Researchers from Sophos have identified a new malware campaign in which Raccoon Stealer was served, bundled with other malware, through various sites operating as a “dropper as a service”. The bundles included variants of malware families such as click-fraud bots, information stealers and ransomware samples used to infect victims.

The Sophos team also observed that these malware networks used search engine optimization (SEO) techniques to place their malicious web pages on the first page of search results for queries requesting cracked versions of various software products.

“Most of the bait pages we found are hosted on WordPress blog platforms. Download buttons on these pages link to another host, passing a set of parameters that includes the package name and affiliate identifier codes to an application that then redirects the browser session to yet another intermediary site, before finally arriving at a destination.”

“Some clicks on bait pages are directed to a download site that hosts a packaged archive containing malware. Others are steered to browser plugins or applications that fall in a potentially unwanted grey area. Visitors who arrive on these sites are prompted to allow notifications; if they allow this to happen, the websites repeatedly issue false malware alerts. If the users click the alerts, they’re directed through a series of websites until they arrive at a destination that’s determined by the visitor’s operating system, browser type, and geographic location,” reads the blog post.

Traffic Exchange Networks

“In one instance, 15 bait blogs connected to infrastructure we tied to the InstallUSD install-as-a-service network. These sites had download buttons driven by a remote JavaScript that redirected visitors through a series of sites, including trackers that checked campaign-related information and generated redirects based on verification of the inbound link and assessment of the operating system and browser information from the User-Agent headers sent with each request. The tracker sites, and many of the bait blogs, were behind Cloudflare’s CDN, and almost all were registered through Namecheap.”
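The redirect chain described above (bait page, download gateway carrying package and affiliate parameters, tracker, archive) is something a defender can reconstruct from ordinary web-proxy logs. The following Python script is an added example written for this article, not code from Sophos or from the campaign: it stitches 3xx hops per client into chains and flags those that cross several hosts, start with affiliate-style query parameters and end in an archive download. The log format, hostnames, parameter names and every line of sample data are constructed for the example and are not indicators from the report.

```python
"""Reconstruct HTTP redirect chains from web-proxy logs and flag the
dropper-as-a-service pattern: a click passes package/affiliate parameters
to an intermediary, which bounces the browser through further hosts before
delivering an archive.  Everything below is constructed for the example;
no hostname or parameter here is an indicator from the report."""
from dataclasses import dataclass
from urllib.parse import urlparse, parse_qs

@dataclass
class Hit:
    client: str
    url: str
    status: int
    location: str  # Location header value on a 3xx response, else "-"

# Constructed proxy log, one request per line: "client status url location"
SAMPLE_LOG = """\
10.0.0.5 200 http://bait-blog.example/cracked-editor-2021/ -
10.0.0.5 302 http://dl-gateway.example/get.php?pkg=editor2021&aff=a1b2 http://trk.example/r?c=991
10.0.0.5 302 http://trk.example/r?c=991 http://cdn-files.example/pkg/editor2021.zip
10.0.0.5 200 http://cdn-files.example/pkg/editor2021.zip -
10.0.0.7 200 http://vendor.example/downloads/ -
10.0.0.7 302 http://vendor.example/dl?file=setup.exe http://vendor.example/files/setup.exe
10.0.0.7 200 http://vendor.example/files/setup.exe -
"""

ARCHIVE_SUFFIXES = (".zip", ".rar", ".7z")
# Query keys resembling the package/affiliate parameters bait pages pass along
# (assumed names for the example).
AFFILIATE_KEYS = {"aff", "affid", "affiliate", "pkg", "package"}

def parse_log(text):
    """Parse the constructed log format into Hit records."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, status, url, location = line.split()
        hits.append(Hit(client, url, int(status), location))
    return hits

def build_chains(hits):
    """Per client, follow each 3xx response whose Location matches the next
    request, producing ordered URL chains (redirect hops plus final page)."""
    by_client = {}
    for h in hits:
        by_client.setdefault(h.client, []).append(h)
    chains = []
    for client, seq in by_client.items():
        i = 0
        while i < len(seq):
            cur = seq[i]
            if not 300 <= cur.status < 400:
                i += 1
                continue
            chain = [cur.url]
            j = i + 1
            while 300 <= cur.status < 400 and j < len(seq) and seq[j].url == cur.location:
                chain.append(seq[j].url)
                cur = seq[j]
                j += 1
            chains.append((client, chain))
            i = j
    return chains

def suspicious(chain):
    """Return the reasons a chain looks like the bait-page download flow:
    multiple distinct hosts, affiliate-style parameters on the first hop,
    and an archive at the end."""
    hosts = {urlparse(u).netloc for u in chain}
    first_keys = set(parse_qs(urlparse(chain[0]).query)) & AFFILIATE_KEYS
    last_path = urlparse(chain[-1]).path.lower()
    reasons = []
    if len(hosts) >= 2:
        reasons.append(f"{len(hosts)} distinct hosts")
    if first_keys:
        reasons.append("affiliate/package params: " + ",".join(sorted(first_keys)))
    if last_path.endswith(ARCHIVE_SUFFIXES):
        reasons.append("ends in archive download")
    return reasons

def flag_chains(text, min_reasons=2):
    """Return (client, chain, reasons) for chains meeting the threshold."""
    flagged = []
    for client, chain in build_chains(parse_log(text)):
        reasons = suspicious(chain)
        if len(reasons) >= min_reasons:
            flagged.append((client, chain, reasons))
    return flagged

if __name__ == "__main__":
    for client, chain, reasons in flag_chains(SAMPLE_LOG):
        print(client, " -> ".join(chain), "|", "; ".join(reasons))
```

On the sample data only the first client's chain is flagged: it passes through three hosts, its first hop carries `pkg` and `aff` parameters, and it ends in a `.zip`. The vendor download for the second client stays on one host with no affiliate-style parameters and is left alone, which is the point of requiring more than one signal before raising an alert.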

During the analysis, the team also observed that the downloads included various PUPs, other malware, installers of STOP ransomware, the Glupteba backdoor and different types of cryptocurrency miners. Interestingly, Sophos researchers also found malware disguised as a licence-bypassed (“cracked”) version of their own product, HitmanPro, being served to victims via these downloads.

CyberWorkx news readers can find the IOCs for this malware here.

For more cyber security news in crisp content, please follow our site via the Twitter handle @cyberworkx1 and the LinkedIn handle @linkedin.
