Pakistani Threat Actors Created 300+ Cracking Sites to Distribute Info-Stealing Malware

A recent in-depth investigation by Intrinsec has exposed a sprawling network of over 300 cracking websites, orchestrated by Pakistani freelancers, designed to distribute info-stealing malware.

These sites, often masquerading as legitimate sources for cracked software, have been identified as a primary vector for stealer compromises, impacting numerous corporate clients worldwide.

Unveiling a Vast Network of Malicious Infrastructure

The analysis reveals a sophisticated cybercrime ecosystem where Pakistani individuals, specializing in web development and digital advertising, build and promote these malicious platforms, often following a pay-per-install (PPI) model reminiscent of the infamous Cryptbot malware operation.

This model incentivizes financial gain by compensating actors for each successful malware installation, exploiting unsuspecting users who download seemingly free software.

On the technical side, the investigation traced infections back to domains such as kmspico[.]io, hosted on IP addresses like 45.12.1[.]24 in ranges belonging to Virtual Systems LLC.

Pivoting on these indicators, researchers found shared OpenSSH banners that linked the host to other malicious IPs, notably 45.12.1[.]30, which was associated with multiple cracking domains.

Figure: URLs associated with the IP address.

Technical Insights into Infrastructure

A key finding was the use of nameservers belonging to filescrack[.]com, active since 2021, which as of September 2024 had served more than 300 such websites.

Figure: Cracking websites associated with the nominative email address.

Additionally, the hosting provider 24xservice, tied to AS57717 and located in Lahore, Pakistan, was found to host an IP range (185.216.143[.]0/24) almost exclusively dedicated to these malicious sites.

WHOIS records further linked nominative email addresses to the real identities of Pakistani freelancers, some of whom have moved from illicit activities to legitimate ventures since 2023, highlighting how fluid roles in this ecosystem are.

The report also uncovered ties to PPI services like installpp[.]com, where commissions are earned based on victim demographics, amplifying the scale of distribution.

Geopolitically, the situation is compounded by Pakistan’s growing cyber alliances with China and Russia, alongside a lack of extradition treaties with the US and EU.

This legal gap renders prosecution of these threat actors nearly impossible, despite server seizures offering temporary relief.

Pakistan’s cybersecurity cooperation with China, focusing on intelligence sharing and emergency response, alongside its neutral stance in global conflicts, suggests a potential leniency towards such cyber activities if they do not target national interests.

This intricate web of technical infrastructure and geopolitical dynamics underscores the persistent challenge of dismantling such networks, as new domains and servers are swiftly rebuilt post-disruption.

The implications are severe, as compromised credentials harvested via these stealers are sold on dark web marketplaces, facilitating further attacks like ransomware or espionage through RATs.

Intrinsec’s analysis, while not delving into post-infection kill-chains (previously covered in Cryptbot and Lumma studies), emphasizes the upstream segmentation of cybercrime, where website creation and malware distribution are distinct yet interconnected roles.

Organizations are urged to block the extensive list of Indicators of Compromise (IOCs) provided, train employees on the risks of phishing and of downloading cracked software, and implement robust controls such as MFA and network monitoring to mitigate the risk.
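As an added example that is not part of the Intrinsec report, the following script applies the IOCs from the table below (the four cracking domains and the 24xservice range) to proxy log lines, matching domains by exact name or subdomain and destination IPs by CIDR membership; the log lines and their format are constructed for illustration.

```python
import ipaddress
import re

# IOCs taken from the Intrinsec table on this page (domains) and the 24xservice range.
IOC_DOMAINS = {"filescrack.com", "crackjin.net", "sadeempc.com", "pcserialkey.com"}
IOC_NETWORKS = [ipaddress.ip_network("185.216.143.0/24")]

def refang(value: str) -> str:
    """Turn a defanged indicator such as kmspico[.]io into kmspico.io."""
    return value.replace("[.]", ".").replace("hxxp", "http")

def domain_matches(host: str) -> bool:
    """True if host is an IOC domain or a subdomain of one (e.g. dl.filescrack.com)."""
    host = refang(host).lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

def ip_matches(ip: str) -> bool:
    """True if ip falls inside one of the flagged ranges."""
    try:
        addr = ipaddress.ip_address(refang(ip))
    except ValueError:
        return False
    return any(addr in net for net in IOC_NETWORKS)

# Constructed sample proxy log lines (not from the report): timestamp client host dest_ip
SAMPLE_LOG = """\
2024-09-03T10:01:12Z 10.0.0.5 updates.example.org 93.184.216.34
2024-09-03T10:02:40Z 10.0.0.7 www.filescrack.com 185.216.143.17
2024-09-03T10:03:05Z 10.0.0.9 cdn.example.net 185.216.143.200
2024-09-03T10:04:51Z 10.0.0.5 sadeempc.com.evil.example 203.0.113.8
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def scan(log_text: str) -> list[dict]:
    """Return one hit per line whose host or destination IP matches an IOC."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        ts, client, host, dest = m.groups()
        reasons = []
        if domain_matches(host):
            reasons.append("domain")
        if ip_matches(dest):
            reasons.append("ip")
        if reasons:
            hits.append({"ts": ts, "client": client, "host": host, "dest": dest, "reasons": reasons})
    return hits
```

Note that the fourth sample line is deliberately not flagged: suffix matching on "." + domain prevents a lookalike host from matching on a plain substring.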

Indicators of Compromise (IOCs)

Value               Type         Description
filescrack.com      Domain name  Cracking website and nameserver
crackjin.net        Domain name  Cracking website and nameserver
sadeempc.com        Domain name  Cracking website (hosted by 24xservice)
pcserialkey.com     Domain name  Cracking website (hosted by 24xservice)
185.216.143.0/24    IP range     24xservice, used for cracking websites
