Beware of Fake CCleaner Search Results that Deliver Information-stealing Malware

The recently emerged ‘FakeCrack’ campaign has been disclosed by the researchers of Avast. The malware campaign tempts users into downloading fake cracked software.

Researchers say the bad actors behind the campaign have utilized a vast infrastructure to deliver malware and steal personal and other sensitive data, including crypto assets.

The Black SEO Mechanism

The infection stems from dubious sites that allegedly offer cracked versions of well-known and used software, such as games, office programs, or programs for downloading multimedia content. These sites are placed in the highest positions in search engine results.

Google Search Results Highlighting Malicious Sites

The majority of the results on the first page highlighted in the above image, lead to compromised crack sites and the user ends up downloading malware instead of the crack. This is called the Black SEO mechanism exploiting search engine indexing techniques.

Upon clicking the link, the user is redirected through a network of domains to the landing page. These domains have a similar pattern and are registered on Cloudflare using a few name servers.

Avast researchers say “Overall, Avast has protected roughly 10,000 users from being infected daily who are located primarily in Brazil, India, Indonesia, and France.”

The search results take the victim through various websites that finally display a landing page that contains a malware ZIP file. For instance the Japanese file-sharing filesend.jp or mediafire.com. Researchers say the ZIP is password-protected using a weak PIN like “1234,” which is merely there to protect the payload from anti-virus detection.

Landing Page

This ZIP contains a single executable file, normally named setup.exe or cracksetup.exe. Researchers collected eight different executables that were distributed by this campaign.

Information Stealing Malware

The malicious code gathers sensitive information from the PC, including passwords or credit card data from the browser and wallets’ credentials. Then the data are uploaded to the C2 servers in encrypted ZIP format, the researchers noticed that the ZIP file encryption key is hardcoded into the binary, which means that it could be easy to access it.

Researchers mention that the clipboard hijacking feature works with a variety of cryptocurrency addresses, including those for Bitcoin, Ethereum, Cardano, Terra, Nano, Ronin, and Bitcoin Cash addresses. The malware also uses proxies to steal cryptocurrency market account credentials using a man-in-the-middle attack that’s very tough for the victim to identify.

Therefore, if you suspect your computer has been compromised, check the proxy settings and remove malicious settings using the following procedure.

  • Remove AutoConfigURL registry key in the HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings

Victims can disable it by navigating to Network & internet on Windows Settings and switching the “Use a proxy server” option to ‘off’.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and their…

2 hours ago

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS environments…

14 hours ago

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling them…

18 hours ago

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases from…

18 hours ago

Tor Network Suffers IP Spoofing Attack Via Non-Exit Relays

In late October 2024, a coordinated IP spoofing attack targeted the Tor network, prompting abuse…

19 hours ago

Metasploit Framework Released with New Features

The Metasploit Framework, a widely used open-source penetration testing tool maintained by Rapid7, has introduced…

21 hours ago