Beware: Fake 7-Zip Site Pushes Malware-Laden Installer

Summary
– A fake website impersonating the legitimate 7-Zip project is distributing a trojanized installer that turns a user’s computer into a residential proxy node for malicious traffic routing.
– The malicious installer, which still provides the real 7-Zip tool, drops files that create a persistent system service and modifies firewall rules to allow network connections.
– The malware profiles the infected system and sends the data to a remote server, with its primary function being to enroll the host as a proxy node using obfuscated communications.
– This campaign is broader than just 7-Zip, also using trojanized installers for other popular software like HolaVPN, TikTok, WhatsApp, and Wire VPN.
– Users are advised to avoid downloading software from links in videos or search ads and instead bookmark official download sites to prevent infection.

A malicious website posing as the official source for the popular 7-Zip archiving software is actively distributing a trojanized installer. This fake installer covertly transforms a user’s computer into a residential proxy node, allowing attackers to route internet traffic through the victim’s connection. This tactic is commonly used to evade security blocks and conduct malicious activities like credential theft and phishing campaigns.
The fraudulent site, located at 7zip[.]com, was identified after a user reported downloading a harmful file while following a YouTube tutorial. The site cleverly mimics the look and text of the legitimate 7-Zip project at 7-zip.org, making it easy for unsuspecting visitors to be deceived. Security researchers at Malwarebytes analyzed the installer and found it was digitally signed with a now-revoked certificate.
While the installer does provide a functional version of the 7-Zip program, it secretly deploys three malicious components into the system. These files are placed in a specific Windows directory and configured to run automatically as a system service. The malware also modifies firewall rules to permit unrestricted network access for these files.
A key function of this threat is to profile the infected computer, gathering detailed information about its hardware and network setup. This data is then transmitted to a remote logging service. The primary goal is not to act as a traditional backdoor, but to enroll the compromised machine into a proxy network. This allows third parties to route their web traffic through the victim’s IP address, masking the origin of potentially malicious actions.
The malicious software communicates with a rotating set of command-and-control servers, using obfuscated messages to hide its activity. It also resolves its domains over DNS-over-HTTPS, so the lookups do not appear in conventional DNS logs and are harder for network monitoring tools to spot. Furthermore, the malware contains checks to detect whether it is running in a virtual machine or under analysis, a common tactic to hinder security research.
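The host-level behaviours described above (an auto-starting service, firewall allow-rules for the dropped files, and an installer whose certificate no longer validates) can all be surfaced with built-in Windows tooling. The following PowerShell triage script is an added example, not code from the article or from Malwarebytes. The article names no file paths, service names or hashes, so the script does not match a known sample; it lists candidates for an analyst to review. The 7-Zip install directories, the seven-day recency window for service binaries, and the rule of treating any signature status other than `Valid` as worth a second look are assumptions.

```powershell
# Added triage script: reports (1) auto-start services whose binary was written
# recently, (2) enabled firewall allow-rules bound to a specific program, and
# (3) the Authenticode state of 7-Zip executables in the default install roots.
# Run in an elevated PowerShell session. Thresholds and paths are assumptions.

param(
    [int]$RecentDays = 7   # assumption: how recent a service binary must be to be listed
)

$cutoff = (Get-Date).AddDays(-$RecentDays)

# Pull the executable path out of a service's PathName, which may be quoted
# ("C:\dir\svc.exe" -arg) or bare (C:\dir\svc.exe -arg).
function Get-ServiceBinaryPath {
    param([string]$PathName)
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($PathName -split '\s+')[0]
}

Write-Host "== Auto-start services whose binary was written after $cutoff =="
Get-CimInstance Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' } |
    ForEach-Object {
        $bin = Get-ServiceBinaryPath $_.PathName
        if ($bin -and (Test-Path -LiteralPath $bin)) {
            $file = Get-Item -LiteralPath $bin
            if ($file.LastWriteTime -gt $cutoff) {
                $sig = Get-AuthenticodeSignature -FilePath $bin
                [pscustomobject]@{
                    Service = $_.Name
                    Binary  = $bin
                    Written = $file.LastWriteTime
                    SigStatus = $sig.Status
                    Signer  = $sig.SignerCertificate.Subject
                }
            }
        }
    } | Format-Table -AutoSize

Write-Host "== Enabled firewall allow-rules that name a specific program =="
Get-NetFirewallRule -Enabled True -Action Allow |
    ForEach-Object {
        $rule = $_
        $app  = $rule | Get-NetFirewallApplicationFilter
        # Rules scoped to 'Any' program are ordinary; a rule tied to one binary
        # in an unusual location is what the article's behaviour would produce.
        if ($app.Program -and $app.Program -ne 'Any') {
            [pscustomobject]@{
                Rule      = $rule.DisplayName
                Direction = $rule.Direction
                Profile   = $rule.Profile
                Program   = $app.Program
            }
        }
    } | Format-Table -AutoSize

Write-Host "== Signature state of 7-Zip executables in the default install roots =="
# Assumption: the default install directories; adjust for portable installs.
$roots = @("$env:ProgramFiles\7-Zip", "${env:ProgramFiles(x86)}\7-Zip")
$roots |
    Where-Object { Test-Path -LiteralPath $_ } |
    ForEach-Object { Get-ChildItem -LiteralPath $_ -Filter *.exe } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File   = $_.FullName
            Status = $sig.Status          # anything other than Valid merits review
            Signer = $sig.SignerCertificate.Subject
            Detail = $sig.StatusMessage
        }
    } | Format-Table -AutoSize
```

The signature section reports the signer subject alongside the status so the analyst can compare it against what they expect for the software; note that `Get-AuthenticodeSignature` reports the local chain-validation result, and whether a revoked certificate shows as a non-`Valid` status depends on the host's revocation-checking configuration, so a signer name that does not match the expected publisher is the more reliable signal.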
This campaign extends beyond just impersonating 7-Zip. Investigators have linked the same threat actor to trojanized installers for other well-known applications, including HolaVPN, TikTok, WhatsApp, and Wire VPN. The infrastructure uses themed domain names and leverages services like Cloudflare to obscure traffic.
To protect against such threats, users should be extremely cautious when downloading software. Avoid clicking on links from video tutorials or promoted search results. The safest practice is to directly bookmark and use the official download portals for any software you regularly install. Always verify the website’s URL matches the legitimate project’s known address before proceeding with any download.
(Source: Bleeping Computer)