The Info Stealer Is Distributed Through Cracked App Sites
A federal judge sided with Google in a bid to block online infrastructure behind an info stealer masquerading as legitimate versions of the Chrome browser and Google Earth Pro.
The Silicon Valley giant obtained a temporary restraining order blocking internet traffic from reaching hundreds of web domains used as command and control for the CryptBot botnet and for distributing cracked software. Cracked applications, stripped of their licensing and copyright controls, are a common vector for malware distribution (see: Would-Be Software Pirates Served Malware Through ‘NullMixer’).
The order is valid for 14 days or until it becomes permanent following a court hearing scheduled for May 4.
Google in its newly unsealed complaint names three individuals in Pakistan as being primarily responsible for a network of more than 150 websites, such as mazterize.net, that distribute license-free versions of software including Google apps, which are already free to use. The three men ran a company called 360Installer, whose web page now displays this message: “We regret to inform you that our business is permanently closed.” The lawsuit also says 15 unidentified individuals were responsible for operating the CryptBot malware.
Google says 360Installer previously advertised that it paid affiliates $2 per installation of a cracked software application.
Of the 161 active domains associated with 360Installer, Google says approximately 90 were associated with the delivery of malware and about 29 were associated with CryptBot.
The computing giant also identified hundreds of domains used by CryptBot as command-and-control sites, including domains such as nekrvw111.top. All the malicious domains used the .top top-level domain, which has been active since 2014.
CryptBot was first discovered in 2019 and made a resurgence in early 2022. Google estimates it infected 670,000 computers during the last year. Cybersecurity firm AhnLab in 2022 spotted a newly improved version of the info stealer on cracked software distribution web pages. The malware checks infected computers for installations of Chrome and extracts information from them, including logon credentials and cryptocurrency account information.
“We’re targeting the distributors who are paid to spread malware broadly for users to download and install, which subsequently infects machines and steals user data,” the tech giant said in a blog post. “Cybercriminals often operate like businesses, specializing in a particular function, and partner with other criminal specialists to profit off harm to innocent users,” the post says.
Google in its complaint cited a slew of federal statutes it said the named and unidentified defendants had violated, including the main statute against organized crime, the Racketeer Influenced and Corrupt Organizations Act. It also accused the defendants of infringing on its trademarks and of violating the main U.S. anti-hacking statute, the Computer Fraud and Abuse Act.