[en] PUPs by Cracks/Keygen

Sometimes ago, i notice some SEO poisonning leading to Cracks/Keygen websites created to offer PUPs installer.
All theses fake crack/keygen website lead to differents PUPs affiliate programs :

PUPs_by_crack_download3 PUPs_by_crack_download2 PUPs_by_crack_download
at the end two differents installers :

[email protected]:/tmp/mal$ ls -l|sort -k +5
total 10792
-rw-r--r-- 1 malekalmorte malekalmorte 1510928 mars 27 16:58 norton trial reset_10924_i47381854_il345.exe
-rw-r--r-- 1 malekalmorte malekalmorte 1510928 mars 27 17:00 Crack norton 2008 cn_10924_i47382273_il345.exe
-rw-r--r-- 1 malekalmorte malekalmorte 1537040 mars 27 17:02 Keygen norton exe_10924_i47382972_il345.exe
-rw-r--r-- 1 malekalmorte malekalmorte 1537040 mars 27 17:12 Singer number fa featherweight serial_10924_i47385459_il345.exe
-rw-r--r-- 1 malekalmorte malekalmorte 1592848 mars 27 17:44 Adobe Flash CS3 Portable EN_10924_i47393017_il345.exe
-rw-r--r-- 1 malekalmorte malekalmorte 477696 mars 27 16:56 Hack Tool 2015 Downloader.exe
-rw-r--r-- 1 malekalmorte malekalmorte 477696 mars 27 16:57 NORTON INTERNET SECURITY HACK Downloader.exe
-rw-r--r-- 1 malekalmorte malekalmorte 477696 mars 27 17:01 Norton Internet Security 2015 Downloader.exe
-rw-r--r-- 1 malekalmorte malekalmorte 477696 mars 27 17:13 G Data Antivirus 2015 Crack With Key Updated.exe
-rw-r--r-- 1 malekalmorte malekalmorte 477696 mars 27 17:53 G Data Antivirus 2015 Crack With Key Updated (1).exe
-rw-r--r-- 1 malekalmorte malekalmorte 478208 mars 27 17:03 FL Studio Mobile 2.0.1 Apk Data For Android download.exe
-rw-r--r-- 1 malekalmorte malekalmorte 478208 mars 27 17:03 Spybot search and Destroy 2.4 Key Crack Download Full.exe

ADWARE/MultiPlug :


and Adware.Mikey / Trojan.Amonetize :


Installer example :

PUPs_by_crack_hack_installer2 PUPs_by_crack_hack_installer

Some campaigns....

Fake Crack/keygen Websites

A lot of fake crack/keygen websites created to make SEO Poisonning.
Some :

cracksfull.com --
www.software-free.net -- software-free.net.
softwarespatch.com --
www.savvyeat.com --
cracksnew.com --
pcsoftwarespro.com --
apkappspro.co --
onhax.net --
softwaresnew.org --
crackserialpro.com --
realcracked.com --
crackserialpro.com --
mhktricks.net --
allactivators.com --

PUPs_by_crack4 PUPs_by_crack3 PUPs_by_crack2 PUPs_by_crack

they are able to reach around ~40k at Alexa :

and sometimes a lot :
some of theses IPs are also used for Phishing and others malicious activities :

All the redirector and PUP Afffiliate programs websites are hosted on Amazon & they like .xyz TLD.



Hacked websites

As usual, some hacked websites are hacked to host malicious contents.
The goal is to use the ranking of the website to be on the top of the research engine.

I notice differents campaigns that target WordPress websites.
An old one, with a specific pattern, already use to push PUPs & Browlock Ransomware - see :

PUPs_by_crack_hack_SEO_Poisonning2 PUPs_by_crack_hack_SEO_Poisonning


another one, seems the hackers upload a copy of a warez website in the wp-info directory.

PUPs_by_crack_hack_SEO_Poisonning3PUPs_by_crack_hack_SEO_Poisonning4_1 the original warez website :

Some examples of "wp-info" hacked website hosting warez :PUPs_by_crack_hack_SEO_Poisonning6

Below the API that redirect (/lp1/query.php URLs) to the PUP Affiliate website.PUPs_by_crack_hack_URLs2

i update my malicious URL database with theses : http://malwaredb.malekal.com/url.php
We can notice that the redirect are linked to UA/RU.


Vous avez trouvé cet article utile et interressant, n'hésitez pas à le partager...
bouton facebookbouton twitterbouton whatapps
Cet article est sous licence Creative Commons BY-NC-SA.
Vous êtes autorisé à partager et modifier cet article, à condition de créditer le site ainsi que la licence, d'utiliser la même licence si vous modifiez l'oeuvre et de ne pas en faire d'utilisation commerciale.