How Cracks and Installers Bring Malware to Your Device

Upon accessing the link, a separate post on YouTube opens, revealing the download link for the fake installer.

In the following example, it leads to a download of the file from the Mediafire file hosting site:

In another case, the threat was uploaded to another file-hosting site called Mega.nz.

It’s clear that the threat utilizes known file hosting services as another layer to obscure its download further and evade detection.

In the cases we will discuss in this blog, we observed that these threats are often distributed as fake installers or cracked software, which victims inadvertently encounter while searching for them on search engines.

In the sample below, specific keywords trigger search results for these entries.

The third item in the search results (refer to screenshot above) comes from OpenSea (an NFT marketplace), which is unusual because it hosted a downloadable file. The entry contains a shortened link that redirects to the actual link. One assumption is that they use shortened links to prevent scraping sites from accessing the download link.

The following link will prompt you for the actual download link and the zip file’s password. Password-protecting the files can help prevent sandbox analysis of the initial file upon arrival, which can be a quick win for an adversary.

The fourth and last entry in the search results (refer to the search results screenshot above) came from SoundCloud, a music-sharing platform that hosted the download link with a corresponding description. In this case, the download link was shortened using Twitter.

The same user also posted additional entries that include means to download a specific file.

Content from another entry made by the same user.

Similar to the first case, another site displays the download link and password.

In one of our download links, we discovered evidence of other entries they are attempting to fake, as shown in VirusTotal (VT).

Infection analysis as seen by Managed XDR (post download)

In the next section, we will discuss instances where the download was successful and the content was executed. This case sample highlights the activities observed on the host.

Case 1 

One observation about the unpacked file is that its size is 900 MB. This large file size helps defense evasion and allows it to bypass sandbox analysis to appear more legitimate as an installer. Moreover, it is restricted from submission in VT.

The infection sequence is triggered upon executing the .exe file contained within the zip file.

 A threat has been detected involving the execution of batch files. The content of the batch file was sourced and, while different from the Managed XDR case, is still functionally similar.

The batch file contains obfuscated entries.

The first cleanup involves removing garbage entries.

The next step is to replace the variables, resulting in a clearer script.

According to the batch file, it builds the AutoIt script by combining the multiple created files and executes it. Upon execution, we observed that it dropped several additional files.

Processes may be injected with its code, and a new legitimate binary is sometimes introduced for process injection.

Collecting and preparing sensitive data from browser environments for credential access was completed through a copy file operation.

The process introduced by threat is also seen to establish connections to multiple command and control (C&C) addresses.

Besides accessing its C&C, our investigation observed the threat committing a series of queries related to Domain Generation Algorithm (DGA) domains.

Case 2

In this second case, the infection started when a user downloaded a compressed file from a known file hosting site. Once downloaded, the user unpacks the file, which would require a password, and executes the installer. Upon execution, it proceeds to do a series of suspicious events, such as spawning a legitimate process and injecting its code into it. The threat also introduces a known scripting tool, AutoIt, to further obfuscate its execution, and later, it connects to its C&C to download and execute additional malware, typically different variants of infostealer.

A snippet of the content of the zip file shows that, at a quick glance, it is just a standard application installer.

Setup.exe is a version of rustdesk.exe, an open-source remote desktop access software identified on VirusTotal.

The zip file contains a trojanized file for rustdesk.exe, where one of the DLLs is tampered with. For this specific sample, the tampered DLL that was loaded by Setup.exe was flutter_gpu_texture_renderer_plugin.dll.

When the file is executed, it displays an error but is already running in the background.

In the background, the following events have already taken place.

Injecting malicious code into legitimate binaries, such as more.com, StrCmp.exe, SearchIndexer.exe, and explorer.exe, to evade detection by security defenses.

It drops additional files that are information stealers or malware from a different family.

Creates autorun registry entry and scheduled tasks to ensure ongoing persistence.

Injected processes were later observed, which initiated C&C communication.

Bundle of Stealers/Loaders

This time, it’s not just a single info stealer but an army of recent noisy ones. This is not new, as it was also observed before with raccoon stealers.

