Cybercriminals have built a large-scale infrastructure for delivering info-stealing and crypto-stealing malware to their victims. The malware is presented to users as cracked versions of legitimate software products, video games and other licensed applications. Users typically reach these cracked versions by visiting various dubious websites, but the operators of this campaign have also used Black SEO techniques so that their malicious websites appear among the top results returned by search engines.
Details about the campaign and the malware it delivers were revealed in a report by cybersecurity experts, who track it under the name FakeCrack. According to their findings, the targets of the operation were mostly located in Brazil, India, Indonesia and France. In addition, they believe that the cybercriminals behind FakeCrack have so far managed to siphon over $50,000 in crypto assets from their victims.
The malware delivered in the FakeCrack campaign arrives on the victims' machines in the form of ZIP files. The archives are encrypted with a common or simple password, such as 1234, but even this is effective enough to prevent anti-malware solutions from analyzing the contents of the file. When opened, users are likely to find a single file named 'setup.exe' or 'cracksetuo.exe' inside the archive.
Once the file is run, it executes the malware on the system. The first step of the threats dropped as part of FakeCrack is to scan the victim's PC and collect private information, including account credentials, credit/debit card data and details from several crypto-wallet applications. All extracted information is packaged inside an encrypted ZIP file and exfiltrated to the Command-and-Control (C2, C&C) servers of the operation. The researchers discovered that the decryption keys for the uploaded files are hardcoded into them, which makes accessing the content inside them far easier for analysts.
The FakeCrack malware threats exhibited two interesting techniques. First, they dropped a rather large but heavily obfuscated script on the infected systems. The main function of this script is to monitor the clipboard. Upon detecting a suitable crypto-wallet address copied to the clipboard, the malware substitutes it with the address of a wallet controlled by the hackers. After three successful substitutions, the script deletes itself.
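The clipboard substitution described above leaves a characteristic trace: the clipboard content changes from one wallet address to a different address of the same kind without the user having copied anything new. The following is an added example of detection logic over such a trace; it is not code from the original article or from the FakeCrack report. The address patterns, the event format and the sample trace are all constructed here for illustration, and the patterns are deliberately simple (no checksum validation).

```javascript
// Rough address patterns (constructed for illustration, no checksum validation):
// legacy/P2SH Bitcoin, bech32 Bitcoin and EVM-style 20-byte hex addresses.
const ADDRESS_PATTERNS = {
  btc_legacy: /^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$/,
  btc_bech32: /^bc1[ac-hj-np-z02-9]{11,71}$/,
  evm_hex: /^0x[0-9a-fA-F]{40}$/,
};

// Returns the address kind for a clipboard string, or null if it is not an address.
function classifyAddress(text) {
  if (typeof text !== "string") return null;
  const s = text.trim();
  for (const [kind, re] of Object.entries(ADDRESS_PATTERNS)) {
    if (re.test(s)) return kind;
  }
  return null;
}

// A trace is a list of events: 'copy' = the user placed a value on the clipboard,
// 'poll' = a monitor read the clipboard back at time t. Both are assumed formats.
// An alert is raised when a poll shows a different address of the same kind as the
// one the user last copied, with no intervening copy event.
function analyzeClipboardTrace(trace) {
  const alerts = [];
  let expected = null; // what the user last copied
  let lastSeen = null; // last clipboard value observed, to avoid duplicate alerts
  for (const e of trace) {
    if (e.event === "copy") {
      expected = e.value;
      lastSeen = e.value;
      continue;
    }
    if (e.value === lastSeen) continue; // unchanged since last poll
    lastSeen = e.value;
    const kind = classifyAddress(expected);
    if (kind !== null && e.value !== expected && classifyAddress(e.value) === kind) {
      alerts.push({ t: e.t, kind, expected, observed: e.value });
    }
  }
  return alerts;
}

// Constructed sample trace: the user copies an EVM-style address, and two polls
// later the clipboard holds a different EVM-style address with no copy event.
const USER_ADDRESS = "0x" + "a1".repeat(20);
const SWAPPED_ADDRESS = "0x" + "b2".repeat(20);
const SAMPLE_TRACE = [
  { t: 0, event: "copy", value: USER_ADDRESS },
  { t: 1, event: "poll", value: USER_ADDRESS },
  { t: 2, event: "poll", value: SWAPPED_ADDRESS },
  { t: 3, event: "copy", value: "meeting notes" },
  { t: 4, event: "poll", value: "meeting notes" },
];

console.log(analyzeClipboardTrace(SAMPLE_TRACE));
```

A real monitor would feed `analyzeClipboardTrace` from periodic clipboard reads on the host; the comparison against the last value the user copied is what distinguishes a hijack from a legitimate change, and a wallet application can apply the same check before confirming a pasted destination address.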
The second technique involves configuring the system to fetch a malicious PAC (Proxy Auto-Configuration) script from an attacker-controlled IP address. When victims try to visit any of the targeted domains, their traffic is redirected to a proxy server controlled by the cybercriminals. This technique is fairly unusual for crypto-stealers, but it allows the hackers to observe their victims' traffic over prolonged periods with minimal chance of being noticed.
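A PAC file is JavaScript, so the quickest way to see which destinations it proxies is to evaluate its `FindProxyForURL` function against a list of hosts. The following is an added example of such an audit; it is not code from the original article or from the FakeCrack report. The sample PAC script, the host list and the proxy address are constructed for illustration, and the minimal `dnsDomainIs`, `shExpMatch` and `isPlainHostName` helpers are simplified re-implementations of the standard PAC functions.

```javascript
// Minimal re-implementations of the standard PAC helper functions (simplified).
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.endsWith(domain);
}
function shExpMatch(str, pattern) {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const re = new RegExp("^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$");
  return re.test(str);
}
function isPlainHostName(host) {
  return !host.includes(".");
}

// Evaluates the PAC source and returns a map of host -> proxy decision.
// Note: `new Function` is not a security boundary; audit unknown PAC files only
// inside an isolated VM or container.
function auditPac(pacSource, hosts) {
  const factory = new Function(
    "dnsDomainIs", "shExpMatch", "isPlainHostName",
    pacSource + "\n; return FindProxyForURL;"
  );
  const findProxyForURL = factory(dnsDomainIs, shExpMatch, isPlainHostName);
  const result = {};
  for (const host of hosts) {
    result[host] = String(findProxyForURL("https://" + host + "/", host));
  }
  return result;
}

// Returns only the hosts whose traffic would leave through a proxy rather than DIRECT.
function findProxiedHosts(pacSource, hosts) {
  const decisions = auditPac(pacSource, hosts);
  return Object.keys(decisions).filter((h) => decisions[h].trim().toUpperCase() !== "DIRECT");
}

// Constructed sample PAC: everything goes DIRECT except two targeted domains,
// which are sent to an attacker-controlled proxy (documentation-range IP).
const SAMPLE_PAC = `
function FindProxyForURL(url, host) {
  if (dnsDomainIs(host, ".example-exchange.test") || shExpMatch(host, "*.wallet-example.test")) {
    return "PROXY 198.51.100.23:8080";
  }
  return "DIRECT";
}`;

const SAMPLE_HOSTS = [
  "www.example-exchange.test",
  "app.wallet-example.test",
  "www.example.test",
  "intranet",
];

console.log(auditPac(SAMPLE_PAC, SAMPLE_HOSTS));
console.log(findProxiedHosts(SAMPLE_PAC, SAMPLE_HOSTS));
```

The pattern described in the article, a PAC script that routes only a handful of financial or crypto-related domains through a proxy while everything else goes DIRECT, is exactly what `findProxiedHosts` surfaces when run with a list of the domains an organisation cares about. On Windows the PAC URL itself is stored in the `AutoConfigURL` value under the user's Internet Settings registry key, so an unexpected value there is the first thing to check.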