# Malware Masquerades as Privacy Tool **[proofpoint.com/us/blog/threat-insight/malware-masquerades-privacy-tool](https://www.proofpoint.com/us/blog/threat-insight/malware-masquerades-privacy-tool)** July 1, 2021 ----- [Blog](https://www.proofpoint.com/us/blog) [Threat Insight](https://www.proofpoint.com/us/blog/threat-insight) Malware Masquerades as Privacy Tool ----- July 01, 2021 Selena Larson and Bryan Campbell ## Key Findings Threat actors created a detailed, legitimate looking “Privacy Tools” website to trick victims into downloading malware. The Privacy Tools site purports to offer file protection via encryption and decryption services but leads to the installation of multiple malware families. Smoke Loader is downloaded first as the malicious executable which drops follow-on malware including Racoon Stealer and RedLine malware. ## Overview Proofpoint researchers found a new threat enticing users to download malware by masquerading as a “Privacy Tools” service offering a tool that “encrypts” user data using a zip-like utility. The fake website is professional-looking and contains detailed descriptions of the alleged service including step-by-step instructions on how to download the privacy tools – which turn out to be malware. Proofpoint researchers identified the initial payload as Smoke Loader, a popular downloader available on easily accessible forums for buying and selling malware and used by multiple threat actors. The malware subsequently installs follow-on data-stealing malware including Raccoon Stealer and RedLine. While investigating the observed campaign, Proofpoint [identified additional related samples publicly shared by other researchers since March 2021.](https://twitter.com/pmmkowalczyk/status/1369647346997469186) The privacy theme is ironic considering the ultimate payload is designed to exfiltrate information from an infected host. However, it may appeal to users who are concerned about data sharing and privacy – a number that is likely increasing due to the recent mainstream [marketing of user-focused privacy controls from major companies like Apple.](https://www.npr.org/2021/04/26/990943261/apple-rolls-out-major-new-privacy-protections-for-iphones-and-ipads) ## Campaign Details ----- The threat actors created a website offering privacy tools for business and personal use. _Figure 1: Screenshot of “Privacy Tools” website._ Visitors are instructed to download and install Privacy Tools software via a specific section of the website. ----- _Figure 2: Screenshot of the Privacy Tools download instructions._ The compressed executables available for download purport to be file protection resources. The website actually downloads Smoke Loader, a modular downloader with multiple capabilities. Smoke Loader first appeared in 2011 and is available for purchase on criminal forums. It is commonly used by threat actors that target both individual and corporate users. Proofpoint researchers observed that the Smoke Loader infection subsequently downloads follow-on malware to conduct information-gathering activities. Identified second-stage [payloads include RedLine and Raccoon Stealer malware. Additional security researchers](https://twitter.com/pmmkowalczyk/status/1369647346997469186) noticed this activity in 2021 along with Proofpoint observations. Raccoon Stealer is an increasingly popular malware that first appeared in 2019. It was [advertised as a “malware as a service” on cybercriminal forums. It can steal credentials such](https://blog.cyberint.com/raccoon-stealer) as passwords, website cookies, credit card data, system information, and bitcoin wallet contents. RedLine Stealer is a malware that aims to steal information from browsers such as ----- login, autocomplete, passwords, and credit cards. It also collects information about the user and their system, such as the username, location, hardware configuration, and installed security software. An [update to](https://bartblaze.blogspot.com/2021/06/digital-artists-targeted-in-redline.html) [RedLine Stealer in early 2021 also added the ability to