You may not care where you download software from, but malware does

Cyber Security

Why do people still download files from sketchy places and get compromised as a result?

One of the pieces of advice that security practitioners have been giving out for the past couple of decades, if not longer, is that you should only download software from reputable sites. As far as computer security advice goes, this seems like it should be fairly simple to practice.

But even when such advice is widely shared, people still download files from distinctly nonreputable places and get compromised as a result. I have been a reader of Neowin for over a couple of decades now, and a member of its forum for almost that long. But that is not the only place I participate online: for a little over three years, I have been volunteering my time to moderate a couple of Reddit’s forums (subreddits) that provide both general computing support as well as more specific advice on removing malware. In those subreddits, I have helped people over and over again as they attempted to recover from the fallout of compromised computers. Attacks these days are usually financially motivated, but there are other unanticipated consequences as well. I should state this is not something unique to Reddit’s users. These types of questions also come up in online chats on various Discord servers where I volunteer my time as well.

One thing I should point out is that both the Discord and Reddit services skew to a younger demographic than social media sites such as Twitter and Facebook. I also suspect they are younger than the average WeLiveSecurity reader. These people grew up digitally literate and have had access to advice and discussions about safe computing practices available since pre-school.

A breakdown in communications

Despite having the advantage of having grown up with computers and information on securing them, how is it that these people have fallen victim to certain patterns of attacks? And from the information security practitioner’s side, where exactly is the disconnect occurring between what we’re telling people to do (or not do, as the case may be), and what they are doing (or, again, not doing)?

Sometimes, people will openly admit that they knew better but just did a “dumb thing,” trusting the source of the software when they knew it was not trustworthy. Sometimes, though, it appeared trustworthy, but was not. And at other times, they had very clearly designated the source of the malware as trustworthy even when it was inherently untrustworthy. Let us take a look at the most common scenarios that lead to their computers being compromised:

  • They received a private message via Discord “from” an online friend asking them for feedback on a game the friend was writing. The “game” the online friend was writing was in a password-protected .ZIP file, which they had to download and extract with the password before running it. Unfortunately, the friend’s account had been compromised earlier, and the attacker was now using it to spread malicious software.
  • They used Google to search for a commercial software package they wanted to use but specified that they were looking for a free or a cracked version of it and downloaded it from a website in the search results. It is not always commercial software; even free or open-source programs have recently been targeted by malicious advertising (malvertising) campaigns using Google Ads.
  • Similarly, they searched YouTube for a video about how to download a free or cracked version of a commercial software package, and then went to the website mentioned in the video or listed in its comments to download it.
  • They torrented the software from a well-known site specializing in pirated software.
  • They torrented the software from a private tracker, Telegram channel, or Discord server in which they had been active for over a year.

I would point out that these are not the only means by which people were tricked into running malware.  WeLiveSecurity has reported on several notable cases recently that involved deceiving the user:

  • In one notable case, KryptoCibule, cryptocurrency-focused malware that targeted Czech and Slovak users, was spread through a popular local file sharing service, masquerading as pirated games or downloadable content (DLC) for them.In a second, unrelated case, Chinese-language speakers in Southeast and East Asia were targeted with poisoned Google search results for popular applications such as the Firefox web browser, and popular messaging apps Telegram and WhatsApp, to install trojanized versions containing the FatalRAT remote access trojan.

Do any of these scenarios seem similar to each other in any way? Despite the various means of receiving the file (seeking out versus being asked, using a search engine, video site or piracy site, etc.) they all have one thing in common: they exploited trust.

Safe(r) downloads

When security practitioners talk about downloading files only from reputable websites, it seems that we are often only doing half of the job of educating the public about them, or maybe even a little less, for that matter: we’ve done a far better job of telling people what kind of sites to go to (reputable ones, obviously) without explaining what makes a site safe to download from in the first place. So, without any fanfare, here is what makes a site reputable to download software from:

  • You should only download software direct from the author or publisher’s site, or a site expressly authorized by them.

And… that’s it! In today’s world of software, the publisher’s site could be a bit more flexible than what it historically has been. Yes, it could be a site with the same domain name as the publisher’s site, but it could also be that the files are located on GitHub, SourceForge, hosted on a content delivery network (CDN) operated by a third party, and so forth. That is still the publisher’s site, as it was explicitly uploaded by them. Sometimes, publishers provide additional links to additional download sites, too. This is done for a variety of reasons, such as to defray hosting costs, to provide faster downloads in different regions, to promote the software in other parts of the world, and so forth. These, too, are official download sites because they are specifically authorized by the author or publisher.

