Bad Counterfeits: Legitimate Software Being Served with Adware
Attackers are always searching for new ways to exploit human behavior in order to get users to do what they want. Security researchers recently discovered almost thirty websites serving legitimate software bundled with adware. These website clones mimic the download pages of popular packages such as 7Zip, CloneZilla, and Thunderbird and are hosted on the French and Spanish top-level domains (TLDs) .fr and .es, respectively. The purpose of these sites is to trick users into downloading the adware-bundled package rather than going to the legitimate vendor’s website for a clean copy. Adware distributors are typically paid a small amount for each successful install, so it is in their interest to get the software onto as many machines as possible to maximize revenue.
Legitimate KeyPass Website
Cloned KeyPass Website serving an adware-laced version of KeyPass
I recently wrote about a state-sponsored attack campaign in which legitimate software downloads were replaced with spyware-laden versions with the help of middleboxes and local Internet Service Providers. The website clones in this case are far less sophisticated, but they could still achieve similar results. Tricking a user into installing something on their machine is one of the most sought-after outcomes for an attacker: if what gets installed is a Remote Access Trojan (RAT), the attacker effectively has full control of the host. The infected versions of the cloned software include the fully functional version of that software package, wrapped in an extra installer that offers the user some “optional” software such as AVG anti-virus or a search bar. The cloned websites are also served over HTTPS with valid, trusted TLS certificates issued by Let’s Encrypt, which lends them further credibility since users are taught to trust “secure” websites; in reality a domain-validated certificate only proves that whoever operates the site controls that domain, not that the operator is the vendor the page imitates. Even a user who takes the extra step of verifying the download against the MD5 hash published on the same website gains little: a matching hash shows only that the file was not altered in transit, not that it was clean to begin with, because the clone site simply publishes the hash of its own bundled installer. While this campaign is only mildly malicious, serving up Potentially Unwanted Applications (PUAs), the potential for abuse is significant.
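To make the hash-check point concrete, here is an added example (not code from the original post) that models the scenario: a genuine installer, the same installer with an adware stub appended, and two publishers of digests, the real vendor and the clone site. The installer bytes, the publisher names and the digests are all constructed for the example. The user who downloads from the clone and checks against the clone’s published hash sees a perfect match; only the digest obtained from the vendor reveals the tampering. SHA-256 is used rather than MD5, which is collision-broken.

```python
import hashlib
import hmac

# Constructed sample data (not real installers): the genuine installer bytes,
# and the same installer with an adware stub appended by the clone site.
GENUINE_INSTALLER = b"7ZIP-INSTALLER-v1.0\x00" + bytes(range(64))
BUNDLED_INSTALLER = GENUINE_INSTALLER + b"\x00ADWARE-OFFER-STUB"


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the file contents. MD5 is still common on vendor download
    pages, but it is collision-broken; prefer SHA-256 where it is published."""
    return hashlib.sha256(data).hexdigest()


def verify_download(data: bytes, expected_hex: str) -> bool:
    """True if the downloaded bytes match the published hex digest.
    compare_digest is constant-time; not strictly needed here, but a good habit."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.strip().lower())


def check_against_sources(data: bytes, published: dict) -> dict:
    """Check one download against digests from several publishers.
    `published` maps a source name to the hex digest that source publishes."""
    return {source: verify_download(data, digest) for source, digest in published.items()}


# What each site publishes. The clone site publishes the hash of *its* bundled
# installer, so a user checking against that page sees a match every time.
# Both source names are hypothetical.
PUBLISHED = {
    "vendor_site": sha256_hex(GENUINE_INSTALLER),  # digest from the legitimate vendor
    "clone_site": sha256_hex(BUNDLED_INSTALLER),   # digest from the same origin as the download
}


def audit_download(data: bytes) -> dict:
    """Scenario from the text: the user downloaded a file and checks its hash
    against every digest they can find. Returns a per-source match table."""
    return check_against_sources(data, PUBLISHED)


if __name__ == "__main__":
    # The user fetched the bundled installer from the clone site.
    for source, ok in audit_download(BUNDLED_INSTALLER).items():
        print(f"{source:12s} {'match' if ok else 'MISMATCH'}")
```

The practical rule this encodes: a digest is only as trustworthy as the channel it came from, so it must be fetched from the vendor’s own site (or, better, the vendor’s code-signing signature should be checked), never from the page that served the download.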
Thanks to WHOIS records, which many assumed the latest GDPR regulations had rendered useless, it was determined that all of these cloned websites were registered with a single e-mail address, indicating that they are likely all affiliated.
Users cannot simply trust the website they download software from. A network security solution that scans files before they are downloaded will help prevent known malicious file downloads. Security controls that block the download of executable files also ensure that users get known-good copies of software from their trusted IT department; such controls should identify executables by content rather than by file extension, since renaming the file is a trivial bypass. Where a hash check is used, the hash should come from the legitimate vendor’s site, not from the page the file was downloaded from. Taking the extra step of uploading the file to VirusTotal will help determine which AV vendors have flagged it as malicious, though adware bundles are often classified only as PUAs and will not be flagged by every engine. Lastly, a cloud sandbox is the last line of defense for determining whether a file is benign or malicious before a user is allowed to download it.
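The executable-blocking control above is only useful if it looks at file content rather than the name the file was served under. The following is an added example (not from the original post or any product it mentions) of that content check: it classifies a blob by its leading magic bytes (PE via the DOS stub and the e_lfanew pointer, ELF, Mach-O, OLE compound files such as MSI, and shebang scripts) and then applies a simple verdict. The “safe” extension list and the sample byte strings are constructed for the example; the verdict policy is an assumption, not a description of any particular gateway.

```python
import struct

# Well-known file signatures at offset 0. Comments note where a magic is
# ambiguous and the verdict should therefore be "suspect" rather than "certain".
ELF_MAGIC = b"\x7fELF"
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",  # 32/64-bit, big-endian byte order
    b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe",  # 32/64-bit, little-endian
    b"\xca\xfe\xba\xbe",                        # fat binary (also Java .class, ambiguous)
}
OLE_CF_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # MSI installers, but also legacy .doc/.xls


def sniff_executable(data: bytes):
    """Classify a blob by content, ignoring whatever filename it was served as.
    Returns a short type tag, or None if no executable signature is recognised."""
    if data.startswith(b"MZ"):
        # DOS stub. A Windows PE stores the offset of the "PE\0\0" signature
        # at 0x3c (e_lfanew); follow it to distinguish PE from a bare DOS binary.
        if len(data) >= 0x40:
            (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
            if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
                return "pe"
        return "mz-dos"
    if data.startswith(ELF_MAGIC):
        return "elf"
    if data[:4] in MACHO_MAGICS:
        return "macho"
    if data.startswith(OLE_CF_MAGIC):
        return "olecf"  # MSI or an old Office document; treat as suspect either way
    if data.startswith(b"#!"):
        return "script"
    return None


# Assumed policy for the example: extensions the gateway would normally let through.
SAFE_EXTENSIONS = {"txt", "pdf", "png", "jpg", "md", "zip"}


def download_verdict(filename: str, data: bytes) -> dict:
    """Block anything whose *content* is executable, and additionally flag the
    case where executable content hides behind a normally-safe extension."""
    kind = sniff_executable(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return {
        "kind": kind,
        "block": kind is not None,
        "extension_mismatch": kind is not None and ext in SAFE_EXTENSIONS,
    }


def fake_pe_sample() -> bytes:
    """Constructed minimal PE-shaped header: 'MZ', e_lfanew -> 0x40, 'PE\\0\\0'.
    Enough for the sniffer; it is not a loadable executable."""
    header = bytearray(b"MZ" + b"\x00" * (0x40 - 2))
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20


if __name__ == "__main__":
    samples = [
        ("7zip-setup.exe", fake_pe_sample()),
        ("7zip-manual.pdf", fake_pe_sample()),        # executable renamed to look safe
        ("install.sh", b"#!/bin/sh\necho hi\n"),
        ("readme.txt", b"plain text, nothing to see"),
    ]
    for name, blob in samples:
        print(f"{name:18s} {download_verdict(name, blob)}")
```

Note that the same idea applies in reverse: a gateway that blocks only on extension would wave through an installer served as `setup.pdf`, while one that blocks only on the PE magic would miss an MSI, hence the OLE compound-file signature is included even though it collides with legacy Office documents.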
At the time of writing, the following websites appear to be clones of legitimate websites: