The bulk of the victims of this Windows malware are in France, Brazil, Indonesia, and India
Avast has spotted at least 10,000 infection attempts per day, on average, through its customer telemetry data. This malware also has the potential to steal information from your crypto wallets. The Avast team claims that most of FakeCrack’s victims are in France, Brazil, Indonesia, and India. The FakeCrack malware can collect the user’s financial data, as well as crypto assets, and route the internet traffic via proxies. As BleepingComputer notes, the malware gets to the top of search results using Black Hat SEO methods. By populating the first few search results, the attackers can effectively trick unsuspecting users into downloading malware onto their computers. Avast found the malware hiding in a pirated/cracked version of CCleaner Professional. However, FakeCrack has also mimicked software like Movavi Video Editor and Microsoft Office to lure victims. The fake apps are promoted with keywords like “product activator,” “serial key,” and “cracked.”
Clicking the malicious search result takes users through several pages, eventually prompting them to download a ZIP file. The attackers use websites already familiar to users, such as MediaFire or FileSend. This gives the operation a sense of legitimacy and tricks more people into falling prey. The attackers also password-protect the ZIP file, which helps it evade anti-virus detection on the computer. The ZIP file password is usually as simple as “1234.” At this stage, the victim will find a file named cracksetup.exe or setup.exe. However, Avast says it has seen eight variations of the .exe filenames, making detection much harder.
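An added example, not from Avast or the original article: a Python triage check for the delivery pattern described above. Standard ZIP encryption leaves entry names and the per-entry encryption flag readable without the password, so a mail or download gateway can flag password-protected archives that carry executables even when the filename is one of the other variants. The extension list, verdict strings and sample archives are assumptions constructed for illustration.

```python
import io
import zipfile

# Names reported in the article; Avast saw eight variants, so treat as a hint only.
REPORTED_NAMES = {"setup.exe", "cracksetup.exe"}
EXECUTABLE_EXTS = (".exe", ".scr", ".msi", ".bat", ".cmd")  # assumed list
ENCRYPTED_FLAG = 0x1  # bit 0 of the ZIP general-purpose flags


def triage_zip(data: bytes) -> dict:
    """Inspect a ZIP's central directory; no password is needed for this."""
    findings = {"encrypted_executables": [], "reported_name_hits": [], "verdict": "no-finding"}
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings["verdict"] = "not-a-zip"
        return findings
    with archive:
        for info in archive.infolist():
            name = info.filename.rsplit("/", 1)[-1].lower()
            encrypted = bool(info.flag_bits & ENCRYPTED_FLAG)
            if encrypted and name.endswith(EXECUTABLE_EXTS):
                findings["encrypted_executables"].append(info.filename)
                if name in REPORTED_NAMES:
                    findings["reported_name_hits"].append(info.filename)
    if findings["encrypted_executables"]:
        findings["verdict"] = "quarantine"  # scanner cannot see inside; hold for review
    return findings


def build_sample(name: str, encrypted: bool) -> bytes:
    """Constructed test archive: harmless bytes, encryption flag patched in."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, b"placeholder, not a real binary")
    raw = bytearray(buf.getvalue())
    if encrypted:
        cd = raw.find(b"PK\x01\x02")   # central directory file header
        raw[cd + 8] |= ENCRYPTED_FLAG   # flags field sits at offset 8
    return bytes(raw)


if __name__ == "__main__":
    print(triage_zip(build_sample("cracksetup.exe", True)))
```

Matching on the encryption flag plus an executable extension catches renamed payloads that a filename blocklist would miss; the two reported names only raise confidence.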
FakeCrack can even steal content you’ve copied on the clipboard
In addition to stealing all your financial information, this malware can also obtain your clipboard’s contents. Furthermore, it can replace any wallet addresses you copy to the clipboard with addresses that are under the attacker’s control. With the new malware campaign spreading rapidly, users should temporarily avoid downloading files from unknown sources. As we’ve learned in this case, even the top Google Search results cannot be trusted.