Continuing from our last post, where we introduced our readers to Dropper-as-a-Service, this post elaborates on how it works by looking at an active campaign.
An ongoing malicious campaign has been exploiting a network of websites to deliver a bundle of malware payloads to victims’ PCs using dropper-as-a-service. It targets users looking for cracked versions of business and consumer software.
What Transpired?
According to researchers, the campaign was uncovered while examining an ongoing Raccoon Stealer campaign. Click-fraud bots, information stealers, and ransomware were among the malware that was dropped.
- The majority of the attacks make use of WordPress-hosted bait pages. These pages contain software package download links that, when clicked, take the visitor to another website.
- These websites distribute Raccoon Stealer installers, the Glupteba backdoor, Conti and Stop ransomware, and bitcoin miners masquerading as antivirus solutions.
- The websites encourage visitors to accept browser notifications, which then deliver a slew of fake malware alerts. The user is subsequently forwarded through a number of different websites.
- The visitor is redirected through several websites until he or she reaches the intended landing site, which is selected based on the visitor’s browser type, operating system, and geographic location.
Some operators have been seen charging as little as $2 per 1,000 malware installs through droppers. Wannabe cyber actors can personalize their campaigns by using these services.
How are the users lured?
When someone searches for pirated software, the attackers use SEO tactics to place their bait pages at the top of the search results.
These types of operations are most commonly seen as paid download services on the underground market.
- Traffic exchanges (distribution infrastructure) are also used. Services such as InstallBest require a Bitcoin payment before partners can register accounts and start distributing installers; their sites also provide guidance to partners.
- That guidance includes a recommendation against using Cloudflare-based sites for downloaders, and covers the use of URLs within Discord’s CDN, Bitbucket, or other platforms.
- Furthermore, certain providers (such as InstallUSD) do not operate their own malware delivery networks. Instead, they act as middlemen, arranging for malvertising networks to pay site owners for the visitors they send.
Dropper-as-a-service allows any amateur attacker with money to personalize an attack campaign. Cybercriminals appear to be growing more sophisticated, and they are increasingly using warez websites as an infection vector. As a result, security agencies should keep watch on such nascent criminal enterprises and take appropriate countermeasures.
To read more, please check the eScan Blog.