Observed stealers in the cases:

• LUMMASTEALER
• PRIVATELOADER
• MARSSTEALER
• AMADEY
• PENGUISH
• VIDAR

Recap of the different methods of defense evasion observed in the case:

• Utilization of large file size – a means to bypass sandbox capabilities
• A password-protected zip file hinders content scanning and can complicate investigations if the password is unavailable.
• The files are uploaded to known media-sharing sites, which most antivirus programs would only detect if the exact link is discovered before the download.
• In some cases, download links are shortened, preventing scraping from sites.
• The operation uses legitimate files and employs DLL sideloading or process injection to execute its payload.

How Managed XDR helps in the case of an info-stealer infection from fake installers

Defense-in-depth is an important strategy that organizations use to protect their environments. In situations where a threat might have evaded some of these defense layers, Managed XDR can detect these incidents in real time. It offers the necessary analysis and actions to effectively contain the threat.

• Threat hunting and human analyst augmented alerting – Some activities may not be captured by alerts or could generate low-severity alerts, which Trend Vision One users might overlook. Threat hunting proactively searches for known tactics, techniques, and procedures (TTPs) or emerging threats, ensuring that alerts are issued. Additionally, Managed Detection and Response (MDR) analysts can determine whether certain detections require further attention from the customer, reducing the burden on Trend Vision One users to check every alert.
• Understanding the context of the alert – When a threat activity generates a detection, further correlation is necessary to provide context and capture the complete narrative of the events. Upon linking our findings to the initial alert, it becomes evident that most of the findings in the draft are not included in a single alert or detection. Additionally, some instances lack any related detection and were only connected through further investigation using the search application. As illustrated in the case findings shared earlier, these insights are obtained through the MXDR analyst’s deeper investigation of the initial triggers, which may include threat hunting or alerts generated from a workbench.
• Implementing response actions – As the fake installer infection progresses, MXDR analysts can initiate response actions to contain the threat on behalf of the customer. In the case we are dealing with, we have isolated the affected machines to prevent further spread. Indicators of Compromise (IOCs) have been added to the Suspicions Objects (SO) list to block any additional execution, and the suspicious files have been submitted to the analysis team for accurate detection.

Conclusion

Threat actors continue to use social engineering tactics to target its victims and apply different methods to avoid security defenses, including: DLL sideloading, using large installer files, password-protected ZIP files, process injection into legitimate processes, connections to legitimate websites, and creating copies of files and renaming them to appear benign.

It is important to stay updated on current threats and to remain vigilant regarding detection and alert systems. Visibility is important because solely relying on detection can result in many malicious activities going unnoticed. Organizations should consider the following to stay ahead of these threats:

• Implement a multi-layered defense approach for in-depth defense.
• Provide user education.
• Establish an incident response plan.
• Engage in threat hunting.
• Use a Managed Security Service Provider (MSSP).

Organizations can take advantage of Trend Vision One™ – Endpoint Security for prevention, detection, and response for user endpoints, servers, cloud workloads, and data centers.

Managed XDR offers a 24/7 managed detection and response (MDR) for email, endpoint, server, cloud workloads, and networks from our world-class MDR team

Trend Vision One Threat Intelligence

To stay ahead of evolving threats, Trend Micro customers can also access a range of Intelligence Reports and Threat Insights within Trend Vision One. Threat Insights helps customers stay ahead of cyber threats before they happen and be better prepared for emerging threats. It offers comprehensive information on threat actors, their malicious activities, and the techniques they use. By leveraging this intelligence, customers can take proactive steps to protect their environments, mitigate risks, and respond effectively to threats.

Trend Vision One Intelligence Reports App [IOC Sweeping]

• How Cracks and Installers Bring Malware to Your Device

Trend Vision One Threat Insights App

Hunting Queries

Trend Vision One Search App

Trend Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post with data in their environment.   

Potential autoit script construction

parentCmd:(“*.exe”) AND processCmd:(“*/c move*.cmd*&*.cmd”) AND objectCmd:(“*/c copy /b ..\*+ ..\*”)

More hunting queries are available for Trend Vision One customers with Threat Insights Entitlement enabled.

Indicators of Compromise (IoC)

Download the full list of IOCs here.