Pirated 3DMark benchmark tool delivering info-stealer malware – BleepingComputer

Pirate flag

Cybersecurity researchers have discovered multiple ongoing malware distribution campaigns that target internet users who seek to download copies of pirated software.

The campaign uses SEO poisoning and malvertising to push malicious shareware sites high in Google Search results, promoting fake software along with cracks and product activation key generators.

Malicious high-ranking search results
Malicious high-ranking search results (Zscaler)

The software used for luring victims in the ongoing campaigns, according to Zscaler that discovered them, includes the following:

  • Adobe Acrobat Pro
  • 3DMark
  • 3DVista Virtual Tour Pro
  • 7-Data Recovery Suite
  • MAGIX Sound Force Pro
  • Wondershare Dr. Fone

In many cases, the malicious executables masquerading as the promised software installers are hosted on file hosting services, so the landing pages redirect victims to other services to download the files.

Redirections diagram
Website redirections diagram (Zscaler)

Some of the fake shareware websites mentioned in the IoC section of Zscaler’s report:

  • xproductkey[.]com
  • allcracks[.]org
  • prolicensekeys[.]com
  • deepprostore[.]com
  • steamunlocked[.]one
  • getmacos[.]org

The redirection sites which deliver the malicious files have less fancy names and stand on “xyz” and “cfd” top-level domains.

The downloaded files are archives containing a 1.3MB password-protected ZIP to evade AV scans and a TXT file with the password.

The size of the unpacked ZIP balloons to 600MB using byte padding is a common anti-analysis practice followed by many malware authors.

The contained executable is a malware loader that spawns an encoded PowerShell command that launches a Windows command prompt (cmd.exe) after a 10 seconds timeout to evade sandbox analysis.

The cmd.exe process downloads a JPG file that is, in reality, a DLL file with its contents arranged in reverse.

Fetching the malicious image file
Fetching the malicious image file (Zscaler)

The loader re-arranges the contents in the correct order, derives the final DLL, a RedLine Stealer payload, and loads it into the current thread.

Redline stealer is a powerful info-stealing malware that can siphon passwords stored in web browsers, credit card data, bookmarks, cookies, cryptocurrency files and wallets, VPN credentials, computer details, and more.

In some cases, Zscaler noticed that the threat actors dropped copies of the ‘RecordBreaker’ stealer malware, packed with the Themida tool for obfuscation and detection avoidance.

The information targeted by that RecordBreaker is similarly extensive, so the final payload doesn’t make much difference for the victims.

RecordBreaker stealing browser cookies
RecordBreaker stealing browser cookies (Zscaler)

To stay safe from either, avoid downloading pirated software, product activators, cracks, serial key generators, and anything that promises access to paid software without paying.

Even if the sites that make these false promises appear high on search results, it doesn’t make them legitimate or trustworthy.

In June, we reported on a similar ‘Black Hat SEO’ campaign spreading poisoned pirated copies of CCleaner Pro containing info-stealing malware.

Leave a Reply