There are many ways to spread malware to end-user machines. For consumers, one of the most commonly encountered and unfortunately successful attacks is social engineering. That’s where the user is tricked into allowing the malware onto their machine, or even actively installing it themselves.
To do so, the attacker must not only present a convincing case to the user that the malware is legitimate and benevolent but also bypass any security mechanisms that would interfere with this scheme.
Researchers from Avira, part of NortonLifeLock Inc., have been tracking a long-running campaign that specializes in distributing malware through what appear to be cracked (illegal) versions of various legitimate software. These versions are served through web fronts that act as intermediaries and give the impression that the downloads are legitimate – at least as legitimate as software cracks can get.
The campaign appears to serve many different crimeware groups and can deliver many different malware families.
Later in this article we describe in detail how the ServHelper backdoor dropper was adapted for this distribution channel.
The first and foremost place where users look for cracks, game trainers, game mods, or license serial numbers is on Google or other popular search engines. From an attacker perspective, it’s desirable to get into these top search results so that the user is driven toward downloading the malware.
To achieve this, the attacker employs what is known as SEO – search engine optimization. There’s nothing nefarious about this. SEO is a common practice for gaining more visibility on the web.
The attackers' download sites are made visible by creating SEO-friendly tags and by creating many pages tagged with popular software names. This lets these highly malicious websites show up near the top of an ordinary Google search.
Most of the final payload — the malicious code — is not directly accessible. The user needs to click through one or more web fronts that are designed to look like the type of semi-legitimate websites that might host cracked content. These frontline delivery pages include entries on popular social media sites like Facebook, Twitter, Reddit, and YouTube.
The main purpose of these frontline pages is to serve the download URL to the final payload or sometimes to link to another intermediate custom-designed fake website hosting the final payload.
Depending on the crimeware group, intermediate pages may or may not be present. Some groups are extremely cautious about not getting the final payload delivered into antivirus companies’ automated crawlers or other search engine crawlers. So attackers add additional scripts to check that it’s a real human trying to download the final payload. Those methods are discussed in detail later in this article.
Intermediate pages are usually hosted either on free hosting services or on private domains purchased by the attackers.
Which hosting services are used varies and may depend on the crimeware group. Domain registrations are privacy-protected.
We observed attackers heavily abusing legitimate free web-hosting services such as Weebly, Google Sites, Wix, and Google Groups. An advantage of free web hosting is that the attackers can also use the other free services the vendor provides, such as built-in SEO support, which helps them reach the top search engine results.
Before delivering the final payload, the intermediate pages are also responsible for some anti-analysis and anti-crawling techniques. These methods may differ between crime groups, but the final aim is to avoid automatic downloads by crawlers and malware collector machines.
Requests to websites normally carry a Referer header, which identifies the site the user came from before arriving at the malicious page. The attackers check that the referer is a popular search engine before proceeding further. Automated crawlers typically arrive with no referer, or with one the attackers do not expect, so this filters many of them out.
The allowed referers are listed below:
The next check is the User-Agent header, which is meant to identify the client that sent the request (normally a browser). If the User-Agent matches a known crawler or bot, the attacker simply skips delivering the payload. Below are the User-Agents blacklisted by the attackers:
Source Code View Protection:
This is a simple analysis-prevention trick: script on the page intercepts the keyboard shortcut and the context-menu entry that would normally open the page source, and shows an alert message instead. The source can still be retrieved by other means, for example by fetching the page with a command-line client or saving it from the browser's developer tools.
IP Address Check:
In this method, the attackers will not deliver the payload to the same IP address twice. The motive is to defeat any crawler that passed the earlier checks and comes back for a second fetch; another motive may be to count victims by geography. One crime group uses a Google STUN server, queried from the browser through WebRTC, to learn the victim's externally visible IP address.
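The referer, User-Agent and one-delivery-per-IP checks above can be modelled in a few lines. The following is an added example written for this article, not the attackers' server code: the allow-list of search engines, the crawler deny-list, the payload URL and the client addresses are constructed placeholders, because the report does not reproduce the real lists. The `collector_request` helper shows what a malware-collection crawler has to send to get past the first two checks, and why the third check can only be handled by rotating the collector's egress address.

```python
"""
Emulation of the gate that the intermediate pages apply before handing out
the payload.  Added example; the allow and deny lists are constructed
placeholders, not the real ones from the campaign.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed allow-list of search-engine referer hosts (assumption).
ALLOWED_REFERER_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com"}

# Constructed deny-list of User-Agent fragments typical of crawlers (assumption).
BLOCKED_UA_FRAGMENTS = ("bot", "spider", "crawl", "curl", "wget", "python-requests")

# Constructed payload location; the real URL is not reproduced here.
PAYLOAD_URL = "https://example.invalid/files/adobe-_128022649.zip"


def referer_host(referer: str) -> str:
    """Return the host part of a Referer header value ('' when absent)."""
    return re.sub(r"^https?://", "", referer or "", flags=re.I).split("/")[0].lower()


class PayloadGate:
    """Applies the checks in the order the article describes:
    referer, then User-Agent, then one delivery per client IP."""

    def __init__(self) -> None:
        self.served_ips: Set[str] = set()

    def decide(self, headers: Dict[str, str], client_ip: str) -> Tuple[bool, str]:
        """Return (deliver, reason_or_url) for one request."""
        if referer_host(headers.get("Referer", "")) not in ALLOWED_REFERER_HOSTS:
            return False, "referer is not a known search engine"
        ua = headers.get("User-Agent", "").lower()
        if not ua or any(frag in ua for frag in BLOCKED_UA_FRAGMENTS):
            return False, "user-agent is empty or matches the crawler deny-list"
        if client_ip in self.served_ips:
            return False, "payload already served to this IP"
        self.served_ips.add(client_ip)
        return True, PAYLOAD_URL


def collector_request(search_query: str) -> Dict[str, str]:
    """Headers a malware-collection crawler needs to pass the first two checks:
    a search-engine Referer and a mainstream browser User-Agent.  The one-per-IP
    check has to be handled by rotating the egress address, not by headers."""
    return {
        "Referer": "https://www.google.com/search?q=" + search_query.replace(" ", "+"),
        "User-Agent": ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                       "(KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"),
    }


def demo() -> List[Tuple[bool, str]]:
    """Run three requests through a fresh gate and return the decisions."""
    gate = PayloadGate()
    naive_crawler = {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1)"}  # no Referer
    tuned = collector_request("adobe photoshop crack")
    return [
        gate.decide(naive_crawler, "198.51.100.7"),  # refused: no search-engine referer
        gate.decide(tuned, "203.0.113.5"),           # delivered: payload URL returned
        gate.decide(tuned, "203.0.113.5"),           # refused: same IP a second time
    ]


if __name__ == "__main__":
    for delivered, detail in demo():
        print("DELIVER" if delivered else "REFUSE ", detail)
```

The order of the checks matters for a collector: a request that fails the referer test is refused before the User-Agent is ever examined, so the response gives no hint about which check was tripped, and a single fetch from a burned IP wastes that address for any later attempt.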
Captcha / I am not a robot:
Some crime groups add a "Captcha / I am not a robot" step to their pages. This is yet another way to keep crawlers out, and it may also help convince victims that the page is legitimate. It was usually the last check before the payload was delivered.
Password Protection & disabling antivirus:
When the payload is finally delivered, it is usually a password-protected archive. The password is either shown together with the download or displayed separately; in most cases the two are not delivered together. This is another way to keep bots from obtaining the real content: automatically pairing a collected archive with a password delivered elsewhere is hard.
The final payload may also display instructions telling the user to turn off antivirus and firewall software. This is a social engineering technique to get the malware installed without interference from security software, and our telemetry confirms that it is very effective.
Payloads differ based on the crime group involved. So far we have seen a mix of malware ranging from highly dangerous ransomware, backdoors, and information stealers to potentially unwanted programs and unwanted browser extensions. Each crimeware group follows its own metadata pattern for a certain period of time, for example a pattern in payload naming, in the file type used, or in the passwords chosen across different payloads.
Below are some recent naming patterns; most of these files are found inside password-protected zips:
- <popularsoftwarename>-_<9 digit>.exe, example: adobe-_128022649.exe
- <popularsoftwarename>_<9 digit>.exe, example: excel_829982821.exe
- <4 digit>_SETUP.ZIP, where the malware DLL inside is named msimg32.dll
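The naming patterns above are regular enough to be matched mechanically against download telemetry. The following triage function is an added example written for this article, not code from the report: the character set allowed for `<popularsoftwarename>` and the list of impersonated products are assumptions (the report only shows lowercase product names), and the sample file names other than the two quoted above are constructed.

```python
"""
Filename triage for the fake-crack naming patterns reported above.
Added example; the name character class and product list are assumptions.
"""
import re
from typing import Dict, Iterable, List, Optional

# (label, pattern) pairs transcribed from the report's naming patterns.
NAMING_PATTERNS = [
    ("name-_9digit.exe", re.compile(r"^(?P<name>[a-z0-9]+)-_(?P<id>\d{9})\.exe$", re.I)),
    ("name_9digit.exe",  re.compile(r"^(?P<name>[a-z0-9]+)_(?P<id>\d{9})\.exe$", re.I)),
    ("4digit_SETUP.ZIP", re.compile(r"^(?P<id>\d{4})_SETUP\.ZIP$", re.I)),
]

# Constructed list of product names the lures impersonate (assumption).
IMPERSONATED_PRODUCTS = {"adobe", "excel", "office", "photoshop", "autocad"}

# DLL name the report gives for the payload inside <4 digit>_SETUP.ZIP.
SETUP_ZIP_DLL = "msimg32.dll"


def match_naming_pattern(filename: str) -> Optional[str]:
    """Return the label of the first naming pattern the file name matches, else None."""
    for label, pattern in NAMING_PATTERNS:
        if pattern.match(filename):
            return label
    return None


def triage(filename: str, archive_members: Iterable[str] = ()) -> Dict[str, object]:
    """Score one file name, optionally with the member names of the ZIP it came in."""
    reasons: List[str] = []
    for label, pattern in NAMING_PATTERNS:
        m = pattern.match(filename)
        if not m:
            continue
        reasons.append("name matches fake-crack pattern " + label)
        name = m.groupdict().get("name")
        if name and name.lower() in IMPERSONATED_PRODUCTS:
            reasons.append("impersonates product " + name.lower())
        break
    if SETUP_ZIP_DLL in {member.lower() for member in archive_members}:
        reasons.append("archive carries " + SETUP_ZIP_DLL + " (payload DLL name used in SETUP.ZIP lures)")
    return {"filename": filename, "suspicious": bool(reasons), "reasons": reasons}


def scan(filenames: Iterable[str]) -> List[str]:
    """Return the names from a batch that trip at least one rule."""
    return [f for f in filenames if triage(f)["suspicious"]]


if __name__ == "__main__":
    # Constructed batch: the two report examples plus benign look-alikes.
    batch = ["adobe-_128022649.exe", "excel_829982821.exe", "4831_SETUP.ZIP",
             "excel_82998282.exe", "setup.exe", "readme.txt"]
    for name in scan(batch):
        print(name, triage(name)["reasons"])
```

Because these patterns are campaign metadata rather than code, they rotate; the rule set should be treated as a snapshot and re-validated against fresh samples before being relied on for blocking.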
Families regularly detected include Download Assistant, CoinLoader, Redline Stealer, Predator The Thief, CyberGate RAT, and the ServHelper backdoor. Most of these payloads are well documented.
While analysing the ServHelper backdoor dropper, however, we came across its adoption of Alternate Data Streams (ADS) and its bundling with a legitimate Telegram messenger setup.
TA505 ServHelper Dropper Adaptation - ADS & Telegram Bundling
While checking telemetry of victims of the malicious websites, we noticed a RAR SFX sample which, in our cloud sandbox, dropped further files into an Alternate Data Stream (example hash: 0d898368a1d4e605e15963dfeaf87cdde82107a8a158743b5753dec961d2872e). This turned out to be a ServHelper backdoor from TA505. ADS use is always an interesting trigger to dig into further, and later investigation revealed that these RAR SFX files were arriving from two different sources:
- Installed by an initial infection with the Download Assistant family (example hash: 247d92f74a4d6f944cc7fa3f3b88872667ff405c758cb1c4da54fad98ac01f9c), which itself came from the fake crack websites described above.
- Installed via a CAB SFX bundle that packages the ServHelper dropper together with a legitimate Windows Telegram setup. This bundle is commonly archived and spread under the name tsetup.2.5.1 (example archive hash: ada6c389df1c10f170e50d4512e0d6b97eff06b94039aa860dae657ee202deda), chosen to mimic the real Telegram setup file name.
As mentioned, the bundle is a CAB SFX file and uses two CAB SFX directives:
- RUNPROGRAM – executes the legitimate Telegram setup, so the victim sees the expected installer.
- POSTRUNPROGRAM – executes the RAR SFX described below, which drops the ServHelper backdoor.
This bundle was mostly hosted on Discord's CDN (discordcdn), the file-hosting service of the Discord chat platform, which attackers have recently abused as a malware-hosting hotbed. Another dropper was hosted at hxxps://tsetup.net/tsetup.2.5.1.zip, with a hostname that mimics the real Telegram setup file name.
The dropper RAR SFX mainly contained three files:
- A legitimate file carrying the ServHelper dropper, in DLL form, in one of its Alternate Data Streams
- A BAT file, which starts the DLL from the ADS using rundll32.exe
- An LNK file, which points to the BAT file
The RAR SFX Setup command starts the LNK, which runs the BAT, which finally loads the ServHelper backdoor DLL from the ADS via rundll32.
An additional task of the BAT file is to release and renew the IP address of the network adapter.
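The chain above (SFX, then a BAT launched by the LNK, then rundll32 loading a DLL from an alternate data stream, with ipconfig activity alongside) leaves a distinctive shape in process-creation telemetry. The detection below is an added example written for this article and run over constructed Sysmon-style events; it is not the report's telemetry. The paths, the host file name, the stream name (`svc.dll`) and the export name (`Main`) are assumptions, since the report does not give them.

```python
"""
Hunt for rundll32 loading a module from an NTFS alternate data stream,
with context from the parent BAT and sibling ipconfig processes.
Added example over constructed events; names and paths are assumptions.
"""
import re
from typing import Dict, List

# A Windows path that addresses an alternate data stream:
# <drive>:\<path without a colon>:<stream name>.  Ordinary file paths
# contain exactly one colon (after the drive letter) and so do not match.
ADS_PATH_RE = re.compile(r'\b[A-Za-z]:\\[^:"\s]+:[^:"\\\s]+')

# Constructed Sysmon-style process-creation events (pid, ppid, image, command line).
EVENTS: List[Dict[str, object]] = [
    {"pid": 100, "ppid": 90,  "image": r"C:\Users\u\Downloads\tsetup.2.5.1.exe",
     "cmdline": r'"C:\Users\u\Downloads\tsetup.2.5.1.exe"'},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'C:\Windows\System32\cmd.exe /c "C:\Users\u\AppData\Local\Temp\RarSFX0\run.bat"'},
    {"pid": 102, "ppid": 101, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\u\AppData\Local\Temp\RarSFX0\readme.txt:svc.dll",Main'},
    {"pid": 103, "ppid": 101, "image": r"C:\Windows\System32\ipconfig.exe",
     "cmdline": "ipconfig /release"},
    {"pid": 104, "ppid": 101, "image": r"C:\Windows\System32\ipconfig.exe",
     "cmdline": "ipconfig /renew"},
    # Benign control: rundll32 with an ordinary DLL path must not alert.
    {"pid": 200, "ppid": 1,   "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Windows\System32\shell32.dll",Control_RunDLL'},
]


def detect_ads_rundll32(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return one alert per rundll32 process whose command line names an ADS path,
    enriched with whether the parent ran a .bat and whether a sibling ran ipconfig /renew."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if not str(e["image"]).lower().endswith("\\rundll32.exe"):
            continue
        m = ADS_PATH_RE.search(str(e["cmdline"]))
        if not m:
            continue
        parent = by_pid.get(e["ppid"], {})
        siblings = [s for s in events if s["ppid"] == e["ppid"] and s["pid"] != e["pid"]]
        sibling_cmds = [str(s["cmdline"]).lower() for s in siblings]
        alerts.append({
            "pid": e["pid"],
            "ads_path": m.group(0),
            "parent_runs_bat": ".bat" in str(parent.get("cmdline", "")).lower(),
            "ipconfig_renew_sibling": any("ipconfig" in c and "/renew" in c for c in sibling_cmds),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_ads_rundll32(EVENTS):
        print(alert)
```

The ADS path alone is the high-confidence signal; the BAT parent and the ipconfig siblings are context that raises confidence and helps an analyst reconstruct the chain back to the SFX, so keep them as enrichment rather than as required conditions.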
The malicious DLL is a 64-bit UPX-packed executable; unpacked, it is a Delphi-based wrapper. We noticed no other behavioral changes in the second stage: it had the usual ServHelper PowerShell script, the UAC bypass via the SilentCleanup scheduled task, the copying of wscript.exe, and persistence via the TermService ServiceDll.
Based on our telemetry, the victim geography of this ADS-based ServHelper backdoor was spread across the United States, as well as a few countries in Europe and Asia. The earliest sample was from November 2020.
Spreading malware via fake cracks is not a new distribution vector, but recently the number of distributors has become alarmingly high. Social engineering tricks still work far too well for getting access to consumer machines.
Most infection scenarios start with the victim being lured through an entry point such as a spam email. Here the flow is reversed: victims go looking for the content themselves and walk into a malware trap.
These fake crack packages used to install adware and PUAs (potentially unwanted applications) most of the time. They have since switched to real malware such as Trojans, backdoors, and stealers, and they install many different families at once, leaving a badly infected system when the user falls for the social engineering.
You should never turn off your security solution on the instructions of a website you do not fully trust.
We would like to thank Snorre Fagerland from Norton Protection Labs for the support he provided us during the research.
Indicators of Compromise:
ServHelper RAR SFX ADS dropper (bundled with Telegram, CAB SFX file type)
RAR SFX ADS ServHelper droppers
Fake crack websites (only a few are listed below):
Copyright © 2021 NortonLifeLock Inc. All rights reserved. NortonLifeLock, the NortonLifeLock Logo, the Checkmark Logo, Norton, LifeLock, and the LockMan Logo are trademarks or registered trademarks of NortonLifeLock Inc. or its affiliates in the United States and other countries.