A Dropper-Type Malware Bomb Being Distributed Again in the Disguise of Cracks

The dropper malware which camouflaged itself as a crack is being actively distributed again after a period of dormancy. When this malware is executed, the affected system becomes infected with numerous malware programs simultaneously. This is effectively a malware “bomb.”

Malware disguised as cracks for commercial software have been prevalent, which were either distributed in a “singular malware” format or “dropper malware” format. The ASEC analysis team is closely monitoring such malware distribution activities and has covered them multiple times in our blog posts.

The malware is distributed from malicious websites which are exposed at the top of search result pages of search engines. The threat actor created a large number of malicious websites disguised as crack download sites using various keywords, and when users click the Download button on these pages, they are redirected to the malware distribution page. While the malware periodically undergoes appearance changes, the downloaded file remains a password-protected compressed file.

Since the end of June, dropper-type malware disappeared from the distribution process above, and singular malware of abnormal size became the most common type. CryptBot, Vidar Stealer, and Raccoon Stealer (RecordBreakerStealer) were the most frequently distributed malware, and about 100 new hash malware samples were found per week. There have also been cases of distribution of new malware that had not been reported previously.

Until now, dropper-type malware were not distributed directly from distribution web pages but sometimes downloaded from other malware to be executed. However, they are being actively distributed these days, using distribution web pages disguised as crack download pages as they did in the past.

When the ZIP file downloaded from the distribution page is decompressed, the “install_setup.exe”(NSIS) file is created. When this file is executed, it creates a 7z SFX file in the TEMP path with the name “setup_installer.exe” before executing it. This file contains 10 to 15 malware programs and a loader to run these. As a result, all of the malware files are created and executed one by one. Thus, users must be especially careful as their systems can be infected with multiple malware at once.

While no big changes have been made to the execution method or the types of malware included in the file, in the early days when the malware restarted its distribution, there have been multiple unique cases where there were either only two malware files or duplicates of the malware program of the same hash. Judging from past distribution cases, they are deemed as either a mistake on the part of the threat actor or samples for testing distribution.

The V3 product line blocks malware infection in advance through file detection, but user discretion is advised because according to the product detection log, there are many cases where the malware turns off real-time scanning or turns the malware into an exception before executing them.

AhnLab detects and blocks the malware using the alias below.

  • Trojan/Win.Muldrop.R487182 (2022.06.12.01)

[IOC Info]


Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

5 1 vote
Article Rating
Notify of

Inline Feedbacks
View all comments