Cracked copies of Microsoft Office and Adobe Photoshop steal your session cookies, browser history, crypto-coins

It's like the 2000s all over again, sighs Bitdefender


Cracked copies of Microsoft Office and Adobe Photoshop are stealing browser session cookies and Monero cryptocurrency wallets from tightwads who install the pirated software, Bitdefender has warned.

As many Reg readers will no doubt be aware, cracked software is a legitimate application that has had its registration or licensing features removed. Often distributed through BitTorrent in the days of yore, cracked software (also known as warez) appeal mainly to freeloaders who are happy to use a particular suite without paying for a licence.

With Microsoft Office and Adobe Photoshop being two of the most popular software suites in their niches, cracked versions were always going to be popular.

Those cracks come with a price, though: Bitdefender discovered that certain versions of both suites were being distributed with malware that stole browser session cookies (or in the case of Firefox, the user's entire profile history), hijacked Monero cryptocurrency wallets, and exfiltrated other data via BitTorrent, having first opened a backdoor on the target machine and turned off its firewall.

"Once executed, the crack drops an instance of ncat.exe (a legitimate tool to send raw data over the network) as well as a TOR proxy," said Bitdefender's Bogdan Botezatu, director of threat research and reporting and security researcher Eduard Budaca in a blog post. A batch file, chknap.bat, was also bundled.

"The tools work together to create a powerful backdoor that communicates through TOR with its command and control center: the ncat binary uses the listening port of the TOR proxy ('--proxy 127.0.0.1:9075') and uses the standard '--exec' parameter, which allows all input from the client to be sent to the application and responses to be sent back to the client over the socket (reverse shell behavior)," said the researchers.

Botezatu, told The Register: "The operators behind this attack take quite some time to analyse the environment they have compromised and decide what is worth stealing. We presume that exfiltration of the Firefox profile directory was opportunistic rather than targeted and that attackers would go for any other browser installed on the device."

Pirates of the dodge-the-fee-an

Jake Moore, a cybersecurity consultant at infosec biz ESET, told us: "As illegal as cracked software is, it is still very much commonplace on both home and work devices which makes this even more worrisome. This rather impressive malware may even hide in plain sight as many cracked versions of software come with protection notifications from their antivirus warning their users of the risks.

"Pirated software is never the way to go, however tempting it may be, as the risks tend to always outweigh the benefits."

Reg readers who are long of tooth and grey of hair might recall our coverage of the warez scene back in the 2000s, which saw various software pirates being arrested and handed prison terms.

In the days before as-a-service business models in the cloud were viable, vendors were entirely reliant on physical media being distributed to end users containing the entire program. Copy protection was an immediate and popular target for crackers, leading to illegitimate copies of otherwise fully functional software being sold for way below the normal asking price.

Licence key generators were another popular line of business for pirates, with ESET's Moore observing that they're often flagged as malware (because they, er, contain baked-in malware) and are therefore quarantined by antivirus, "but due to the user choosing to side with their own knowledge and overriding such warnings" bad things tend to happen to systems whose users trusted such nefarious things.

The rise of aaS produce has squashed, if not wiped out, demand for warez; big vendors have become more adept at ensuring their products only work in the presence of an internet connection where they can phone home to an activation server. ®


Biting the hand that feeds IT © 1998–2021