- Malware disguised as cracked software infected millions of devices through manipulated search results
- Affiliates in a pay-per-install network turned piracy into a global cybercrime business
- The attackers accidentally exposed their operation after being infected by the same malware
A Pakistan-based operation has been linked to the distribution of infostealer malware disguised as cracked software, accumulating millions of dollars over five years.
CloudSEK reports that the network, traced mainly to Bahawalpur and Faisalabad, operated like a multi-level sales model, except that the product was malicious code.
The group lured victims through search engine optimization (SEO) poisoning and forum posts advertising pirated programs such as Adobe After Effects and Internet Download Manager.
Disposable domains masked the real source of malware
These listings redirected users to malicious WordPress sites, where malware such as Lumma Stealer, Meta Stealer and AMOS was embedded in password-protected archives.
The financial backbone of the operation was a pair of pay-per-install (PPI) networks: Instalbank and Spoxmedia, later renamed Installstersa.
Affiliates were paid for each successful installation or download of malware, with more than 5,200 members operating at least 3,500 sites.
Traced revenue exceeds $4 million, with payments made mainly through Payoneer and Bitcoin.
The scale was large, with records showing 449 million clicks and more than 1.88 million installs during the documented period.
The campaign took a turn when the attackers themselves were infected by infostealer malware, exposing credentials, communications and backend access to their own PPI systems.
This leak revealed strong indications of family involvement, with recurring surnames and shared accounts appearing throughout the infrastructure.
The group changed strategy over time, moving from install-based tracking in 2020 to download-centred metrics in later years, a change that may have been aimed at evading detection or adapting to new monetization methods.
Long-lived sites proved to be the most profitable, with a small fraction of domains generating most of the installs and revenue.
Short-lived disposable domains were also used to distance the source of infection from the final delivery of the payload.
This highlights the risks of pirated software, which often serves as the initial delivery method for such malware.
How to stay safe
- Avoid downloading cracked or pirated software, since it is a common method for delivering infostealer malware.
- Use legitimate software sources, such as developers' official websites and trusted distribution platforms.
- Keep security suites updated to detect and block known threats before they run.
- Configure a firewall to prevent malicious programs from communicating with remote servers.
- Enable multifactor authentication so that stolen passwords alone cannot grant access to an account.
- Monitor bank, email and online accounts regularly for signs of identity theft.
- Back up important data to secure offline or cloud storage to allow recovery after an attack.
- Stay informed about emerging cyber threats and suspicious domain activity.
- Be wary of offers that provide expensive software for free, since they often carry hidden security risks.