The threat actors behind the Exorcist 2.0 ransomware are leveraging malicious advertising to redirect victims to fake software crack sites that distribute their malware. According to security researcher Nao_Sec, PopCash malvertising is redirecting users from legitimate sites to the fake software crack sites.
The crack site pretends to offer download links for programs that break copyright protection on different commercial software so that it can be used for free. The downloaded archive contains another password-protected zip file along with a text file that contains the archive's password.
Because the archive is password-protected, the file can be downloaded without being detected by Google Safe Browsing, Microsoft SmartScreen, or installed security software.
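A triage check for the packaging described above, written as an added example and not taken from the article or the researcher: it flags a downloaded archive that bundles an encrypted inner zip with a text file. The file names, the password value, the size cap and the helper names are constructed for illustration, and the sample only sets the encryption flag in the zip header rather than encrypting the data.

```python
import io
import zipfile

ENCRYPTED = 0x1               # general-purpose flag bit 0: entry is encrypted
MAX_INNER = 50 * 1024 * 1024  # assumed cap on how much nested data to unpack

def encrypted_entries(data: bytes) -> list:
    """Names of entries whose header says they need a password."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [i.filename for i in zf.infolist() if i.flag_bits & ENCRYPTED]

def triage(outer: bytes) -> dict:
    """Flag an outer archive holding an encrypted zip next to a text file."""
    found = {"encrypted_inner": [], "text_files": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(outer)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_INNER:
                continue
            if info.filename.lower().endswith(".txt"):
                found["text_files"].append(info.filename)
                continue
            body = zf.read(info)
            # Judge by content, not extension: a nested zip may be renamed.
            if zipfile.is_zipfile(io.BytesIO(body)) and encrypted_entries(body):
                found["encrypted_inner"].append(info.filename)
    found["suspicious"] = bool(found["encrypted_inner"] and found["text_files"])
    return found

def _make_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

def _mark_encrypted(single_entry_zip: bytes) -> bytes:
    # Constructed sample: set flag bit 0 in the central directory record.
    raw = bytearray(single_entry_zip)
    raw[raw.rfind(b"PK\x01\x02") + 8] |= ENCRYPTED
    return bytes(raw)

# Constructed samples: one mimics the described layout, one is benign.
SAMPLE = _make_zip({
    "setup.zip": _mark_encrypted(_make_zip({"setup.exe": b"constructed"})),
    "password.txt": b"EXAMPLE-PASSWORD",
})
BENIGN = _make_zip({"docs.zip": _make_zip({"a.txt": b"x"}), "readme.txt": b"hi"})

if __name__ == "__main__":
    print(triage(SAMPLE))
    print(triage(BENIGN))
```

The result is a heuristic for prioritising analysis, since legitimate software is sometimes shipped the same way.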