Crypto stealing campaign spread via fake cracked software

The FakeCrack campaign lures users with fake cracked software and delivers a crypto-stealing malware that collects browser data, crypto wallets, and other sensitive information. It relies on a broad delivery infrastructure, password-protected ZIP payloads, and proxy-based exfiltration to stay under the radar.
#FakeCrack #Binance #Huobi #OKX

Keypoints

  • The campaign targets users seeking cracked software and disguises the payload as legitimate downloads.
  • Delivery relies on Black SEO to push compromised crack sites to the top search results.
  • Users are redirected through a network of domains (often Cloudflare-based) to a landing page linking to a malware ZIP file.
  • The downloaded ZIP is password-protected (commonly “1234”), masking the actual malware executable.
  • All eight sampled executables are stealers that collect browser data and crypto-wallet information and exfiltrate it to C2 servers as an encrypted ZIP.
  • Two persistence techniques are used: a clipboard watcher that swaps wallet addresses and a proxy configuration to capture crypto-transaction traffic.
  • Indicators of compromise include domain patterns (freefilesXX.xyz, …cfd), several IPs, file hashes, and specific proxy/BTC wallet-related artifacts.

MITRE Techniques

  • [T1189] Drive-by Compromise – The infection chain begins on dubious sites that supposedly offer cracked versions of popular software (games, office suites, multimedia downloaders). ‘The infection chain starts on dubious sites that supposedly offer cracked versions of well-known and used software, such as games, office programs, or programs for downloading multimedia content.’
  • [T1027] Obfuscated/Compressed Files and Information – ZIP files are encrypted with a simple password to evade analysis. ‘This ZIP is encrypted with a simple password (usually 1234) which prevents the file from being analyzed by antivirus software.’
  • [T1204.002] User Execution: Malicious File – The landing page leads to a malware ZIP file that users are instructed to download/run. ‘The landing page has different visual forms. All of them offer a link to a legitimate file share platform, which contains a malware ZIP file.’
  • [T1555.003] Credentials from Web Browsers – The stealer collects browser data including passwords and private data from crypto extensions. ‘The encrypted ZIP contains all information mentioned previously, like the information about the system, installed software, screenshot and data collected from the browser including passwords or private data of crypto extensions.’
  • [T1115] Clipboard Data – The clipboard changer monitors and alters clipboard content to hijack wallet addresses. ‘periodically checks the content of the clipboard. When it detects the presence of the crypto wallet address in the clipboard, it changes the value of the clipboard to the wallet address under the attacker’s control.’
  • [T1090] Proxy – The campaign uses a Proxy Auto-Config script to redirect traffic to attacker-controlled proxies. ‘set up an IP address to download a malicious Proxy Auto-Configuration script (PAC). By setting this IP address in the system, every time the victim accesses any of the listed domains, the traffic is redirected to a proxy server under the attacker’s control.’
  • [T1041] Exfiltration Over C2 Channel – Exfiltration of collected data occurs via encrypted ZIP to C2 servers. ‘The data has been exfiltrated in encrypted ZIP format to C2 servers.’
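The PAC-based redirection described in the Keypoints and under [T1090] can be audited without touching the network: a PAC file is plain JavaScript exposing FindProxyForURL(url, host), so a defender can load it with the standard helper functions shimmed and see which hosts it sends to which proxy. The script below is an added example, not code from the Avast write-up; SAMPLE_PAC, the exchange.example / wallet.example host names and the 192.0.2.10 proxy address are constructed placeholders, not indicators from the campaign.

```javascript
// Added example, not code from the Avast write-up: audit a Proxy Auto-Config
// (PAC) script offline and report which hosts it would route through a proxy.
// SAMPLE_PAC is constructed for illustration; 192.0.2.10 is a documentation-
// range placeholder, not an indicator from the campaign.
const SAMPLE_PAC = `
function FindProxyForURL(url, host) {
  if (shExpMatch(host, "*.exchange.example") || dnsDomainIs(host, "wallet.example")) {
    return "PROXY 192.0.2.10:8080";
  }
  return "DIRECT";
}`;

// Minimal versions of the standard PAC helper functions a script may call.
// Helpers not shimmed here stay undefined, so an unexpected call fails loudly.
function shExpMatch(str, pattern) {
  // Shell-style glob: escape regex metacharacters, then map * and ? to regex.
  const re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}
function dnsDomainIs(host, domain) {
  // Netscape semantics: plain suffix match on the host name.
  return host.endsWith(domain);
}
const pacHelpers = { shExpMatch, dnsDomainIs };

// Evaluate the PAC source with only the helpers above in scope and return
// its FindProxyForURL function.
function loadPac(pacSource) {
  const names = Object.keys(pacHelpers);
  const factory = new Function(...names, pacSource + "\nreturn FindProxyForURL;");
  return factory(...names.map((n) => pacHelpers[n]));
}

// For each host, record the PAC decision and flag proxies given as a bare IPv4
// literal, the pattern described for this campaign (a proxy set up by IP address).
function auditPac(pacSource, hosts) {
  const findProxy = loadPac(pacSource);
  const ipv4 = /^\d{1,3}(\.\d{1,3}){3}$/;
  return hosts.map((host) => {
    const decision = findProxy("https://" + host + "/", host);
    const first = decision.split(";")[0].trim();
    const proxy = first.startsWith("PROXY ") ? first.slice(6).trim() : null;
    const suspicious = proxy !== null && ipv4.test(proxy.split(":")[0]);
    return { host, decision, proxy, suspicious };
  });
}

console.table(auditPac(SAMPLE_PAC, ["trade.exchange.example", "wallet.example", "news.example"]));
```

On a Windows host the PAC URL in effect is the AutoConfigURL value under the Internet Settings key, so the same audit can be run against whatever script that URL serves.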

Indicators of Compromise

  • [Domain] Delivery infrastructure domains – goes12by[.]cfd, baed92all[.]cfd, aeddkiu6745q[.]cfd, 14redirect[.]cfd
  • [Domain] Additional redirector/landing domains – lixn62ft[.]cfd, kohuy31ng[.]cfd, wae23iku[.]cfd, yhf78aq[.]cfd
  • [Domain] File-sharing platforms used in landing pages – filesend.jp, mediafire.com
  • [Domain] Freefile domains used in infrastructure – freefiles34[.]xyz, freefiles33[.]xyz
  • [File] Malware executable filenames observed (delivered inside the password-protected ZIP) – setup.exe, cracksetup.exe
  • [SHA-256] Malware samples – bcb1c06505c8df8cf508e834be72a8b6adf67668fcf7076cd058b37cf7fc8aaf, c283a387af09f56ba55d92a796edcfa60678e853b384f755313bc6f5086be4ee, ac47ed991025f58745a3ca217b2091e0a54cf2a99ddb0c98988ec7e5de8eac6a
  • [IP Address] Stealer C2 and exfiltration servers – 185[.]250.148.76, 45[.]135.134.211
  • [IP Address] Additional C2/IPs – 194[.]180.174.180, 45[.]140.146.169, 37[.]221.67.219, 94[.]140.114.231
  • [SHA-256] Clipboard changer script – 97f1ae6502d0671f5ec9e28e41cba9e9beeffcc381aae299f45ec3fcc77cdd56
  • [IP Address] Malicious proxy server – 104[.]155.207.188
  • [SHA-256] Proxy-related artifact – e5286671048b1ef44a4665c091ad6a9d1f77d6982cf4550b3d2d3a9ef1e24bc7

Read more: https://blog.avast.com/fakecrack-campaign