Researchers from Sophos have identified a new malware campaign in which Raccoon Stealer is served as part of a bundle on various sites operating as a “dropper as a service”. The bundles also included variants of other malware families, such as click-fraud bots, information stealers and ransomware samples, used to infect the victims.
The Sophos team also observed that these malware networks were using search engine optimization techniques to place their malicious web pages on the first page of search results for queries seeking cracked versions of various software products.
“Most of the bait pages we found are hosted on WordPress blog platforms. Download buttons on these pages link to another host, passing a set of parameters that includes the package name and affiliate identifier codes to an application that then redirects the browser session to yet another intermediary site, before finally arriving at a destination.”
“Some clicks on bait pages are directed to a download site that hosts a packaged archive containing malware. Others are steered to browser plugins or applications that fall in a potentially unwanted grey area. Visitors who arrive on these sites are prompted to allow notifications; if they allow this to happen, the websites repeatedly issue false malware alerts. If the users click the alerts, they’re directed through a series of websites until they arrive at a destination that’s determined by the visitor’s operating system, browser type, and geographic location,” reads the blog post.
During the analysis, the team also observed that the downloaded items included various PUPs, other malware, installers of the STOP ransomware, the Glupteba backdoor and different types of cryptocurrency miners. Interestingly, Sophos researchers also observed malware disguised as a license-bypassed version of their own product, “HitmanPro”, being served up to victims via these downloads.
CyberWorkx News readers can find the IOCs for this malware here.