Tuesday, February 11, 2025
HomeCyber Security NewsBeware of Fake CCleaner Search Results that Deliver Information-stealing Malware

Beware of Fake CCleaner Search Results that Deliver Information-stealing Malware

Published on

SIEM as a Service

Follow Us on Google News

The recently emerged ‘FakeCrack’ campaign has been disclosed by the researchers of Avast. The malware campaign tempts users into downloading fake cracked software.

Researchers say the bad actors behind the campaign have utilized a vast infrastructure to deliver malware and steal personal and other sensitive data, including crypto assets.

The Black SEO Mechanism

The infection stems from dubious sites that allegedly offer cracked versions of well-known and used software, such as games, office programs, or programs for downloading multimedia content. These sites are placed in the highest positions in search engine results.

Google Search Results Highlighting Malicious Sites

The majority of the results on the first page highlighted in the above image, lead to compromised crack sites and the user ends up downloading malware instead of the crack. This is called the Black SEO mechanism exploiting search engine indexing techniques.

Upon clicking the link, the user is redirected through a network of domains to the landing page. These domains have a similar pattern and are registered on Cloudflare using a few name servers.

Avast researchers say “Overall, Avast has protected roughly 10,000 users from being infected daily who are located primarily in Brazil, India, Indonesia, and France.”

The search results take the victim through various websites that finally display a landing page that contains a malware ZIP file. For instance the Japanese file-sharing filesend.jp or mediafire.com. Researchers say the ZIP is password-protected using a weak PIN like “1234,” which is merely there to protect the payload from anti-virus detection.

Landing Page

This ZIP contains a single executable file, normally named setup.exe or cracksetup.exe. Researchers collected eight different executables that were distributed by this campaign.

Information Stealing Malware

The malicious code gathers sensitive information from the PC, including passwords or credit card data from the browser and wallets’ credentials. Then the data are uploaded to the C2 servers in encrypted ZIP format, the researchers noticed that the ZIP file encryption key is hardcoded into the binary, which means that it could be easy to access it.

Researchers mention that the clipboard hijacking feature works with a variety of cryptocurrency addresses, including those for Bitcoin, Ethereum, Cardano, Terra, Nano, Ronin, and Bitcoin Cash addresses. The malware also uses proxies to steal cryptocurrency market account credentials using a man-in-the-middle attack that’s very tough for the victim to identify.

Therefore, if you suspect your computer has been compromised, check the proxy settings and remove malicious settings using the following procedure.

  • Remove AutoConfigURL registry key in the HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings

Victims can disable it by navigating to Network & internet on Windows Settings and switching the “Use a proxy server” option to ‘off’.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Apple iOS 0-day Vulnerability Exploited Wild in Extremely Sophisticated Attack

Apple has released emergency security updates to address a zero-day vulnerability, CVE-2025-24200, that has...

SHA256 Hash Calculation from Data Chunks

The SHA256 algorithm, a cryptographic hash function, is widely used for securing data integrity...

New Report of of 1M+ Malware Samples Show Application Layer Abused for Stealthy C2

A recent analysis of over one million malware samples by Picus Security has revealed...

Seven-Year-Old Linux Kernel Bug Opens Door to Remote Code Execution

Researchers have uncovered a critical vulnerability in the Linux kernel, dating back seven years,...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Apple iOS 0-day Vulnerability Exploited Wild in Extremely Sophisticated Attack

Apple has released emergency security updates to address a zero-day vulnerability, CVE-2025-24200, that has...

SHA256 Hash Calculation from Data Chunks

The SHA256 algorithm, a cryptographic hash function, is widely used for securing data integrity...

New Report of of 1M+ Malware Samples Show Application Layer Abused for Stealthy C2

A recent analysis of over one million malware samples by Picus Security has revealed...