We recently found a website that purportedly offers cracks for numerous applications, but in reality serves malicious files to its unsuspecting users.
The website, hxxp://{BLOCKED}ck.com, is allegedly owned by an organization called China.United Telecom. Corp. The website supposedly offers a wide collection of cracks for different applications. However, attempting to download any of these files always leads to the same page (Figure 2).
Clicking the Download button downloads a .ZIP file onto the user’s system. The .ZIP file contains two files, both of which are malicious:

Trend Micro detects the files as TROJ_DLOADER.ZTN. TROJ_DLOADER.ZTN downloads TROJ_AGENT.INC and TROJ_DLOADR.AOP, which in turn connect to URLs to download more malicious files.
The .ZIP file is actually hosted on another domain, hxxp://{BLOCKED}-in.in.

Accessing the top domain where the .ZIP file is hosted leads to a landing page informing the user that the website is already suspended for violation of terms of service. However, it seems that directly linking to the file, regardless of the alleged suspension, ensures a successful download of any file hosted on the site.

Apparently, the suspension did not stop cybercriminals from using the website’s directory as a malware repository for other attacks. Either that, or this might only be a guise used by criminals to hide the website’s real purpose. The Smart Protection Network, however, stops this threat from affecting users’ systems by blocking related malicious URLs and detecting malicious files.
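The pattern described above (a landing page on one domain, the .ZIP served by direct link from a second domain) can be hunted for in web proxy logs. The following is an added example, not part of the original post or any Trend Micro tooling; the tab-separated log format, the `.example` hostnames and all function names are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed proxy log lines (tab-separated): client, URL, status, content type, referer.
# Hostnames use the reserved .example TLD; none come from the original post.
SAMPLE_LOG = """\
10.0.0.5\thttp://cracks.example/app-crack.html\t200\ttext/html\t-
10.0.0.5\thttp://files.example/dl/setup.zip\t200\tapplication/zip\thttp://cracks.example/app-crack.html
10.0.0.7\thttp://files.example/\t200\ttext/html\t-
10.0.0.9\thttp://vendor.example/releases/tool.zip\t200\tapplication/zip\thttp://vendor.example/downloads
"""

ARCHIVE_TYPES = {"application/zip", "application/x-zip-compressed"}

def parse(log):
    """Yield one dict per non-empty log line."""
    for line in log.splitlines():
        if not line.strip():
            continue
        client, url, status, ctype, referer = line.split("\t")
        yield {"client": client, "url": url, "status": int(status),
               "ctype": ctype.lower(), "referer": None if referer == "-" else referer}

def host(url):
    return (urlsplit(url).hostname or "").lower()

def is_archive(rec):
    """A successful response that is a ZIP by content type or by file extension."""
    path = urlsplit(rec["url"]).path.lower()
    return rec["status"] == 200 and (rec["ctype"] in ARCHIVE_TYPES or path.endswith(".zip"))

def cross_host_archive_downloads(log):
    """Return (client, landing host, file host, url) for archives served off-site."""
    hits = []
    for rec in parse(log):
        if not is_archive(rec) or rec["referer"] is None:
            continue
        landing, serving = host(rec["referer"]), host(rec["url"])
        # The file host's own root page (third sample line) is ignored on purpose:
        # a suspension notice there does not mean deep links stopped serving files.
        if landing and landing != serving:
            hits.append((rec["client"], landing, serving, rec["url"]))
    return hits

if __name__ == "__main__":
    for hit in cross_host_archive_downloads(SAMPLE_LOG):
        print(hit)
```

Legitimate sites also serve downloads from separate hosts such as CDNs, so treat a hit as a triage signal to correlate with URL reputation and file detections rather than as a verdict.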