There are also sites and services that act as software repositories. SourceForge and GitHub are popular sites for hosting open-source projects. For shareware and trial versions of commercial software, there are numerous sites that specialize in listing their latest versions for downloading. These download sites function as curators for finding software in one place, which makes it easy to search and discover new software. In some instances, however, they also can have a darker side: Some of these sites place software wrappers around files downloaded from them that can prompt to install additional software besides the program you were looking for. These program bundlers may do things completely unrelated to the software they are attached to and may, in fact, install potentially unwanted applications (PUAs) on to your computer.

Other types of sites to be aware of are file locker services such as Box, Dropbox, and WeTransfer.  While these are all very legitimate file sharing services, they can be abused by a threat actor: people may assume that because the service is trusted, programs downloaded from them are safe.  Conversely, IT departments checking for the exfiltration of data may ignore uploads of files containing personal information and credentials because they are known to be legitimate services.

When it comes to search engines, interpreting their results can be tricky for the uninitiated, or people who are just plain impatient. While the goal of any search engine—whether it is Bing, DuckDuckGo, Google, Yahoo, or another— is to provide the best and most accurate results, their core businesses often revolve around advertising. This means that the results at the top of the page in the search engine results are often not the best and most accurate results, but paid advertising. Many people do not notice the difference between advertising and search engine results, and criminals will take advantage of this through malvertising campaigns where they buy advertising space to redirect people to websites used for phishing and other undesirable activities, and malware. In some instances, criminals may register a domain name using typosquatting or a similar-looking top-level domain to that of the software publisher in order to make their website address less noticeable at first glance, such as example.com versus examp1e.com (note how the letter “l” has been released by the number “1” in the second domain).

I will point out that there are many legitimate, safe places to go on the internet to download free and trial versions of software, because they link to the publisher’s own downloads. An example of this is Neowin, for whom the original version of this article was written. Neowin’s Software download section does not engage in any type of disingenuous behavior. All download links either go directly to the publisher’s own files or to their web page, making Neowin a reliable source for finding new software.  Another reputable site that links directly to software publishers’ downloads is MajorGeeks, which has been listing them on a near-daily basis for over two decades.

While direct downloading ensures that you get software from the company (or individual) that wrote it, that does not necessarily mean it is free of malware: there have been instances where malicious software was included in a software package, unintentionally or otherwise.  Likewise, if a software publisher bundles potentially unwanted applications or adware with their software, then you will still receive that with a direct download from their site.

Special consideration should be applied to the various application software stores run by operating system vendors, such as the Apple App Store, the Google Play store, Microsoft’s Windows App stores, and so forth. One might assume these sites to be reputable download sites, and for the most part they are exactly that, but there is no 100% guarantee:  Unscrupulous software authors have circumvented app stores’ vetting processes to distribute software that invade people’s privacy with spyware, display egregious advertisements with adware, and engage in other unwanted behaviors. These app stores do have the ability to de-list such software from their stores as well as remotely uninstall it from afflicted devices, which offers some remedy; however, this could be days or weeks (or more) after the software has been made available. Even if you only download apps from the official store, having security software on your device to protect it is a must.

Device manufacturers, retailers, and service providers may add their own app stores to devices; however, these may not have the ability to uninstall apps remotely.

About the malware involved

With all of that in mind, you are probably wondering exactly what the malware did on the affected computers. While there were different families of malware involved, each of which having its own set of actions and behaviors, there were two that basically stood out because they were repeat offenders, which generated many requests for assistance.

  • STOP/DJVU, detected by ESET as Win32/Filecoder.STOP, is a family of ransomware that seemed to heavily target students. While not all of those affected were targeted in the same fashion, several students reported that the ransomware appeared after pirating commercial VST plugins intended for school or personal projects while at university. This is despite the plugins having been downloaded from “high reputation” torrents shared by long-time users and having dozens or sometimes even hundreds of seeders for that particular magnet link.

  • Shortly after the software piracy occurred, the students found fairly standard ransomware notes on their desktop. What was unusual about the extortion notes was that instead of asking to be paid tens or hundreds of thousands of dollars, much lower amounts were asked for by the criminals — around US$1,000-1,200 (in cryptocurrency). But that’s not all: victims paying within the first 24-72 hours of notification were eligible for a 50% discount. While the amount being extorted seems very low compared to what criminals targeting businesses ask for, the lower amount may mean a greater likelihood of payment by the victim, especially when faced with such high-pressure tactics.It is possible that the STOP/DJVU ransomware is marketed as ransomware-as-a-service (RaaS), which means its developers lease it out to other criminals in exchange for payment and a share of the profits. Other criminals may be using it as well, but it appears that at least one group has found its sweet spot in targeting students.

