Info Theft Malware Distribution Phishing Campaign

The ASEC analysis team discovered a phishing site that distributes info-stealer malware by disguising it as a crack program of a normal utility. As shared in the post posted on June 29th (, the phishing site appears in the top results when the utility program name is searched along with “Crack” on Google. It is assumed that many users were infected when they accessed the said site to download the crack of the utility program.

Figure 1. Phishing site that appears in the top results when searching for crack

As shown in Figure 2, the post is created and decorated with images of the actual utility program, which makes the site look quite legit. When the user accesses the website and clicks the download link shown in Figure 3, the user gets redirected to the malware distribution source, resulting in the download of the archive file that contains malware.

Figure 2. Phishing page

Figure 3. Download link of info leaking malware located at the bottom of the post

The malware gets downloaded with the form of utility name_specific hash The archive file has file that contains the info leaking malware, a .txt file containing the archive password, and a ReadMe.txt file that runs the malware.

Figure 4. Inside of the file

Upon opening the ReadMe document, it asks the user to close currently running Anti-Virus, firewall, etc. as shown in Figure 5. It may look like it’s asking as ordinary keygen and cracks are usually detected as malicious programs, but since this file only has a feature of malware, it is likely that the text was stated to bypass the malware detection.

Figure 5. Inside of the First-ReadMe–.txt file

If the password “77788899” is entered to extract, malware (SetupFile-86x-64xen.exe) gets generated.

Figure 6. Malware

When the malware is run, a regular AutoIt script run program ( from Figure 7) and an encoded malicious PE file are dropped into the “%temp%\IXP000.TMP” folder. Afterward, “c:\windows\system32\attrib.exe” is run, decodes the encoded PE, and continues with injection.

Figure 7. Process tree info of inhouse dynamic analysis system RAPIT

The decoded PE is an info leaking malware that has a feature of Anti-SandBox. The malware checks the following information and, and if any of the condition is met, it terminates its process.

Figure 8. Anti-Sandbox feature

  • Screen verification feature using GetSystemMetrics API (If horizontal axis of the current screen is smaller than 1027)
  • Number of CPU cores verification feature using GetSystemInfo API (If the number of CPU core is 1)
  • Use the registry key info as a reference, and terminates the process if the name of the CPU is “Xeon.”
  • Physical memory verification feature using GlobalMemoryStatusEx API (If physical memory is less than 2GB)

Once the SandBox environment verification is over, it leaks the following info from the user’s PC, compresses it as a zip file, and sends it to the C&C server.

  • Browser password info
  • Web browser cookie info
  • Cryptocurrency related wallet info
  • Screenshot of user PC’s desktop
  • CPU, RAM, OS, keyboard layout info of PC
  • List of installed SW

An interesting note on these phishing sites is that all the cracks of other utilities (Adobe Photoshop CC 2020, DLL Files Fixer, etc.) uploaded to this site redirects to the same malware distribution source, and ultimately running the same malware.

The ASEC analysis team believes that there are many other variants of this phishing site that distribute info leaking malware, therefore it is recommended that users refrain from accessing any illegal crack websites and aim to use genuine software.

AhnLab’s anti-malware product V3 detects the malware above using the aliases below.

[File Detection]

Dropper/Win32.AutoIt (2020.11.09.02)

[Behavior Detection]





<Phishing site>


<C&C address>

  • http[:]//

0 0 votes
Article Rating
Notify of

Inline Feedbacks
View all comments