steal](https://www.proofpoint.com/uk/threat-insight/post/new-redline-stealer-distributed-using-coronavirus-themed-email-campaign) cryptocurrency cold wallets. Proofpoint does not attribute the activity to a specific group. One IP address identified in this campaign is associated with OpenNIC, a public service used for resolving certain types of domains that provides alternatives to domains not administered by ICANN. The privacythemed websites delivering Smoke Loader in this campaign were registered by ssserviceshop1@yandex[.]ru via Registrar of Domain Names REG[.]ru, LLC. Multiple other privacy-themed domains and C2 IPs were also registered with the same email address and registrar. **_[Analyst Note:Previous research published in May 2020 attributed a Smoke Loader-related](https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part3/)_** _domain registered with the same email and URL naming conventions as observed in this_ _campaign to TA505. Proofpoint cannot confirm the veracity of that reporting. There is no_ _available evidence to attribute the observed activity in the privacy-themed campaigns to_ _TA505._ ## Conclusion The use of a privacy-themed lure to download information-stealing malware is an ironic yet predatory mechanism for enticing users to download malware. The lure is likely effective as the threat actors behind the campaign appear to have taken considerable time and effort to design a legitimate-looking privacy tool. Based on additional indicators uncovered, it is likely this threat actor is conducting – and has previously conducted – similar campaigns using privacy themes and convincing lures to distribute Smoke Loader and follow-on malware. Proofpoint anticipates this type of theme and activity to continue, especially for consumers who do not have corporate privacy and security services already installed on their hosts. Indicators of Compromise (IOCs) Observed in Identified Smoke Loader Campaign **IOC** **IOC Type** **Description** privacytools[.]xyz Domain Website hosting fake privacy tool download privacytoolsforyou[.]site Domain Website hosting fake privacy tool download ----- privacmytools[.]site Domain Website hosting fake privacy tool download http://999080321newfolder1002002131service1002[.]space/ http://999080321newfolder1002002231service1002[.]space/ http://999080321newfolder3100231service1002[.]space/ http://999080321newfolder1002002431service1002[.]space/ http://999080321newfolder1002002531service1002[.]space/ http://999080321newfolder33417012425999080321[.]space/ http://999080321test125831service10020125999080321[.]space/ http://999080321test136831service10020125999080321[.]space/ http://999080321test147831service10020125999080321[.]space/ http://999080321test146831service10020125999080321[.]space/ http://999080321test134831service10020125999080321[.]space/ http://999080321est213531service1002012425999080321[.]ru/ URL C2 URL C2 URL C2 URL C2 URL C2 URL C2 URL C2 URL C2 URL C2 URL C2 URL C2 URL C2 ----- http://999080321yes1t3481service10020125999080321[.]ru/ http://999080321test13561service10020125999080321[.]su/ http://999080321test14781service10020125999080321[.]info/ http://999080321test13461service10020125999080321[.]net/ http://999080321test15671service10020125999080321[.]tech/ http://999080321test12671service10020125999080321[.]online/ http://999080321utest1341service10020125999080321[.]ru/ http://999080321uest71service100201dom25999080321[.]ru/ http://999080321test61service10020125999080321[.]website/ http://999080321test51service10020125999080321[.]xyz/ http://999080321test41service100201pro25999080321[.]ru/ http://999080321yest31service100201rus25999080321[.]ru/ http://999080321rest21service10020125999080321[.]eu/ URL C2 URL C2 URL C2 URL C2 URL C2 URL C2 URL C2 URL C2 URL C2 URL C2 URL C2 URL C2 URL C2 ----- http://999080321test11service10020125999080321[.]press/ http://999080321newfolder4561service10020125999080321[.]ru/ http://999080321rustest213service10020125999080321[.]ru/ http://999080321test281service10020125999080321[.]ru/ http://999080321test261service10020125999080321[.]space/ http://999080321yomtest251service10020125999080321[.]ru/ http://999080321yirtest231service10020125999080321[.]ru/ http://999080321test391service10020125999080321[.]ru/ http://999080321test481service10020125999080321[.]ru/ http://999080321test571service10020125999080321[.]pro/ http://999080321test461service10020125999080321[.]host/ http://999080321test231service10020125999080321[.]fun/ http://999080321tostest371service10020125999080321[.]ru/ URL C2 URL C2 URL C2 URL C2 URL C2 URL C2 URL C2 URL C2 URL C2 URL C2 URL C2 URL C2 URL C2 ----- http://999080321oopoest361service10020125999080321[.]ru/ http://999080321newfolder481service10020125999080321[.]ru/ http://999080321newfolder471service10020125999080321[.]ru/ http://999080321newfolder351service10020125999080321[.]ru/ http://999080321newfolder241service10020125999080321[.]ru/ http://999080321newfolder1002service100201shop25999080321[.]ru/ http://999080321newfolder1002service100201life25999080321[.]ru/ http://999080321newfolder1002service100201blog25999080321[.]ru/ http://999080321megatest251service10020125999080321[.]ru/ http://999080321infotest341service10020125999080321[.]ru/ http://999080321besttest971service10020125999080321[.]ru/ http://999080321shoptest871service10020125999080321[.]ru/ http://999080321kupitest451service10020125999080321[.]ru/ URL C2 URL C2 URL C2 URL C2 URL C2 URL C2 URL C2 URL C2 URL C2 URL C2 URL C2 URL C2 URL C2 ----- http://999080321proftest981service10020125999080321[.]ru/ http://999080321clubtest561service10020125999080321[.]ru/ http://999080321mytest151service1002012425999080321[.]ru/ http://999080321newfoldert161service1002012425999080321[.]ru/ http://999080321newfolder100251service25999080321[.]ru/ http://999080321newfolder100241service10020999080321[.]ru/ http://999080321newfolder100231service1022020[.]ru/ http://999080321newfolder100221service1022020[.]ru/ http://999080321newfolder1002012525999080321[.]ml/ http://999080321newfolder1002012625999080321[.]ga/ http://999080321newfolder1002012725999080321[.]cf/ http://999080321newfolder1002012825999080321[.]gq/ http://999080321newfolder1002012925999080321[.]com/ URL C2 URL C2 URL C2 URL C2 URL C2 URL C2 URL C2 URL C2 URL C2 URL C2 URL C2 URL C2 URL C2 ----- http://999080321newfolder100201302599908032135[.]site/ http://999080321newfolder100201312599908032135[.]site/ http://999080321newfolder100201322599908032135[.]site/ http://999080321newfolder100201332599908032135[.]site/ http://999080321newfolder100201342599908032135[.]site/ http://999080321newfolder100201352599908032135[.]site/ http://999080321newfolder100201362599908032135[.]site/ http://999080321newfolder100201372599908032135[.]site/ http://999080321newfolder100201382599908032135[.]site/ http://999080321newfolder100201392599908032135[.]site/ http://999080321newfolder100201402599908032135[.]site/ http://999080321newfolder100201412599908032135[.]site/ http://999080321newfolder100201422599908032135[.]site/ URL C2 URL C2 URL C2 URL C2 URL C2 URL C2 URL C2 URL C2 URL C2 URL C2 URL C2 URL C2 URL C2 ----- http://999080321newfolder100201432599908032135[.]site/ http://999080321newfolder100201442599908032135[.]site/ http://999080321newfolder100201452599908032135[.]site/ http://999080321newfolder100201462599908032135[.]site/ http://999080321newfolder100201472599908032135[.]site/ http://999080321newfolder100201482599908032135[.]site/ http://999080321newfolder100201492599908032135[.]site/ http://999080321newfolder100201502599908032135[.]site/ http://999080321newfolder100201512599908032135[.]site/ http://999080321newfolder100201522599908032135[.]site/ http://999080321newfolder100201532599908032135[.]site/ http://999080321newfolder100201542599908032135[.]site/ http://999080321newfolder100201552599908032135[.]site/ URL C2 URL C2 URL C2 URL C2 URL C2 URL C2 URL C2 URL C2 URL C2 URL C2 URL C2 URL C2 URL C2 ----- 192[.]71[.]245[.]208 IP DNS 91[.]217[.]137[.]37 IP DNS 172[.]104[.]136[.]243 IP DNS 176[.]126[.]70[.]119 IP DNS 94[.]103[.]153[.]176 IP DNS 161[.]97[.]219[.]84 IP DNS 207[.]192[.]71[.]13 IP DNS 188[.]226[.]146[.]136 IP DNS 178[.]63[.]116[.]152 IP DNS 13[.]239[.]157[.]177 IP DNS 0xa8e21be SendRC4Key RSA Encryption Key 0x8fc93161 RecvRC4Key RSA Encryption Key Subscribe to the Proofpoint Blog -----