a service so profitable. They cover every other aspect of getting any malware—whether it is malware-as-a-service, off-the-shelf malware, or crafted by its operator—onto a victim’s machine, with little technical skill required from the “customer.”

The sort of “watering hole” attack we saw here uses carefully cultivated search engine optimization to draw in a specific kind of victim: computer users seeking pirated software. While there are sites that actually deliver key generators and “cracked” versions of software products, these sites have been intentionally crafted, along with the redirect networks they connect to, to cater to a particular subset of people (with the right operating system and level of browser protection) with download sites laden with malware, and to make cash off of all other visitors by redirecting them to other paying customers. These networks are also resilient, using disposable domains and short-term downloader hosting for much of their infrastructure.

The demand for cloud service, business email, and social media credentials sold in bulk is the primary reason why otherwise low-value targets such as victims searching for cracked software products is economically viable, and why entry-level and unskilled cybercriminals continue to purchase malware, dropper, and downloader as a service offerings.

While in the past this may not have posed a large threat to enterprises, the blend of increased work from home and increased business use of personal or shared devices makes these malware campaigns an increased threat to businesses. And the use of business products as bait for these campaigns appears to target smaller businesses seeking to cut some corners on software expenses.

Almost all of these malware droppers are easily detectable, and all of them were detected either by signature or behavior by Sophos products. But because these packages are in encrypted archives, they do not get detected until they are unpacked.

Indicators of compromise relating to this research have been posted to the SophosLabs Github.

SophosLabs would like to thank Anand Ajjan and Andrew Brandt for their contributions to this report.

Leave a Reply

Your email address will not be published.