Traffic Exchange Networks Distributing Malware Disguised as Cracked Software

Cracked Software

An ongoing campaign has been found to leverage a network of websites acting as a “dropper as a service” to deliver a bundle of malware payloads to victims looking for “cracked” versions of popular business and consumer applications.

“These malware included an assortment of click fraud bots, other information stealers, and even ransomware,” researchers from cybersecurity firm Sophos said in a report published last week.

The attacks work by taking advantage of a number of bait pages hosted on WordPress that contain “download” links to software packages, which, when clicked, redirect the victims to a different website that delivers potentially unwanted browser plug-ins and malware, such as installers for Raccoon Stealer, Stop ransomware, the Glupteba backdoor, and a variety of malicious cryptocurrency miners that masquerade as antivirus solutions.

“Visitors who arrive on these sites are prompted to allow notifications; If they allow this to happen, the websites repeatedly issue false malware alerts,” the researchers said. “If the users click the alerts, they’re directed through a series of websites until they arrive at a destination that’s determined by the visitor’s operating system, browser type, and geographic location.”

Traffic Exchange Networks

Using techniques like search engine optimization, links to the websites appear at the top of search results when individuals search for pirated versions of a wide range of software apps. The activities, considered to be the product of an underground marketplace for paid download services, allows entry-level cyber actors to set up and tailor their campaigns based on geographical targeting.

Traffic exchanges, as the distribution infrastructure is also called, typically require a Bitcoin payment before affiliates can create accounts on the service and begin distributing installers, with sites like InstallBest offering advice on “best practices,” such as recommending against using Cloudflare-based hosts for downloaders, as well as using URLs within Discord’s CDN, Bitbucket, or other cloud platforms.

Traffic Exchange Networks
Traffic Exchange Networks

On top of that, the researchers also found some of the services that act as “go-betweens” to established malvertising networks that pay website publishers for…