Monday, December 23, 2024
HomeCyber Security NewsBeware of Fake CCleaner Search Results that Deliver Information-stealing Malware

Beware of Fake CCleaner Search Results that Deliver Information-stealing Malware

Published on

SIEM as a Service

The recently emerged ‘FakeCrack’ campaign has been disclosed by the researchers of Avast. The malware campaign tempts users into downloading fake cracked software.

Researchers say the bad actors behind the campaign have utilized a vast infrastructure to deliver malware and steal personal and other sensitive data, including crypto assets.

The Black SEO Mechanism

The infection stems from dubious sites that allegedly offer cracked versions of well-known and used software, such as games, office programs, or programs for downloading multimedia content. These sites are placed in the highest positions in search engine results.

- Advertisement - SIEM as a Service

Google Search Results Highlighting Malicious Sites

The majority of the results on the first page highlighted in the above image, lead to compromised crack sites and the user ends up downloading malware instead of the crack. This is called the Black SEO mechanism exploiting search engine indexing techniques.

Upon clicking the link, the user is redirected through a network of domains to the landing page. These domains have a similar pattern and are registered on Cloudflare using a few name servers.

Avast researchers say “Overall, Avast has protected roughly 10,000 users from being infected daily who are located primarily in Brazil, India, Indonesia, and France.”

The search results take the victim through various websites that finally display a landing page that contains a malware ZIP file. For instance the Japanese file-sharing filesend.jp or mediafire.com. Researchers say the ZIP is password-protected using a weak PIN like “1234,” which is merely there to protect the payload from anti-virus detection.

Landing Page

This ZIP contains a single executable file, normally named setup.exe or cracksetup.exe. Researchers collected eight different executables that were distributed by this campaign.

Information Stealing Malware

The malicious code gathers sensitive information from the PC, including passwords or credit card data from the browser and wallets’ credentials. Then the data are uploaded to the C2 servers in encrypted ZIP format, the researchers noticed that the ZIP file encryption key is hardcoded into the binary, which means that it could be easy to access it.

Researchers mention that the clipboard hijacking feature works with a variety of cryptocurrency addresses, including those for Bitcoin, Ethereum, Cardano, Terra, Nano, Ronin, and Bitcoin Cash addresses. The malware also uses proxies to steal cryptocurrency market account credentials using a man-in-the-middle attack that’s very tough for the victim to identify.

Therefore, if you suspect your computer has been compromised, check the proxy settings and remove malicious settings using the following procedure.

  • Remove AutoConfigURL registry key in the HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings

Victims can disable it by navigating to Network & internet on Windows Settings and switching the “Use a proxy server” option to ‘off’.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Skuld Malware Using Weaponized Windows Utilities Packages To Deliver Malware

Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer...

BellaCiao, A new .NET Malware With Advanced Sophisticated Techniques

An investigation revealed an intrusion in Asia involving the BellaCiao .NET malware, as the...

Malicious Apps On Amazon Appstore Records Screen And Interecpt OTP Verifications

A seemingly benign health app, "BMI CalculationVsn," was found on the Amazon App Store,...

Lazarus Hackers Using New VNC Based Malware To Attack Organizations Worldwide

The Lazarus Group has recently employed a sophisticated attack, dubbed "Operation DreamJob," to target...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Skuld Malware Using Weaponized Windows Utilities Packages To Deliver Malware

Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer...

BellaCiao, A new .NET Malware With Advanced Sophisticated Techniques

An investigation revealed an intrusion in Asia involving the BellaCiao .NET malware, as the...

Malicious Apps On Amazon Appstore Records Screen And Interecpt OTP Verifications

A seemingly benign health app, "BMI CalculationVsn," was found on the Amazon App Store,...