And just in case you were wondering: I have never heard of anyone successfully decrypting their files after paying the ransom to the STOP/DJVU criminals. Your best bet at decrypting your files is to back them up in case a decryptor is ever released.

  • Redline Stealer, as the name implies, is a family of customizable information-stealing trojans that are detected by ESET as MSIL/Spy.RedLine and MSIL/Spy.Agent. Like the STOP/DJVU ransomware, it appears to be leased out as part of the Criminal software as a Service family of tools. While I have seen multiple reports of it being spread through Discord, since it is “sold” as a service offering, there are probably many criminal gangs distributing it in different fashions for a variety of purposes. In these instances, the victims received direct messages from compromised friends’ accounts asking them to run software that was delivered to them in a password-protected .ZIP file. The criminals even told the victims that if their antivirus software detected anything, that it was a false positive alarm and to ignore it.

As far as its functionality goes, Redline Stealer performs some fairly common activities for information-stealing malware, such as collecting information about the version of Windows the PC is running, username, and time zone. It also collects some information about the environment where it is running, such as display size, the processor, RAM, video card, and a list of programs and processes on the computer. This may be to help determine if it is running in an emulator, virtual machine, or a sandbox, which could be a warning sign to the malware that it is being monitored or reverse engineered. And like other programs of its ilk, it can search for files on the PC and upload them to a remote server (useful for stealing private keys and cryptocurrency wallets), as well as download files and run them.

But the primary function of an information stealer is to steal information, so with that mind, what exactly does the Redline Stealer go after? It steals credentials from many programs including Discord, FileZilla, Steam, Telegram, various VPN clients such as OpenVPN and ProtonVPN), as well as cookies and credentials from web browsers such as Google Chrome, Mozilla Firefox, and their derivatives. Since modern web browsers do not just store accounts and passwords, but credit card info as well, this can pose a significant threat.

Since this malware is used by different criminal gangs, each of them might focus on something slightly different. In these instances, though, the targets were most often Discord, Google, and Steam accounts. The compromised Discord accounts were used to spread the malware to friends. The Google accounts were used to access YouTube and inflate views for certain videos, as well as to upload videos advertising various fraudulent schemes, causing the account to be banned. The Steam accounts were checked for games that had in-game currencies or items which could be stolen and used or resold by the attacker. These might seem like odd choices given all the things which can be done with compromised accounts, but for teenagers, these might be the most valuable online assets they possess.

To summarize, here we have two different types of malware that are sold as services for use by other criminals. In these instances, those criminals seemed to target victims in their teens and early twenties. In one case, extorting victims for an amount proportional to what sort of funds they might have; in the other case, targeting their Discord, YouTube (Google), and online games (Steam). Given the victimology, one has to wonder whether these criminal gangs are composed of people in similar age ranges, and if so, chose specific targeting and enticement methods they know would be highly effective against their peers.

Where do we go from here?

Security practitioners advise people to keep their computer’s operating systems and applications up to date, to only use their latest versions, and to run security software from established vendors. And, for the most part: people do that, and it protects them from a wide variety of threats.

But when you start looking for sketchy sources to download from, things can take a turn for the worse. Security software does try to account for human behavior, but so do criminals who exploit concepts such as reputation and trust. When a close friend on Discord asks you to look at a program and warns that your antivirus software may incorrectly detect it as a threat, who are you going to believe, your security software or your friend? Programmatically responding to and defending against attacks on trust, which are essentially types of social engineering, can be difficult. In the type of scenarios explained here, it is user education and not computer code that may be the ultimate defense, but that is only if the security practitioners get the right messaging across.

The author would like to thank his colleagues Bruce P. Burrell, Alexandre Côté Cyr, Nick FitzGerald, Tomáš Foltýn, Lukáš Štefanko, and Righard Zwienenberg for their assistance with this article, as well as Neowin for publishing the original version of it.

Aryeh Goretsky
Distinguished Researcher, ESET

Note: An earlier version of this article was published on tech news site Neowin.

Products You May Like

Leave a Reply

Your email address will not be published. Required fields are marked *