Info-leaking Malware Distributed Through Google Keyword Search

The ASEC analysis team has previously dealt with BeamWinHTTP malware being distributed through adware and PUP programs. When users install cracks and keygens by downloading the installers from the phishing page, various PUP programs and BeamWinHTTP malware are installed together. BeamWinHTTP additionally installs info-leaking malware (info-stealers).

When users search with keywords like ‘program names,’ ‘cracks,’ and ‘keygens’ in a search engine like Google, they may come across websites with fake shortened URLs. In the example below, the short URL is ‘hxxps://imgfil[.]com,’ and ‘hxxps://blltly[.]com’ was found in another instance. It is deemed that ‘imgfil[.]com’ is an imitation of while ‘blltly[.]com’ is an imitation of

Scrolling down, several Korean words and sentences that do not fit the search keyword can be found. It is assumed that the various keywords such as ‘game cracks’ and ‘keygens for programs’ were inserted to make the website appear on the search result page of a search engine.

As seen from this example, there are cases of Korean blog sites that are used by attackers for phishing attacks.

When users click the link or the button, they are redirected to the download page as shown below. Finally, by clicking the ‘DOWNLOAD’ button, the compressed file is downloaded.

The following is a summary of the flow up to now:

Search Google
– A phishing page prompting users to click the download button
Clicking the Link or the Download Button
– hxxps://imgfil[.]com or hxxps://blltly[.]com
– hxxp://capabresume[.]com
– hxxps://eemgl[.]com
– hxxps://ezwcom[.]com
Clicking the Download Button
– hxxp://yabimer[.]com

When the file is decompressed, the two executable files are presented as shown below. However, as one file is hidden, users will only see the ‘call-of-duty-localiz_240662092.exe’ file and double-click it to begin the installation. The hidden file is a normal program named WSCC, and ‘call-of-duty-localiz_240662092.exe’ is malware that installs the adware.

Upon execution, it creates a random path in the Program Files (‘Program Files (x86)’ folder in the x64 environment) folder and runs the program. ‘C:\Program Files (x86)\Qui\maiores\Voluptatem.exe’ is the adware in this case, but seeing how the log shows paths such as ‘C:\Program Files (x86)\neque\sunt\tempora.exe’ and ‘C:\Program Files (x86)\zsclone\bin\aweclone,’ the malware does not target a specific folder or filename.

As for what happens after, see the article on the analysis of BeamWinHTTP that was introduced above. Additionally, a closer look at the recent malware downloaded through BeamWinHTTP reveals that the majority of them are still info-leaking malware, namely Vidar, Raccoon, and Ficker Stealer.

Attempting to download crack or keygen programs through Google search may result in the info-stealer malware being installed instead. Moreover, Korean users are also at the risk of downloading malware via search engines as the downloading website can be shown on non-English search results as well. Caution is advised.

[File Detection]
Adware/Win.DownloadAssistant.C4439209 (2021.04.26.01)
Adware/Win.DownloadAssistant.R417523 (2021.04.25.00)
CoinMiner/Win.Glupteba.R417680 (2021.04.26.00)
Trojan/Win.MalPE.R414432 (2021.04.04.00)
Trojan/Win.Generic.R372807 (2021.03.24.00)

[Behavior Detection]

[Memory Detection]

– dbbd0bf5c8767748801c9cb77be2aac1 (call-of-duty-localiz_240662092.exe)
– bcaa6072ae76b18c241b3102669d6ef9 (Voluptatem.exex)
– 5d3901176afa9675bb26ee263893dbd4 (beamwinhttp)
– 666dc98ef163a2bacdb9585816268705 (Ficker Stealer)
– a5577c6075410ba537ed3c54befcf8d3 (Raccoon Stealer)
– 664459b5bb0347021da4c830fd7ea0cd (Vidar Stealer)

Download URLs
– hxxps://imgfil[.]com
– hxxps://blltly[.]com
– hxxp://capabresume[.]com
– hxxps://ljett[.]com
– hxxps://eemgl[.]com
– hxxps://ezwcom[.]com
– hxxp://yabimer[.]com

5 1 vote
Article Rating
Notify of

Inline Feedbacks
View all comments