Thursday, October 10, 2024
HomeCyber Security NewsBeware of Fake CCleaner Search Results that Deliver Information-stealing Malware

Beware of Fake CCleaner Search Results that Deliver Information-stealing Malware

Published on

The recently emerged ‘FakeCrack’ campaign has been disclosed by the researchers of Avast. The malware campaign tempts users into downloading fake cracked software.

Researchers say the bad actors behind the campaign have utilized a vast infrastructure to deliver malware and steal personal and other sensitive data, including crypto assets.

The Black SEO Mechanism

The infection stems from dubious sites that allegedly offer cracked versions of well-known and used software, such as games, office programs, or programs for downloading multimedia content. These sites are placed in the highest positions in search engine results.

- Advertisement - EHA

Google Search Results Highlighting Malicious Sites

The majority of the results on the first page highlighted in the above image, lead to compromised crack sites and the user ends up downloading malware instead of the crack. This is called the Black SEO mechanism exploiting search engine indexing techniques.

Upon clicking the link, the user is redirected through a network of domains to the landing page. These domains have a similar pattern and are registered on Cloudflare using a few name servers.

Avast researchers say “Overall, Avast has protected roughly 10,000 users from being infected daily who are located primarily in Brazil, India, Indonesia, and France.”

The search results take the victim through various websites that finally display a landing page that contains a malware ZIP file. For instance the Japanese file-sharing filesend.jp or mediafire.com. Researchers say the ZIP is password-protected using a weak PIN like “1234,” which is merely there to protect the payload from anti-virus detection.

Landing Page

This ZIP contains a single executable file, normally named setup.exe or cracksetup.exe. Researchers collected eight different executables that were distributed by this campaign.

Information Stealing Malware

The malicious code gathers sensitive information from the PC, including passwords or credit card data from the browser and wallets’ credentials. Then the data are uploaded to the C2 servers in encrypted ZIP format, the researchers noticed that the ZIP file encryption key is hardcoded into the binary, which means that it could be easy to access it.

Researchers mention that the clipboard hijacking feature works with a variety of cryptocurrency addresses, including those for Bitcoin, Ethereum, Cardano, Terra, Nano, Ronin, and Bitcoin Cash addresses. The malware also uses proxies to steal cryptocurrency market account credentials using a man-in-the-middle attack that’s very tough for the victim to identify.

Therefore, if you suspect your computer has been compromised, check the proxy settings and remove malicious settings using the following procedure.

  • Remove AutoConfigURL registry key in the HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings

Victims can disable it by navigating to Network & internet on Windows Settings and switching the “Use a proxy server” option to ‘off’.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Mozilla Warns Of Firefox Zero-Day Actively Exploited In Cyber Attacks

A critical use-after-free vulnerability affecting Firefox and Firefox Extended Support Release (ESR) is being...

SpyCloud Embeds Identity Analytics in Cybercrime Investigations Solution to Accelerate Insider and Supply Chain Risk Analysis & Threat Actor Attribution

IDLink, SpyCloud’s new automated digital identity correlation capability, is now core to its industry-leading...

Abusix and Red Sift Form New Partnership, Leveraging Automation to Mitigate Cyber Attacks

The agreement has marked over 600,000 fraudulent domains for takedown in just two months...

Hackers Exploiting Zero-day Flaw in Qualcomm Chips to Attack Android Users

Hackers exploit a zero-day vulnerability found in Qualcomm chipsets, potentially affecting millions worldwide.The flaw,...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Hackers Exploiting Zero-day Flaw in Qualcomm Chips to Attack Android Users

Hackers exploit a zero-day vulnerability found in Qualcomm chipsets, potentially affecting millions worldwide.The flaw,...

Foxit PDF Reader Vulnerability Let Attackers Execute Arbitary Code

Researchers recently disclosed six new security vulnerabilities across various software, as one critical vulnerability...

Wireshark 4.4.1 Released, What’s new!

Wireshark, the world’s leading network protocol analyzer, has just released version 4.4.1, bringing a...