Malware that steals passwords, credit cards, and crypto wallets is being promoted via search results for a pirated edition of the CCleaner Pro Windows optimization software. This new malware distribution effort, called “FakeCrack,” was uncovered by Avast analysts, who say their customer telemetry data shows an average of 10,000 infection attempts every day. France, Indonesia, Brazil, and India account for most of the victims.
This campaign’s malware is a formidable data thief that can gather personal information and bitcoin assets while also routing internet traffic via data-snatching proxies. To get more individuals to download tainted executables, the threat actors use Black Hat SEO strategies to position their malware-distribution websites high in Google Search results.
Avast found the campaign using a cracked variant of CCleaner Professional as its lure, a popular Windows system cleaner and performance optimizer that many users still consider a “must-have” program. The poisoned search results send the victim through a series of websites that eventually end at a landing page with a ZIP file download option. A reputable file hosting site, such as filesend.jp or mediafire.com, is frequently used to host this landing page.
The ZIP is password-protected with a weak PIN like “1234”, which is there only to keep anti-virus software from detecting the payload. Typically, the program within the package is named “setup.exe” or “cracksetup.exe,” although Avast has spotted eight distinct executables used in this operation. Victims are deceived into installing malware that attempts to steal information stored in web browsers, such as account passwords, saved credit cards, and cryptocurrency wallet details.
The malware also watches the clipboard for copied wallet addresses and substitutes them with ones controlled by its operators to reroute funds. This clipboard hijacking tool works with Bitcoin, Ethereum, Cardano, Terra, Nano, Ronin, and Bitcoin Cash addresses, among others. The malware also employs proxies to steal cryptocurrency market account credentials using a man-in-the-middle attack that is difficult for the victim to detect or recognize.
“Attackers were able to set up an IP address to download a malicious Proxy Auto-Configuration script (PAC),” explains Avast in the report. “By setting this IP address in the system, every time the victim accesses any of the listed domains, the traffic is redirected to a proxy server under the attacker’s control.”
This proxying mechanism is added through a new registry entry in “HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings”. It can be turned off by going to Network & internet in Windows Settings and turning off the “Use a proxy server” option.
Since the campaign is already well-established and infection rates are high, avoid downloading cracked software from any source, even if the download sites appear to be highly ranked on Google.
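The following is an added triage example, not code from Avast or from the original article. It audits the text output of `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"` collected from an endpoint for per-user proxy configuration. The value names `AutoConfigURL`, `ProxyEnable` and `ProxyServer` are the standard Windows ones rather than names given on this page, and rating a PAC URL with an IP-literal host as high severity is an assumption based on Avast's description.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed samples of `reg query` output for the Internet Settings key.
# 203.0.113.10 is a documentation address (RFC 5737), not a campaign indicator.
SAMPLE_INFECTED = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    CertificateRevocation    REG_DWORD    0x1
    ProxyEnable    REG_DWORD    0x0
    AutoConfigURL    REG_SZ    http://203.0.113.10/pac.txt
"""
SAMPLE_CLEAN = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    ProxyEnable    REG_DWORD    0x0
"""

VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s{4}(?P<type>REG_[A-Z_]+)\s{4}(?P<data>.*)$")

def parse_reg_query(text):
    """Return {value_name: data} parsed from `reg query` text output."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values[m.group("name")] = m.group("data").strip()
    return values

def host_is_ip_literal(url):
    """True when the URL's host is a bare IPv4/IPv6 address, not a DNS name."""
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def audit_proxy_settings(text):
    """Return (severity, value_name, data) findings for the proxy settings."""
    v = parse_reg_query(text)
    findings = []
    pac = v.get("AutoConfigURL")
    if pac:
        # Assumed heuristic: a PAC script fetched from a raw IP is rated HIGH.
        sev = "HIGH" if host_is_ip_literal(pac) else "REVIEW"
        findings.append((sev, "AutoConfigURL", pac))
    if int(v.get("ProxyEnable", "0x0"), 16) == 1:
        findings.append(("REVIEW", "ProxyServer", v.get("ProxyServer", "")))
    return findings
```

A PAC URL that points at a known corporate hostname comes back as `REVIEW` rather than `HIGH`, so legitimate enterprise proxy auto-configuration is surfaced for confirmation instead of being treated as an infection.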