
Tainted CCleaner Pro cracker spreads via black SEO campaign

Threat actors spread info-stealing malware through the search results for a pirated copy of the CCleaner Pro Windows optimization program.

Researchers from Avast have uncovered a malware campaign, tracked as FakeCrack, spreading through the search results for a pirated copy of the CCleaner Pro Windows optimization program.

The researchers pointed out that the operators behind the campaign used a large infrastructure to deliver info-stealing malware and harvest sensitive data, including crypto assets, from the victims.

Avast said it blocked roughly 10,000 infection attempts daily, most of them from users located in Brazil, India, Indonesia, and France.

The links surfaced by the Google search results point to a ZIP archive protected with a weak password, such as 1234, that contains a single executable file (e.g. setup.exe or cracksetup.exe).

“The landing page has different visual forms. All of them offer a link to a legitimate file share platform, which contains a malware ZIP file. The file sharing services abused in this campaign include, for example, the Japanese file sharing filesend.jp or mediafire.com.” reads the analysis published by Avast.

The experts analyzed eight executables, all of them with info-stealing capabilities. The malicious code harvests sensitive information from the PC, including passwords and credit card data stored in the browser as well as cryptocurrency wallet credentials. The stolen data are then uploaded to the C2 as an encrypted ZIP archive; the researchers noticed that the ZIP encryption key is hardcoded in the binary, which makes the exfiltrated archives easy to decrypt for anyone who has a sample.

The info-stealing malware also uses proxies to steal credentials and other sensitive data from some crypto marketplaces. The attackers host a malicious Proxy Auto-Configuration (PAC) script at an IP address under their control and write that address into the system's proxy settings; every time the victim accesses one of the domains listed in the script, the traffic is redirected to the attackers' proxy server. With this trick, the attackers are able to carry out man-in-the-middle attacks against those sites.

“This type of attack is quite unusual in the context of the crypto stealing activity; however, it is very easy to hide it from the user, and the attacker can observe the victim’s traffic at given domains for quite a long time without being noticed.” concludes the report.

To remove the malicious proxy settings, users have to perform the following actions manually:

  • Remove the AutoConfigURL registry value under the key HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  • Alternatively, using the GUI:
    • Click on the Start Menu.
    • Type Settings and press Enter.
    • Go to Network & Internet -> Proxy.
    • Delete the Script Address and click on the Save button.
    • Disable the “Use a proxy server” option.
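The registry step above can be scripted so that a helpdesk or an incident responder can check and clean an affected user profile in one pass. The following PowerShell script is an added example, not code from Avast or Security Affairs: it reads the per-user Internet Settings key named in the article, records the current AutoConfigURL and proxy state, flags a PAC URL that points at a raw IP address (the pattern described above), removes the AutoConfigURL value, disables the manual proxy, and asks WinINet to reload its settings. The IP-address heuristic and the WinINet option constants (39 and 37) are assumptions of this example, not details from the report. Run it in the context of the affected user, since the setting lives under HKCU.

```powershell
# Added example: inspect and clean the per-user PAC/proxy settings abused by FakeCrack.
# Key path is the one given in the article; the rest is this example's own logic.
$regPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$settings = Get-ItemProperty -Path $regPath

# Record the state before changing anything, so the responder has evidence of what was set.
[pscustomobject]@{
    AutoConfigURL = $settings.AutoConfigURL
    ProxyEnable   = $settings.ProxyEnable
    ProxyServer   = $settings.ProxyServer
} | Format-List

if ($settings.PSObject.Properties.Name -contains 'AutoConfigURL') {
    # Assumption for this example: a PAC served from a bare IP rather than a corporate
    # hostname is worth a warning, because that is how the campaign above delivers it.
    if ($settings.AutoConfigURL -match '^https?://\d{1,3}(\.\d{1,3}){3}') {
        Write-Warning "AutoConfigURL points at a raw IP address: $($settings.AutoConfigURL)"
    }
    # The article's first step: remove the AutoConfigURL value.
    Remove-ItemProperty -Path $regPath -Name 'AutoConfigURL'
    Write-Output 'Removed AutoConfigURL.'
} else {
    Write-Output 'No AutoConfigURL value present.'
}

# Equivalent of the GUI step "Disable the Use a proxy server option".
if ($settings.ProxyEnable -eq 1) {
    Set-ItemProperty -Path $regPath -Name 'ProxyEnable' -Value 0
    Write-Output 'Set ProxyEnable to 0.'
}

# Ask WinINet-based applications (Internet Explorer, Edge legacy, many .NET apps) to
# re-read the proxy configuration without a reboot.
$signature = @'
[DllImport("wininet.dll", SetLastError = true)]
public static extern bool InternetSetOption(IntPtr hInternet, int dwOption, IntPtr lpBuffer, int dwBufferLength);
'@
$wininet = Add-Type -MemberDefinition $signature -Name 'WinINet' -Namespace 'ProxyCleanup' -PassThru
$null = $wininet::InternetSetOption([IntPtr]::Zero, 39, [IntPtr]::Zero, 0)  # INTERNET_OPTION_SETTINGS_CHANGED
$null = $wininet::InternetSetOption([IntPtr]::Zero, 37, [IntPtr]::Zero, 0)  # INTERNET_OPTION_REFRESH
```

Because the change is confined to HKCU, the script needs no elevation, but it also only cleans the profile it runs in; on a shared machine run it once per affected user. The printed "before" state is worth keeping with the incident record, since the PAC URL identifies the attacker infrastructure the host was talking to.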


Pierluigi Paganini

(SecurityAffairs – hacking, CCleaner)
