One of the pieces of advice that security practitioners have been giving out for the past couple of decades, if not longer, is that you should only download software from reputable sites. As far as computer security advice goes, this seems like it should be fairly simple to practice.
But even when such advice is widely shared, people still download files from distinctly non-reputable places and get compromised as a result. I have been a reader of Neowin for over a couple of decades now, and a member of its forum for almost that long. But that is not the only place I participate online: for a little over three years, I have been volunteering my time to moderate a couple of Reddit’s forums (subreddits) that provide both general computing support as well as more specific advice on removing malware. In those subreddits, I have helped people over and over again as they attempted to recover from the fallout of compromised computers. Attacks these days are usually financially motivated, but there are other unanticipated consequences as well. I should state this is not something unique to Reddit’s users. These types of questions also come up in online chats on various Discord servers where I volunteer my time as well.
One thing I should point out is that both the Discord and Reddit services skew to a younger demographic than social media sites such as Twitter and Facebook. I also suspect they are younger than the average Neowin member. These people grew up digitally literate, and have had advice and discussions about safe computing practices available to them since pre-school.
A breakdown in communications
Despite having the advantage of having grown up with computers and information on securing them, how is it that these people have fallen victim to certain patterns of attacks? And from the information security practitioner’s side, where exactly is the disconnect occurring between what we’re telling people to do (or not do, as the case may be), and what they are doing (or, again, not doing)?
Sometimes, people will openly admit that they knew better but just did a “dumb thing,” trusting the source of the software when they knew it wasn’t trustworthy. Sometimes, though, it appeared trustworthy, but was not. And at other times, they had very clearly designated the source of the malware as trustworthy even when it was inherently untrustworthy. Let’s take a look at the most common scenarios that lead to their computers being compromised:
- They received a private message via Discord from an online friend asking them for feedback on a game the friend was writing. The “game” the online friend was writing was in a password-protected .ZIP file, which they had to download and extract with the password before running it.
- They used Google to search for a commercial software package they wished to use, but specified they were looking for a free or a cracked version of it, and downloaded it from a website in the search results. It is not always commercial software; even free or open source programs have recently been targeted by malicious advertising (malvertising) campaigns using Google Ads.
- Similarly, they searched YouTube for a download of a free or cracked version of a commercial software package, and went to a website mentioned in the video or listed in its comments to download it.
- They torrented the software from a well-known site specializing in pirated software.
- They torrented the software from a private tracker, Telegram channel, or Discord server in which they had been active for over a year.
Do any of these scenarios seem similar to each other in any way? Despite the various means of receiving the file (seeking out versus being asked, using a search engine, video site or piracy site, etc.) they all have one thing in common: they exploited trust.
When security practitioners talk about downloading files only from reputable websites, it seems that we are often only doing half of the job of educating the public about them, or maybe even a little less, for that matter: we’ve done a far better job of telling people what kind of sites to go to (reputable ones, obviously) without explaining what makes a site safe to download from in the first place. So, without any fanfare, here’s what makes a site reputable to download software from:
- You should only download software direct from the author or publisher’s site, or a site expressly authorized by them.
And… that’s it! In today’s world of software, the publisher’s site could be a bit more flexible than what it historically has been. Yes, it could be a site with the same domain name as the publisher’s site, but it could also be that the files are located on GitHub, SourceForge, hosted on a content delivery network (CDN) operated by a third party, and so forth. That is still the publisher’s site, as it was expressly uploaded by them. Sometimes, publishers provide additional links to additional download sites, too. This is done for a variety of reasons, such as to defray hosting costs, to provide faster downloads in different regions, to promote the software in other parts of the world, etc. These, too, are official download sites because they are expressly authorized by the author or publisher.
There are also sites and services that act as software repositories. SourceForge and GitHub are popular sites for hosting open source projects. For shareware and trial versions of commercial software there are numerous sites that specialize in listing their latest versions for downloading. These download sites act as curators for finding software in one place, which makes it easy to search and discover new software. In some instances, however, they also can have a darker side: Some of these sites place software wrappers around files downloaded from them that can prompt to install additional software besides the program you were looking for. These program bundlers may do things completely unrelated to the software they are attached to and may, in fact, install potentially unwanted applications (PUAs) on to your computer.
When it comes to search engines, interpreting their results can be tricky for the uninitiated, or people who are just plain impatient. While the goal of any search engine—whether it is Bing, DuckDuckGo, Google, Yahoo, or another—is to provide the best and most accurate results, their core businesses often revolve around advertising. This means that the results at the top of the page in the search engine results are often not the best and most accurate results, but paid advertising. Many people do not notice the difference between advertising and search engine results, and criminals will take advantage of this through malvertising campaigns where they buy advertising space to redirect people to websites used for phishing, malware, and other undesirable activities. In some instances, criminals may register a domain name using typosquatting or a different top-level domain than the software publisher’s in order to make their website address less noticeable at first glance.
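The rule above (the publisher's own site, or a host it has expressly authorized) and the typosquatting and different-top-level-domain tricks just described can be checked mechanically before a download link is followed. The following is an added example, not code from the article: the publisher name, domains and GitHub account are constructed, and it assumes simple two-label domains such as name.org.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist for one publisher: its own domain plus hosts it has
# expressly authorized. All names here are constructed for the example.
AUTHORIZED_HOSTS = {"example-editor.org", "downloads.example-editor.org"}
AUTHORIZED_REPOS = {("github.com", "example-editor")}  # (host, account)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss (typosquatted) names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_download_url(url: str) -> str:
    """Return 'authorized', 'lookalike' or 'unknown' for a download link."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    # Plain HTTP cannot prove which server answered, so it is never authorized.
    if parts.scheme != "https" or not host:
        return "unknown"
    if host in AUTHORIZED_HOSTS:
        return "authorized"
    # A shared hosting site only counts when the path is the publisher's account.
    segments = [s for s in parts.path.split("/") if s]
    if segments and (host, segments[0].lower()) in AUTHORIZED_REPOS:
        return "authorized"
    # Compare the last two labels (assumes simple two-label registrable domains).
    name, _, tld = ".".join(host.split(".")[-2:]).rpartition(".")
    for good in AUTHORIZED_HOSTS:
        good_name, _, good_tld = ".".join(good.split(".")[-2:]).rpartition(".")
        if name == good_name and tld != good_tld:
            return "lookalike"  # same name, different top-level domain
        if 0 < edit_distance(name, good_name) <= 2:
            return "lookalike"  # one or two characters off: likely typosquat
    return "unknown"
```

A result of "unknown" is not a verdict of safety; it only means the link is neither on the publisher's list nor an obvious imitation of it.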
In case you are wondering about the safety of Neowin’s Software section, it does not engage in any of this type of disingenuous behavior. All download links either go directly to the publisher’s own files or to their web page, making Neowin a reliable source for downloads. While direct downloading ensures that you get software from the company (or individual) that wrote it, that does not necessarily mean it is free of malware: there have been instances where malicious software was included in a software package, unintentionally or otherwise.
About the malware involved
With all of that in mind, you are probably wondering exactly what the malware did on the affected computers. While there were different families of malware involved, each of which has its own set of actions and behaviors, there were two that stood out because they were repeat offenders that generated many requests for assistance.
- STOP/DJVU is a family of ransomware that seemed to heavily target students. While not all of those affected were targeted in the same fashion, several students reported that the ransomware appeared after pirating commercial VST plugins intended for school or personal projects while at university. This is despite the plugins having been downloaded from “high reputation” torrents shared by long-time users and having dozens or sometimes even hundreds of seeders for that particular magnet link.
Shortly after the software piracy occurred, the students found fairly standard ransomware notes on their desktop. What was unusual about the extortion notes was that instead of asking to be paid tens or hundreds of thousands of dollars, much lower amounts were asked for by the criminals — around $1,000-1,200 USD (in cryptocurrency). But that’s not all: Victims paying within the first 24 hours of notification were eligible for a 50% discount. While the amount being extorted seems very low compared to what criminals targeting businesses ask for, the lower amount may mean a greater likelihood of payment by the victim, especially when faced with such high-pressure tactics.
It is possible that the STOP/DJVU ransomware is marketed as Ransomware-as-a-Service (RaaS), which means its developers lease it out to other criminals in exchange for payment and a share of the profits. Other criminals may be using it as well, but it appears that at least one group has found its sweet spot in targeting students.
And just in case you were wondering: I have never heard of anyone successfully decrypting their files after paying the ransom to the STOP/DJVU criminals. Your best bet at decrypting your files is to back them up in case a decryptor is ever released.
- Redline Stealer, as the name implies, is an information-stealing trojan. Like STOP/DJVU, it appears to be leased out as part of the Criminal software as a Service family of tools. While I have seen multiple reports of it being spread through Discord, since it is “sold” as a service offering, there are likely many criminal gangs distributing it in different fashions for a variety of purposes. In these instances, the victims received direct messages from compromised friends’ accounts asking them to run software that was delivered to them in a password-protected .ZIP file. The criminals even told the victims that if their antivirus software detected anything, it was a false positive alarm and to ignore it.
As far as its functionality goes, Redline Stealer performs some fairly common activities, such as collecting information about the version of Windows the PC is running, username, and time zone. It also collects some information about the environment where it is running, such as display size, the processor, RAM, video card, and a list of programs and processes on the computer. This may be to help determine if it is running in an emulator, virtual machine, or a sandbox, which could be a warning sign to the malware that it is being monitored or reverse engineered. And like other programs of its ilk, it can search for files on the PC and upload them to a remote server (useful for stealing private keys and cryptocurrency wallets), as well as download files and run them.
But the primary function of an information stealer is to steal information, so with that in mind, what exactly does the Redline Stealer go after? It steals credentials from many programs including Discord, FileZilla, Steam, Telegram, various VPN clients (OpenVPN, ProtonVPN), as well as cookies and credentials from web browsers such as Google Chrome, Mozilla Firefox, and their derivatives. Since modern web browsers do not just store accounts and passwords, but credit card info as well, this can pose a significant threat.
Since this malware is used by different criminal gangs, each of them might focus on something slightly different. In these instances, though, the targets were most often Discord, Google, and Steam accounts. The compromised Discord accounts were used to spread the malware to friends. The Google accounts were used to access YouTube and inflate views for certain videos, as well as to upload videos advertising various fraudulent schemes, causing the account to be banned. The Steam accounts were checked for games that had in-game currencies or items which could be stolen or resold. These might seem like odd choices given all the things which can be done with compromised accounts, but for people in their teens, these might be the most valuable online assets they possess.
To summarize, here we have two different types of malware that are sold as services for use by other criminals. In these instances, those criminals seemed to target victims in their teens and early twenties. In one case, they extorted victims for an amount proportional to the sort of funds they might have; in the other case, they targeted their Discord, YouTube (Google), and online games (Steam) accounts. Given the victimology, one has to wonder if these criminal gangs are composed of people in similar age ranges, and chose specific targeting and enticement methods they know would be highly effective against their peers.
Where do we go from here?
Security practitioners advise people to keep their computer’s operating systems and applications up to date, to only use their latest versions, and to run security software from established vendors. And, for the most part, people do that, and it protects them from a wide variety of threats.
But when you start looking for sketchy sources to download from, things can take a turn for the worse. Security software does try to account for human behavior, but so do criminals who exploit concepts such as reputation and trust. When a close friend on Discord asks you to look at a program and warns that your antivirus software may incorrectly detect it as a threat, who are you going to believe, your security software or your friend? Programmatically responding to and defending against attacks on trust, which are essentially types of social engineering, can be very difficult. In the type of scenarios explained here, it is user education and not code that may be the ultimate defense, but that’s only if the security practitioners get the right messaging across.
Disclosure: While Neowin occasionally writes about the author’s employer, Eset, the opinions expressed are those of the author and do not necessarily reflect those of Neowin LLC, its employees, assignees, advertisers or stakeholders.