Once installed, the malware uses Smoke Loader to drop additional malware such as RedLine and Raccoon Stealer, which intensify information-gathering activities on an infected device.
Researchers at Sunnyvale, California-based software vendor and cloud security provider Proofpoint have reported a new threat luring unsuspecting users into downloading the so-called Privacy Tools service laced with malware.
Reportedly, the service promises users a tool that “encrypts” their data using a zip-like program. Malware operators have designed a full-fledged website, which is fake but looks genuine and contains complete details of the “alleged” service.
According to Proofpoint’s blog post, the fake website also offers step-by-step information on how to download the tool. In reality, however, the tool on offer is malware.
Smoke Loader used as Initial Payload
Proofpoint researchers state that malware operators have used Smoke Loader as the initial payload. Smoke Loader is a downloader and the preferred choice of numerous threat actors. It installs follow-on data-stealing malware such as RedLine and Raccoon Stealer to intensify information-gathering activities further.
Raccoon Stealer first appeared in 2019 as a “malware as a service” tool for cybercriminals to steal credentials like website cookies, passwords, system information, credit card data, and bitcoin wallet contents.
RedLine Stealer malware aims to steal information from browsers. It can gather data such as passwords and login details, autocomplete, and credit cards. It collects data about the user and system as well, including username, location, and hardware configuration.
Campaign Designed to Exfiltrate Data
Ironically, malware operators have used a privacy-themed campaign to lure users, who may fall prey to it quite easily. The malware gathers data from an infected host.
In addition, the fake website offers privacy tools for business and personal use, and visitors are asked to install Privacy Tools software via a particular section of the website.
The downloading is facilitated by compressed executables purporting to be file protection resources. The downloader actually installs Smoke Loader, which first appeared in 2011. It then downloads and installs follow-on malware.
No Conclusion on Malware Operators
Proofpoint researchers claim that the activity cannot be attributed to a specific group at this time. One of the IP addresses they detected in this campaign is linked with OpenNIC, a public service used to resolve certain types of domains, providing alternatives to those that ICANN doesn’t administer.
The fake website is registered by ssserviceshop1@yandexru via Registrar of Domain Names REGru, LLC. The same email and registrar were found to be associated with many other privacy-themed domains and C&C IPs.
If you are looking to protect your privacy, chances are you may end up downloading this malware believing it to be a privacy tool. Therefore, watch out: always scan files on VirusTotal and avoid downloading tools from third-party sites.
You should also refrain from using pirated software and games, as cryptocurrency malware like Crackonosh has been targeting unsuspecting users by disguising itself as popular video games.