Beware of Fake CCleaner Search Results that Deliver Information-stealing Malware

The recently emerged ‘FakeCrack’ campaign has been disclosed by the researchers of Avast. The malware campaign tempts users into downloading fake cracked software.

Researchers say the bad actors behind the campaign have utilized a vast infrastructure to deliver malware and steal personal and other sensitive data, including crypto assets.

The Black SEO Mechanism

The infection stems from dubious sites that allegedly offer cracked versions of well-known and used software, such as games, office programs, or programs for downloading multimedia content. These sites are placed in the highest positions in search engine results.

Google Search Results Highlighting Malicious Sites

The majority of the results on the first page highlighted in the above image, lead to compromised crack sites and the user ends up downloading malware instead of the crack. This is called the Black SEO mechanism exploiting search engine indexing techniques.

Upon clicking the link, the user is redirected through a network of domains to the landing page. These domains have a similar pattern and are registered on Cloudflare using a few name servers.

Avast researchers say “Overall, Avast has protected roughly 10,000 users from being infected daily who are located primarily in Brazil, India, Indonesia, and France.”

The search results take the victim through various websites that finally display a landing page that contains a malware ZIP file. For instance the Japanese file-sharing filesend.jp or mediafire.com. Researchers say the ZIP is password-protected using a weak PIN like “1234,” which is merely there to protect the payload from anti-virus detection.

Landing Page

This ZIP contains a single executable file, normally named setup.exe or cracksetup.exe. Researchers collected eight different executables that were distributed by this campaign.

Information Stealing Malware

The malicious code gathers sensitive information from the PC, including passwords or credit card data from the browser and wallets’ credentials. Then the data are uploaded to the C2 servers in encrypted ZIP format, the researchers noticed that the ZIP file encryption key is hardcoded into the binary, which means that it could be easy to access it.

Researchers mention that the clipboard hijacking feature works with a variety of cryptocurrency addresses, including those for Bitcoin, Ethereum, Cardano, Terra, Nano, Ronin, and Bitcoin Cash addresses. The malware also uses proxies to steal cryptocurrency market account credentials using a man-in-the-middle attack that’s very tough for the victim to identify.

Therefore, if you suspect your computer has been compromised, check the proxy settings and remove malicious settings using the following procedure.

• Remove AutoConfigURL registry key in the HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings

Victims can disable it by navigating to Network & internet on Windows Settings and switching the “Use a proxy server” option to ‘off’.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.