Disguised Malware Distribution Techniques


How attackers use fake software websites, search engines, social media platforms, and social engineering to deliver malware

Hackers can use many methods to spread malware to end-user machines. For consumers, one of the most common, and unfortunately most successful, attacks is social engineering: the user is tricked into allowing the malware onto their machine, or even into actively but unknowingly installing it themselves. [1]

To do so, the attackers must present a convincing case to the user that the malware is legitimate and benevolent, and they also have to bypass any security mechanisms that would interfere with this scheme. Researchers from Avira, part of NortonLifeLock Inc., have been tracking a long-running campaign specialising in distributing malware through what appear to be cracked, or illegal, versions of various legitimate software. Such illicit versions of applications are served through web fronts that act as intermediaries and give the impression that the downloads are legitimate.

The campaign appears to serve many different crimeware groups and can deliver a wide range of malware families.

Later in this article, we detail how the ServHelper backdoor dropper has adopted this distribution channel.

Methods

Most of the time, the first steps are taken by the users themselves. They might be searching for software cracks, game trainers, game mods, or license serial numbers on Google or other popular search engines. From an attacker's perspective, it is desirable to get into these top search results so that the user downloads the malicious software instead of the legitimate one.

To do that, the attacker uses what is known as SEO (search engine optimisation). There is nothing wicked about SEO itself: it is a common practice for gaining more visibility on the web, and most legitimate sites use it as well.

The attackers make their download sites visible by adding SEO-friendly tags and by creating multiple pages built around popular software names. This lets their highly malicious websites show up near the top of a regular Google search.


Web delivery:

Usually, the final payload, the malicious code itself, is not installed on a device just by visiting an infectious website. The user needs to click through one or more web fronts designed to look like the kind of semi-legitimate websites that might host cracked content. These frontline delivery pages include ads on popular social media sites like Facebook, Twitter, Reddit, and YouTube. [2]


The main purpose of these frontline pages is to serve as a disguise that makes the site appear legitimate. The process begins when the user follows the download URL, which either leads to the final payload or redirects to another custom-designed intermediate fake website that hosts it.

Depending on the crimeware group, intermediate pages may or may not be present. Some groups are highly cautious about not letting their final payload reach antivirus companies' automated crawlers or search engine crawlers. To achieve that, they add scripts that check whether an actual human is trying to download the final payload. Those methods are discussed in detail later in this article.

Intermediate pages are usually hosted either on free hosting services or private domains purchased by the attackers.

Figure 3: Intermediate private domain pages hosted over HTTPS. Different attacking groups might use different hosting services; registrations are privacy-protected.


Attackers were observed heavily abusing legitimate free web-hosting services like Weebly, Google Sites, Wix, and Google Groups. An advantage of using free web-hosting services is that attackers can also use the built-in SEO tools these platforms offer, which ultimately helps them reach the top search engine results.


Anti-Analysis Checks:

The intermediate pages are also responsible for some anti-analysis and anti-crawling techniques before delivering the final payload. These methods may differ between crime groups, but the final aim is to avoid automatic downloads by crawlers and malware collector machines.

Referer Check:

Normally, requests to websites contain a Referer header, which identifies the site the user came from before visiting the malicious page. The attackers check whether the referer is a popular search engine before proceeding further, which filters out many automated crawlers.

The list of allowed referers is:

  • Yandex
  • Google
  • Rambler
  • Bing
  • Mail
  • Yahoo
  • Msn
  • AOL
  • Duckduckgo
  • Live

User-Agent:

The next check is the User-Agent. The User-Agent header is supposed to identify which program sent the web request (usually a browser). If the User-Agent identifies a known crawler or bot, the attackers simply skip the payload delivery. Below are the User-Agent strings the attackers have blacklisted:

  • Rambler
  • Yandex
  • Google
  • Yahoo
  • Googlebot
  • Turtle

SourceCode View Protection:

This is a simple analysis-prevention trick: the usual ways of viewing the website's source code in a browser, the keyboard shortcut and the context menu, are blocked, and an alert message is shown instead. Using alternative methods, we can still obtain the source code.


IP Filtering:

In this method, the attackers do not deliver the payload to the same IP address twice. They do this to avoid any crawlers that bypassed the earlier checks, and possibly to track victim counts by geography. One crime group uses a Google STUN server to determine a victim's externally visible IP address.


Captcha/I am not a robot:

Some crime groups implement a "Captcha/I am not a robot" check on their pages. This is yet another way to avoid crawlers, and it perhaps also makes the pages seem more legitimate and believable to victims. This was usually the last check before delivering the payload.


Password Protection & disabling antivirus:

Usually, the final payload is delivered as a password-protected archive. The password is either part of the delivery or displayed separately; in most cases the archive and the password are not delivered together. This is another way to prevent bots from getting at the actual content, since pairing a collected archive with a password delivered separately is hard to automate.


The final payload may display instructions telling the user to turn off antivirus and firewalls. This is a social engineering technique to get the malware installed without being intercepted by the security software, and our telemetry confirms it can be very effective.

Payload:

Payloads may differ based on the active criminal group. So far, we have noticed a mix of various malware ranging from highly dangerous ransomware, backdoors, and information stealers to potentially unwanted programs and browser extensions. Each crimeware group has its own metadata pattern that they follow for a certain period. For example, some may have a pattern in payload naming, the filetype format they use, or specific password selection across different payloads.

Below are some of the recent naming patterns; most of these files are delivered inside password-protected zips:

  • setup_x86_x64_install.exe
  • setup_install.exe
  • SetupFille-v34.0.2.exe
  • 32_64_ver_1_bit.exe
  • MainFile-v21.5.02.exe
  • Tsetup.exe
  • <popularsoftwarename>-_<9 digit>.exe, example: adobe-_128022649.exe
  • <popularsoftwarename>_<9 digit>.exe, example: excel_829982821.exe
  • <4 digit>_SETUP.ZIP, where the malware DLL inside is named msimg32.dll
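As an added example (not part of the original article or Avira's tooling), the naming patterns above can be turned into a small detector run over web-proxy download records; the log format and host names are constructed for illustration:

```python
import re

# Regular expressions derived from the naming patterns listed above.
PAYLOAD_NAME_PATTERNS = {
    "fixed_setup_name": re.compile(
        r"^(setup_x86_x64_install|setup_install|SetupFille-v[\d.]+|"
        r"32_64_ver_1_bit|MainFile-v[\d.]+|Tsetup)\.exe$", re.IGNORECASE),
    "brand_dash_underscore_9digit": re.compile(r"^[a-z0-9]+-_\d{9}\.exe$", re.IGNORECASE),
    "brand_underscore_9digit": re.compile(r"^[a-z0-9]+_\d{9}\.exe$", re.IGNORECASE),
    "4digit_setup_zip": re.compile(r"^\d{4}_SETUP\.ZIP$", re.IGNORECASE),
}

def classify_filename(name):
    """Return the label of the first matching naming pattern, or None."""
    for label, rx in PAYLOAD_NAME_PATTERNS.items():
        if rx.match(name):
            return label
    return None

# Constructed proxy log lines: "<client-ip> <method> <url> <status>".
SAMPLE_PROXY_LOG = """\
10.0.0.5 GET https://example-free-host.invalid/files/adobe-_128022649.exe 200
10.0.0.7 GET https://example.invalid/downloads/readme.txt 200
10.0.0.9 GET https://example-free-host.invalid/dl/excel_829982821.exe 200
10.0.0.9 GET https://example-free-host.invalid/dl/setup_x86_x64_install.exe 200
10.0.0.11 GET https://example.invalid/pkg/4821_SETUP.ZIP 200
10.0.0.12 GET https://example.invalid/pkg/installer-2.1.exe 200
"""

def scan_proxy_log(log_text):
    """Return (client_ip, filename, pattern_label) for every suspicious download."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        client_ip, url = parts[0], parts[2]
        filename = url.rsplit("/", 1)[-1]   # last path component of the URL
        label = classify_filename(filename)
        if label:
            hits.append((client_ip, filename, label))
    return hits

if __name__ == "__main__":
    for ip, fname, label in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(ip, fname, label)
```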

Some regularly detected families were Download Assistant, CoinLoader, Redline Stealer, Predator The Thief, CyberGate Rat, and ServHelper backdoor. Most of these payloads are well-documented.

However, while analysing the ServHelper backdoor dropper, we came across its use of Alternate Data Streams (ADS) and its bundling with a legitimate Telegram messaging setup.

TA505 ServHelper Dropper Adaptation - ADS & Telegram Bundling

While checking the telemetry of victims from malicious websites, we noticed a RAR SFX sample which dropped further files into an Alternate Data Stream in our cloud sandbox (example hash: 0d898368a1d4e605e15963dfeaf87cdde82107a8a158743b5753dec961d2872e). This was found to be a ServHelper backdoor from TA505. ADS is always an interesting trigger to dig into further, and later investigation revealed that these RAR SFX files were coming from two different sources:

  • Installed via an initial infection from the Download Assistant family (example hash: 247d92f74a4d6f944cc7fa3f3b88872667ff405c758cb1c4da54fad98ac01f9c), which came from the fake crack websites described above.
  • Installed via a CAB SFX bundle that packages the ServHelper dropper together with a legitimate Windows Telegram setup. This is commonly archived and spread under the name tsetup.2.5.1 (example archive hash: ada6c389df1c10f170e50d4512e0d6b97eff06b94039aa860dae657ee202deda). The name is chosen to impersonate the original Telegram setup.

Telegram Bundling:

As mentioned, the bundle is a CAB SFX which uses two CAB SFX commands:

  • RUNPROGRAM – executes the legitimate Telegram setup.
  • POSTRUNPROGRAM – executes the RAR SFX described below, which drops the ServHelper backdoor.


This bundle was mainly hosted on discordcdn, the file-hosting service of the Discord chat platform, which attackers have recently been abusing as a malware-hosting hotbed. Another dropper was hosted at hxxps://tsetup.net/tsetup.2.5.1.zip, mimicking the hostname of the original Telegram setup.

RARSFX Dropper

The dropper RARSFX mainly contained three files:

  • A legitimate file with the ServHelper dropper, in DLL format, stored in its Alternate Data Stream
  • A BAT file, which starts the DLL from the ADS using rundll32.exe
  • An LNK file, which points to the BAT file

The Setup command of the RARSFX starts the LNK, which triggers the BAT, which finally runs the ServHelper backdoor DLL from the ADS using rundll32.


An additional task of the BAT file is to release and renew the IP address of the adapter.
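The LNK, BAT, rundll32 and ipconfig chain described above is visible in process-creation telemetry. The following detector is an added example, not code from the article or from Avira; the event records are constructed and modelled loosely on Sysmon process-creation fields, and the file and stream names are placeholders:

```python
import re

# A path whose last component carries an NTFS stream name, e.g.
# C:\dir\photo.jpg:payload.dll (drive colon, then a second colon inside the name).
ADS_PATH_RE = re.compile(r"""[A-Za-z]:\\[^\s",:]+:(?P<stream>[^\s",:\\]+)""")

def rundll32_ads_target(cmdline):
    """Return the ADS stream name if rundll32 is given a DLL inside an
    alternate data stream, otherwise None."""
    if "rundll32" not in cmdline.lower():
        return None
    m = ADS_PATH_RE.search(cmdline)
    return m.group("stream") if m else None

# Constructed process-creation records (hypothetical paths and names).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\v\AppData\Local\Temp\run.bat"',
     "ParentImage": r"C:\Users\v\Downloads\tsetup.2.5.1.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\v\AppData\Local\Temp\photo.jpg:svc.dll,EntryPoint",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\ipconfig.exe", "CommandLine": "ipconfig /release",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\ipconfig.exe", "CommandLine": "ipconfig /renew",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",   # benign rundll32 use
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

def find_suspicious(events):
    """Return (reason, command line) findings for the ADS/rundll32 chain."""
    findings = []
    for ev in events:
        stream = rundll32_ads_target(ev["CommandLine"])
        if stream:
            findings.append(("rundll32 loading DLL from ADS '%s'" % stream, ev["CommandLine"]))
            if ev["ParentImage"].lower().endswith("cmd.exe"):
                findings.append(("ADS rundll32 spawned by cmd.exe (batch chain)", ev["CommandLine"]))
    cmds = [ev["CommandLine"].lower() for ev in events]
    if "ipconfig /release" in cmds and "ipconfig /renew" in cmds:
        findings.append(("adapter release/renew sequence", "ipconfig /release; ipconfig /renew"))
    return findings

if __name__ == "__main__":
    for reason, cmd in find_suspicious(SAMPLE_EVENTS):
        print(reason, "<-", cmd)
```

Benign rundll32 invocations such as the shell32.dll example produce no finding, because the path contains no second colon.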


The malicious DLL is a 64-bit UPX-packed executable. Once unpacked, it is a Delphi-based wrapper. We noticed no other behavioural changes in the second stage: it had the usual ServHelper PowerShell script, UAC escalation via the SilentCleanup technique, the copying of wscript.exe, and persistence via the TermService ServiceDll.


Based on our telemetry, the victim geography of this ADS-based ServHelper backdoor was spread across the United States and a few countries in Europe and Asia. The earliest sample was from November 2020.


Conclusion:

Spreading malicious software via fake cracks is not a new technique in malware distribution, but recently the number of distributors has become worryingly high. We believe social engineering tricks still work far too well for attackers seeking access to consumer devices.

Most often, users are tricked into following links and opening attachments sent by hackers as spam email. In this case it is the opposite: victims go looking for the content themselves and fall into a malware trap via malicious websites.

Fake crack packages used to install adware and PUAs (potentially unwanted applications) on victims' devices. The distributors have since switched to actual malware such as Trojans, backdoors, and stealers, and they install many different families. [3] The result is a badly infected system whenever a user falls for the social engineering.

You must never turn off your security software and firewalls while downloading anything, simply based on instructions from a website you’ve never visited.

We would like to thank Snorre Fagerland from Norton Protection Labs for his support during the research.

[1] https://in.norton.com/internetsecurity-online-scams-social-engineering-scams-on-social-media.html
[2] https://in.norton.com/internetsecurity-online-scams-social-engineering-scams-on-social-media.html
[3] https://in.norton.com/internetsecurity-malware-what-is-a-trojan.html
