Threat research
Pavel Novak
8-06-2022


CRYPTO STEALING CAMPAIGN SPREAD VIA FAKE CRACKED SOFTWARE

Pavel Novak 8 Jun 2022


Users who download cracked software risk sensitive personal data being stolen by
hackers.

Are you interested in downloading free, cracked software? If so, you should know
what you’re getting into. 

When you unknowingly download malicious cracked software, attackers can take
everything you have on your PC: you end up without your sensitive personal data
and even without the software you were trying to download in the first place.
This is precisely how the newly emerged FakeCrack campaign operates, enticing
users into downloading fake cracked software. The bad actors behind the campaign
have built a vast infrastructure to deliver malware and steal personal and other
sensitive data, including crypto assets. Interested in knowing more? Let’s dive
a bit deeper.


DELIVERY INFRASTRUCTURE

The infection chain starts on dubious sites that supposedly offer cracked
versions of well-known, widely used software, such as games, office suites, or
programs for downloading multimedia content. All of these sites occupy the
highest positions in search engine results: the vast majority of the results on
the first page lead to these crack sites, and users end up downloading malware
instead of the crack. This technique, known as black SEO, abuses search engine
indexing to push the malicious sites up the rankings.

Next, a link leads into an extensive infrastructure that delivers the malware.
What is interesting about this infrastructure is its scale. After clicking the
link, the user is redirected through a network of domains to the landing page.
These domains follow a similar pattern and are registered on Cloudflare using a
handful of name servers. The first type of domain uses the pattern
freefilesXX.xyz, where XX are digits; this domain usually serves only as a
redirector. The redirect leads to another page under the cfd top-level domain.
These cfd domains serve both as redirectors and as landing pages. Overall, Avast
has been protecting roughly 10,000 users a day from being infected, located
primarily in Brazil, India, Indonesia, and France.

Figure 1: Protected users on the whole delivery infrastructure (1 day period)

The landing page comes in several visual forms. All of them offer a link to a
legitimate file-sharing platform that hosts a malicious ZIP file. The file
sharing services abused in this campaign include, for example, the Japanese
file-sharing service filesend.jp and mediafire.com. An example of the landing
page is shown below.



Figure 2: Landing page


DELIVERED MALWARE

After following the provided link, the ZIP file is downloaded. This ZIP is
encrypted with a simple password (usually 1234), which prevents antivirus
software from scanning its contents. The ZIP usually contains a single
executable file, typically named setup.exe or cracksetup.exe. We collected eight
different executables distributed by this campaign.

These eight samples behave as information stealers, focusing on scanning the
user's PC and collecting private information from browsers, such as passwords
or credit card data. Data from cryptocurrency wallets is also collected. The
data is exfiltrated to C2 servers as an encrypted ZIP archive. However, the ZIP
encryption key is hardcoded into the binary, so recovering the content is not
difficult. The encrypted ZIP contains everything mentioned above: information
about the system and installed software, a screenshot, and data collected from
the browser, including passwords and private data of crypto wallet extensions.



Figure 3: Exfiltrated data in ZIP



Figure 4: ZIP password hardcoded in the binary


PERSISTENCE TECHNIQUES

The delivered stealer uses two persistence techniques. Both of them were aimed
exclusively at stealing crypto-related information, and we describe them in
more detail below.


CLIPBOARD CHANGER TECHNIQUE

In addition to stealing sensitive personal information as described above, some
of the samples also establish persistence by dropping two additional files: the
AutoIt compiler, for the case where it is not already present on the user’s
computer, and an AutoIt script. The script is usually dropped into the
AppData\Roaming\ServiceGet\ folder and scheduled to run automatically at a
predefined time.

This script is quite large and very heavily obfuscated, but on closer
examination it performs only a few elementary operations. It periodically checks
the content of the clipboard; when it detects a crypto wallet address there, it
replaces the clipboard content with a wallet address under the attacker’s
control. As a self-protection mechanism, the script also deletes itself after it
has swapped the wallet address three times. The figure below shows a
deobfuscated excerpt of the script.

The periodic_clipboard_checks function is called in an infinite loop. Each call
of the check_clipboard function checks for the presence of a wallet address in
the clipboard and replaces it with the attacker-controlled address. The attacker
is prepared for various cryptocurrencies, including Terra, Nano, Ronin, and
Bitcoin Cash. The numeric parameters of the check_clipboard function are not
important and serve only for optimization.



Figure 5: Dropped AutoIt script

In total, we identified 37 different wallets for various cryptocurrencies. Some
of them were already empty, and some we could not identify. However, we checked
these wallets on the blockchain and estimate that the attacker earned at least
$50,000. Moreover, if we disregard the massive drop in the price of the Luna
cryptocurrency in recent days, the figure was almost $60,000 over a period of
approximately one month.
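The persistence described above leaves two artifacts a defender can look for: the drop folder under AppData\Roaming\ServiceGet\ and a scheduled task that launches an AutoIt script. The following PowerShell is an added example for hunting those artifacts; it is not code from the Avast post. It assumes the folder name given above and, since the task name is not stated, matches tasks on what they execute rather than on their name.

```powershell
# Added example (not from the Avast post): hunt for the clipboard-changer
# persistence. Assumptions: the drop folder is %APPDATA%\ServiceGet as the
# post states; the scheduled task name is unknown, so tasks are matched on
# the command they run, not on their name.
$dropDir = Join-Path $env:APPDATA 'ServiceGet'

# 1. Does the drop folder exist, and what is in it (AutoIt binary + script)?
if (Test-Path $dropDir) {
    Write-Warning "Drop folder exists: $dropDir"
    Get-ChildItem -Path $dropDir -File -Force |
        Select-Object Name, Length, LastWriteTime |
        Format-Table -AutoSize
}

# 2. Scheduled tasks whose action runs something from that folder, or runs
#    an AutoIt interpreter with an .au3/.a3x script as argument anywhere.
$suspect = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        # Non-exec actions (COM handlers) have no Execute; $cmd is then ' '.
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match [regex]::Escape($dropDir) -or
            $cmd -match '(?i)autoit3?\.exe.*\.(au3|a3x)') {
            [pscustomobject]@{
                Task    = "$($task.TaskPath)$($task.TaskName)"
                State   = $task.State
                Command = $cmd.Trim()
            }
        }
    }
}

if ($suspect) {
    Write-Warning 'Scheduled task(s) matching the clipboard-changer pattern:'
    $suspect | Format-Table -AutoSize -Wrap
    # Once confirmed malicious, remove with:
    #   Unregister-ScheduledTask -TaskPath <path> -TaskName <name> -Confirm:$false
} else {
    Write-Output 'No scheduled task references ServiceGet or an AutoIt script.'
}
```

Run it as the affected user, since both the folder and the task live in that user's profile and task scheduler view.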


PROXY STEALING TECHNIQUE

The second interesting technique we observed in connection with this campaign
was the use of proxies to steal credentials and other sensitive data from some
crypto marketplaces. The attackers set up an IP address from which a malicious
Proxy Auto-Configuration (PAC) script is downloaded. Once this address is
configured in the system's proxy settings, every time the victim accesses any of
the domains listed in the script, the traffic is routed through a proxy server
under the attacker’s control.

This type of attack is quite unusual in the context of crypto-stealing activity;
however, it is very easy to hide from the user, and the attacker can observe the
victim's traffic to the given domains for a long time without being noticed.
The figure below shows the content of the Proxy Auto-Configuration script set up
by the attacker. Traffic to the Binance, Huobi, and OKX crypto marketplaces is
redirected to an IP address controlled by the attacker.



Figure 6: Proxy autoconfig script


HOW TO REMOVE THE PROXY SETTINGS

This campaign is dangerous mainly because of its reach. As shown at the
beginning, the attacker managed to get the malicious sites into high positions
in search results, and the number of protected users shows that the campaign is
quite widespread. If you suspect your computer has been compromised, check the
proxy settings and remove any malicious entries using the following procedure.

The proxy settings must be removed manually using one of the following methods:

 * Remove the AutoConfigURL value under the registry key
   HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings

 * Alternatively, using the GUI:
    * Click on the Start Menu.
    * Type Settings and hit Enter.
    * Go to Network & Internet -> Proxy.
    * Delete the Script Address and click the Save button.
    * Disable the “Use a proxy server” option.
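The following PowerShell script is an added example, not code from the Avast post, that performs the registry variant of the steps above: it reports whether a PAC script address or a manual proxy is configured for the current user and, when run with -Remove, clears them. It assumes the registry key named above and, as an extra heuristic of my own, flags a PAC URL whose host is a bare IP address, since the post describes the script being fetched from an IP rather than a domain.

```powershell
# Added example (not from the Avast post): audit the per-user proxy settings
# this campaign abuses and, with -Remove, undo them. Only HKCU is touched,
# so run it as the affected user.
param([switch]$Remove)

$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$settings = Get-ItemProperty -Path $key

$findings = @()
if ($settings.PSObject.Properties['AutoConfigURL']) {
    $pac = $settings.AutoConfigURL
    $findings += "AutoConfigURL (PAC script) is set: $pac"
    # Heuristic (assumption): a PAC served from a bare IP, as in this
    # campaign, is unusual for a legitimately managed machine.
    if ($pac -match '^https?://\d{1,3}(\.\d{1,3}){3}(:\d+)?/') {
        $findings += 'PAC script is fetched from a bare IP address.'
    }
}
if ($settings.PSObject.Properties['ProxyEnable'] -and $settings.ProxyEnable -eq 1) {
    $findings += "Manual proxy enabled: $($settings.ProxyServer)"
}

if (-not $findings) {
    Write-Output 'No PAC script or manual proxy is configured for this user.'
    return
}
$findings | ForEach-Object { Write-Warning $_ }

if ($Remove) {
    # Same effect as the GUI steps: delete the script address, switch the
    # proxy off. Errors are suppressed for values that are not present.
    Remove-ItemProperty -Path $key -Name 'AutoConfigURL' -ErrorAction SilentlyContinue
    Set-ItemProperty -Path $key -Name 'ProxyEnable' -Value 0 -Type DWord
    Remove-ItemProperty -Path $key -Name 'ProxyServer' -ErrorAction SilentlyContinue
    Write-Output 'Proxy settings removed. Restart the browser so it re-reads them.'
}
```

Run it first without -Remove to see what is set, and save the reported PAC URL before deleting it; it is evidence of where the script was hosted.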

--------------------------------------------------------------------------------

In this campaign, cybercriminals abuse the brand names of popular software by
promoting illegal, seemingly cracked versions of them to lure users into
downloading the malware. Brand names abused for this campaign include, for
example, "CCleaner Pro Windows" and "Microsoft Office", as well as "Movavi
Video Editor 22.2.1 Crack", "IDM Download Free Full Version With Serial Key",
and "Crack Office 2016 Full Crack + Product Key (Activator) 2022". We
recommend that users always stick to official software versions instead of
cracked ones.

Thanks to Martin Hanzlik, a high school student intern who participated in
tracking this campaign and significantly contributed to this blog post.

