Here's another excellent reason not to pirate your software
A game crack can come with an extra infostealer, experts warn
Threat actors are masking the CryptBot malware with cracks for new games and pro-level software.
Cybersecurity researchers from Ahn Lab found a new campaign distributing CryptBot, an infostealer capable of exfiltrating saved browser passwords, cookies, browser history, data from crypto wallets, credit card information, and files from compromised endpoints.
The campaign revolves around creating multiple websites promoting cracks for computer games and professional-grade software. These websites and landing pages are properly optimized for search engines, ranking quite high on search engine result pages (SERP) for all the right terms.
Lighter malware
What's more, the attackers are using both custom domains and AWS-hosted sites, and in some cases redirect visitors several times before landing them on the delivery page. That means the landing page itself could be hosted on a legitimate but compromised site.
The malware itself has undergone a number of major changes as well. The researchers say the program has become lighter and lost a few features in order to stay better hidden and be easier to distribute.
Specifically, the anti-sandbox routine has been removed, as has the ability to take screenshots. The malware no longer collects TXT files from the desktop, and no longer has the second C2 connection and exfiltration folder. The latest version retains only the anti-VM CPU core count check and a single info-stealing C2.
At the same time, the attackers appear to be "constantly" refreshing both their C2 infrastructure and the dropper sites, the researchers say.
"The code shows that when sending files, the method of manually adding the sent file data to the header was changed to the method that uses a simple API. The user-agent value used when sending was also modified," the researchers said in a blog post.
"The previous version calls the function twice to send each to a different C2, but in the changed version, one C2 URL is hard-coded in the function."
The new variant also appears to work properly on all Chrome versions, while the older ones only worked on Chrome versions 81 to 95.
Via: BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.