Some time ago, I noticed SEO poisoning leading to crack/keygen websites created to serve PUP installers.
All these fake crack/keygen websites lead to different PUP affiliate programs:
In the end, two different installers:
malekalmorte@Mak-tux:/tmp/mal$ ls -l|sort -k +5
total 10792
-rw-r--r-- 1 malekalmorte malekalmorte 1510928 mars 27 16:58 norton trial reset_10924_i47381854_il345.exe
-rw-r--r-- 1 malekalmorte malekalmorte 1510928 mars 27 17:00 Crack norton 2008 cn_10924_i47382273_il345.exe
-rw-r--r-- 1 malekalmorte malekalmorte 1537040 mars 27 17:02 Keygen norton exe_10924_i47382972_il345.exe
-rw-r--r-- 1 malekalmorte malekalmorte 1537040 mars 27 17:12 Singer number fa featherweight serial_10924_i47385459_il345.exe
-rw-r--r-- 1 malekalmorte malekalmorte 1592848 mars 27 17:44 Adobe Flash CS3 Portable EN_10924_i47393017_il345.exe
-rw-r--r-- 1 malekalmorte malekalmorte 477696 mars 27 16:56 Hack Tool 2015 Downloader.exe
-rw-r--r-- 1 malekalmorte malekalmorte 477696 mars 27 16:57 NORTON INTERNET SECURITY HACK Downloader.exe
-rw-r--r-- 1 malekalmorte malekalmorte 477696 mars 27 17:01 Norton Internet Security 2015 Downloader.exe
-rw-r--r-- 1 malekalmorte malekalmorte 477696 mars 27 17:13 G Data Antivirus 2015 Crack With Key Updated.exe
-rw-r--r-- 1 malekalmorte malekalmorte 477696 mars 27 17:53 G Data Antivirus 2015 Crack With Key Updated (1).exe
-rw-r--r-- 1 malekalmorte malekalmorte 478208 mars 27 17:03 FL Studio Mobile 2.0.1 Apk Data For Android download.exe
-rw-r--r-- 1 malekalmorte malekalmorte 478208 mars 27 17:03 Spybot search and Destroy 2.4 Key Crack Download Full.exe
ADWARE/MultiPlug :
https://www.virustotal.com/fr/file/992007bdce345a2fe692ad1d1120fb79793167051d49b8c4c3b3c6349c26b627/analysis/
https://www.virustotal.com/fr/file/36921c7953f71f44527cfd13e5a9472d6d5264e20fd5d150627b61ebf4fc0ebd/analysis/1427476495/
and Adware.Mikey / Trojan.Amonetize :
https://www.virustotal.com/fr/file/966754b49121fb7338da1122f69f1e12ad827e2c96d641d67c4e3fbbf2ea7ef4/analysis/1427476595/
https://www.virustotal.com/fr/file/992007bdce345a2fe692ad1d1120fb79793167051d49b8c4c3b3c6349c26b627/analysis/1427476593/
Installer example :
Some campaigns….
Fake Crack/keygen Websites
A large number of fake crack/keygen websites were created for SEO poisoning.
Some of them:
They manage to reach an Alexa rank of around 40k:
http://www.alexa.com/siteinfo/cracksfull.com
http://www.alexa.com/siteinfo/freecrackfilesdownload.blogspot.com
http://www.alexa.com/siteinfo/www.software-free.net
and sometimes much more:
Some of these hosting IPs are also used for phishing and other malicious activities:
All the redirector and PUP affiliate program websites are hosted on Amazon, and they favour the .xyz TLD.
Hacked websites
As usual, some compromised websites are used to host malicious content.
The goal is to abuse the ranking the site already has in order to appear at the top of search engine results.
I noticed different campaigns targeting WordPress websites.
An older one, with a specific pattern, was already used to push PUPs and Browlock ransomware; see:
https://www.malekal.com/2014/10/14/en-another-seo-poisoning-lead-to-pups/
https://www.malekal.com/2014/09/12/en-browlock-also-by-hacked-websites/
In another one, the attackers seem to upload a copy of a warez website into the wp-info directory.
Some examples of hacked websites hosting warez in « wp-info »:
Below is the API (the /lp1/query.php URLs) that redirects to the PUP affiliate website.
I updated my malicious URL database with these: http://malwaredb.malekal.com/url.php
We can notice that the redirects are linked to UA/RU.
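As an added example (not code from the original post), a small Python scan over constructed WordPress access-log lines that flags the two indicators described above: requests into a non-standard wp-* directory such as /wp-info/, and hits on the /lp1/query.php redirect API, marking those that arrive from a search-engine referer as SEO-poisoned traffic. The log lines, IPs and hostnames are made up.

```python
import re
from urllib.parse import urlparse
# Constructed Apache "combined" log lines for a WordPress site (IPs, host and times are
# made up); /wp-info/ and /lp1/query.php are the two indicators described in the post.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Mar/2015:16:58:01 +0100] "GET /wp-info/crack-norton-2008/ HTTP/1.1" 200 5120 "http://www.google.com/search?q=crack+norton+2008" "Mozilla/5.0"
203.0.113.9 - - [27/Mar/2015:16:58:05 +0100] "GET /lp1/query.php?id=10924 HTTP/1.1" 302 0 "http://blog.example/wp-info/crack-norton-2008/" "Mozilla/5.0"
198.51.100.4 - - [27/Mar/2015:17:00:12 +0100] "GET /2015/03/legit-post/ HTTP/1.1" 200 8432 "http://www.google.com/search?q=legit+post" "Mozilla/5.0"
198.51.100.5 - - [27/Mar/2015:17:01:44 +0100] "GET /wp-admin/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Mar/2015:17:02:30 +0100] "GET /wp-info/keygen-norton/ HTTP/1.1" 200 5100 "http://www.bing.com/search?q=keygen+norton" "Mozilla/5.0"
"""
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
WP_DIRS = {"wp-admin", "wp-content", "wp-includes"}  # top-level dirs of a stock install
SEARCH_ENGINES = ("google.", "bing.", "yahoo.")

def parse_line(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify_path(path):
    """Why a request path is suspicious for this campaign, or None if it is not."""
    if path.startswith("/lp1/query.php"):
        return "pup-affiliate-redirect-api"
    first = urlparse(path).path.split("/")[1]   # first directory component
    # stock top-level files such as wp-login.php contain a dot, so only bare wp-* dirs are flagged
    if first.startswith("wp-") and "." not in first and first not in WP_DIRS:
        return "non-standard-wp-directory"       # e.g. the /wp-info/ warez copy
    return None

def from_search_engine(referer):
    host = urlparse(referer).netloc.lower()
    return any(tag in host for tag in SEARCH_ENGINES)

def scan_log(text):
    """One finding per suspicious request; a search-engine referer marks SEO-poisoned traffic."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify_path(rec["path"])
        if reason:
            findings.append({"ip": rec["ip"], "path": rec["path"], "reason": reason,
                             "seo_poisoning": from_search_engine(rec["referer"])})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```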