Traffic Exchange Networks deliver Malware through Cracked Software
Researchers have found a campaign that influences a network of websites substituting as “dropper as a service” to transfer malware payloads to victims searching for cracked software.
According to Sophos’ report, these malware include a collection of click fraud bots, Trojans, and ransomware. The attacks work by using bait pages hosted on WordPress that have download options for software packages. This, when clicked, redirects the affected person to a website that transfers unwanted browser plug-ins and malware. These include installers for Raccoon Stealer, Stop ransomware, the Glupteba backdoor, along with a variety of infected cryptocurrency miners that disguise as antivirus solutions.
The researchers pointed out that anyone visiting these sites is encouraged to allow notifications, and if they do so, the websites issue false malware alerts continuously. Once clicked, they’re routed through a number of websites till they land a destination that’s revealed by the operating system of the visitor, their browser type, and geographic location.
Website links appear on top of the search results through search engine optimization when users look for pirated versions of software apps. These activities allow cyber actors to tailor their campaigns according to geographical targeting.
Researchers also came across a number of services that act as “go-betweens” to established advertising networks that compensate for traffic to the publishers of websites.
This is not the first time websites have been leveraged as an infection vector by attackers. In June 2021, there was an attack where a cryptocurrency miner, Crackonosh abused the mechanism to install XMRig, a coin miner package for exploiting the victim’s resources to mine Monero.
Then only a month later, MosaicLoader malware was found victimizing individuals looking for cracked software. This was part of a campaign to deploy a backdoor skilled to rope compromised Windows systems into a botnet.