It’s no secret that scammers are constantly trying to trick people into downloading malicious content from pirate sites.
These files are generally easy to spot for seasoned pirates and they are often swiftly removed from well-moderated sites. However, for casual downloaders, malware can be a serious problem.
Novices are often directed to dubious portals where these threats are harder to avoid, and that can have disastrous consequences. The damage isn’t limited to annoying popups either; it can result in real financial loss.
Bitdefender Warns Against Malicious Cracks
This week, cybersecurity company Bitdefender reports that hackers are actively using software cracks to empty people’s cryptocurrency wallets. The company discovered a series of malicious KMS activators for Office and Windows, as well as Adobe Photoshop cracks. These can completely compromise the victim’s computer.
If these malicious cracks are executed, they drop a copy of “ncat.exe”, the Nmap project’s legitimate netcat-style networking utility, under the attackers’ control. This tool is then used to transfer valuable data from the victim’s computer through a Tor proxy.
Torrent Clients Exfiltrate Crypto Wallets
Interestingly, Bitdefender reports that the attackers also use BitTorrent clients to exfiltrate data. Bitdefender’s director of threat research, Bogdan Botezatu, informs us that they discovered instances of the Transmission client that shared stolen data via torrents.
“Our monitoring shows that they are using the Transmission client to seed the information they want to exfiltrate. They create torrents with the data to be stolen, then use the client to seed that information through the network,” Botezatu informs TorrentFreak.
The torrent clients are not essential to the attack, but Bitdefender believes that they may be used to obfuscate the malicious traffic.
“While the attackers can directly exfiltrate data by simply zipping the files and sending them across the network, the BitTorrent avenue might help them bypass potential firewalls and blend the traffic into the peer-to-peer noise,” Botezatu adds.
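The two behaviours described above, ncat talking out through a local Tor SOCKS proxy and a Transmission client that appears from nowhere, are both visible in ordinary process-creation telemetry. The script below is an added example of such a hunt, written for this article rather than taken from Bitdefender’s writeup. It runs over a constructed JSON-lines log (fields `pid`, `image`, `parent_image`, `cmdline`); the crack-name regex, the expected Transmission install paths and the sample events are assumptions for illustration, not indicators from the report. What is not an assumption: ncat’s `--proxy host:port` and `--proxy-type socks5` options exist, and 9050/9150 are Tor’s default SOCKS ports.

```python
"""Hunt process-creation events for ncat launched through a Tor SOCKS proxy
and for the Transmission client started from an unexpected location or by a
crack/activator process.

Added example, not Bitdefender's tooling. Input is a constructed JSON-lines
export (pid, image, parent_image, cmdline); map the field names to your
Sysmon/EDR schema. The crack-name regex and expected install paths are
assumptions, not indicators from the writeup.
"""
import json
import re
from dataclasses import dataclass
from typing import List, Optional

# Tor's default SOCKS listener ports: 9050 for the tor daemon, 9150 for Tor Browser.
TOR_SOCKS_PORTS = {9050, 9150}

# Assumed heuristic for parent processes that look like a crack or activator.
CRACK_PARENT_RE = re.compile(r"crack|kms|activat|keygen", re.I)

# Assumed: a legitimately installed Transmission lives under Program Files.
EXPECTED_TRANSMISSION_DIRS = (
    r"c:\program files\transmission",
    r"c:\program files (x86)\transmission",
)

# Constructed sample events: a fake KMS activator dropping ncat and Transmission,
# plus two benign uses of the same tools that must not alert.
SAMPLE_LOG = r"""
{"pid": 4120, "image": "C:\\Users\\alice\\Downloads\\KMS_Activator.exe", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "\"C:\\Users\\alice\\Downloads\\KMS_Activator.exe\""}
{"pid": 4188, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\ncat.exe", "parent_image": "C:\\Users\\alice\\Downloads\\KMS_Activator.exe", "cmdline": "\"C:\\Users\\alice\\AppData\\Local\\Temp\\ncat.exe\" --proxy 127.0.0.1:9050 --proxy-type socks5 203.0.113.10 443"}
{"pid": 4202, "image": "C:\\Users\\alice\\AppData\\Roaming\\tr\\transmission-qt.exe", "parent_image": "C:\\Users\\alice\\Downloads\\KMS_Activator.exe", "cmdline": "transmission-qt.exe --minimized"}
{"pid": 5010, "image": "C:\\Program Files (x86)\\Nmap\\ncat.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "ncat.exe -l 4444"}
{"pid": 5033, "image": "C:\\Program Files\\Transmission\\transmission-qt.exe", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "\"C:\\Program Files\\Transmission\\transmission-qt.exe\""}
"""


@dataclass
class Finding:
    line_no: int
    rule: str
    detail: str


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _argv(cmdline: str) -> List[str]:
    # Split on whitespace but keep double-quoted paths (with spaces) as one token.
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def _proxy_target(argv: List[str]) -> Optional[str]:
    """host:port handed to ncat's --proxy option, if any."""
    for i, arg in enumerate(argv):
        if arg.startswith("--proxy="):
            return arg.split("=", 1)[1]
        if arg == "--proxy" and i + 1 < len(argv):
            return argv[i + 1]
    return None


def _port_of(hostport: str) -> Optional[int]:
    _host, sep, port = hostport.rpartition(":")
    return int(port) if sep and port.isdigit() else None


def analyse(event: dict, line_no: int) -> List[Finding]:
    findings: List[Finding] = []
    image = _basename(event["image"])
    parent = _basename(event["parent_image"])
    argv = _argv(event["cmdline"])

    if image in ("ncat.exe", "nc.exe"):
        target = _proxy_target(argv)
        if target is not None:
            tag = "tor-socks-port" if _port_of(target) in TOR_SOCKS_PORTS else "other-port"
            findings.append(Finding(line_no, "ncat_via_proxy", f"--proxy {target} ({tag})"))
        if CRACK_PARENT_RE.search(parent):
            findings.append(Finding(line_no, "ncat_spawned_by_crack", f"parent {parent}"))

    if image.startswith("transmission"):
        if not event["image"].lower().startswith(EXPECTED_TRANSMISSION_DIRS):
            findings.append(Finding(line_no, "transmission_unusual_path", event["image"]))
        if CRACK_PARENT_RE.search(parent):
            findings.append(Finding(line_no, "transmission_spawned_by_crack", f"parent {parent}"))
    return findings


def hunt(log_text: str) -> List[Finding]:
    """Run every rule over a JSON-lines export and return all findings in order."""
    findings: List[Finding] = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if line.strip():
            findings.extend(analyse(json.loads(line), n))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule}: {f.detail}")
```

On the sample log this flags only the two events spawned by the activator: ncat with `--proxy 127.0.0.1:9050` (a Tor SOCKS port) and a Transmission binary under `AppData\Roaming`, while the administrator’s `ncat -l 4444` and the Program Files copy of Transmission stay silent. The parent-process rule is the one that matters in practice: a network tool or torrent client whose parent is a freshly downloaded “activator” is suspicious regardless of which ports it uses.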
Hackers Install Transmission
It is worth noting that this doesn’t mean that Transmission users are somehow more vulnerable. The research found that the hackers actively install the client, so it can happen on any system.
With the backdoor, the hackers have full access to the victims’ computers. They use this to steal all sorts of valuable data, including Monero cryptocurrency wallets, if those are available.
The cybersecurity company believes that the operation isn’t fully automated. Instead, the malware is likely being controlled by a human operator who can change strategy based on the individual victim.
Firefox Credentials and More
In addition to stealing cryptocurrency wallets, the security researchers also found that the hackers are going after Firefox browser profile data, which includes browsing history, credentials, and session cookies. This can then be exploited to do more damage.
These are just a few examples of what can be done. Since the attackers have more or less full access, the victims are exposed to all sorts of threats, depending on what opportunities the hackers see.
“This list of actions is non-exhaustive, as attackers have complete control of the system and can adapt campaigns based on their current interests,” Bitdefender warns.
Who’s at Risk?
As we mentioned earlier, these types of malware-ridden cracks mostly affect people who download files from sites that have little or no moderation. This is confirmed by Bitdefender as well.
“These cracks are usually hosted on direct-download websites rather than on torrent portals, as the latter have a community that downvotes and flags malicious uploads,” Botezatu says.
At the moment the malware-loaded cracks are most prevalent in North America and India. More technical details about the files and processes involved can be found in Bitdefender’s full writeup.