The downloads contained a variety of potentially unwanted applications and malware. If the users click the alerts, they’re directed through a series of websites until they arrive at a destination that’s determined by the visitor’s operating system, browser type, and geographic location. Visitors who arrive on these sites are prompted to allow notifications. If they allow this to happen, the websites repeatedly issue false malware alerts. Others are steered to browser plugins or applications that fall in a potentially unwanted grey area. Some clicks on bait pages are directed to a download site that hosts a packaged archive containing malware. Download buttons on these pages link to another host, passing a set of parameters that includes the package name and affiliate identifier codes to an application that then redirects the browser session to yet another intermediary site, before finally arriving at a destination. Most of the bait pages we found are hosted on WordPress blog platforms. So we began to investigate the networks behind the sites themselves. We found a variety of information stealers, clickfraud bots, and other malware delivered through the sites, including Conti and STOP ransomware. All of these networks use search engine optimization to put a “bait” webpage on the first page of results for search engine queries seeking “crack” versions of a variety of software products. As we researched the Raccoon Stealer campaign, we discovered multiple other cases where some of these sites had been tied to other malware campaigns. We discovered multiple networks using the same basic tactics in our research. Multiple front-end websites targeting individuals seeking “cracked” versions of popular consumer and enterprise software packages link into a network of domains used to redirect the victim to the payload designed for their platform.
While the Raccoon Stealer campaign we tracked on these sites took place between January and April, 2021, we continue to see malware and other malicious content distributed through the same network of sites. These malware included an assortment of clickfraud bots, other information stealers, and even ransomware. During our recent investigation into an ongoing Raccoon Stealer (an information-stealing malware) campaign, we found that the malware was being distributed by a network of websites acting as a “dropper as a service,” serving up a variety of other malware packages, often bundling multiple unrelated malware together in a single dropper.