Copycat criminals are abusing the Malwarebytes brand in a malvertising campaign.
This fake, copycat Malwarebytes website was set up by cybercriminals to distribute malware in a malvertising campaign. We examine the campaign and the criminals' motives.
While exploit kit activity has been fairly quiet for a while now, we recently discovered a threat actor creating a copycat (fake) Malwarebytes website that was used as a gate to the Fallout EK, which distributes the Raccoon stealer.
The few malvertising campaigns that remain are usually found on second- and third-tier adult sites, leading to the Fallout or RIG exploit kits, as the majority of threat actors have moved on to other distribution vectors. However, we believe this fake Malwarebytes malvertising campaign could be payback for our continued work with ad networks to track, report, and dismantle such attacks.
In this blog, we break down the attack and possible motives.
Stolen template contains malicious code
A few days ago, we were alerted about a copycat domain name that abused our brand. The domain malwarebytes-free[.]com was registered on March 29 via REGISTRAR OF DOMAIN NAMES REG.RU LLC and is currently hosted in Russia at 173.192.139[.]27.
Analyzing the source code, we can confirm that someone stole the content from our original site but added something extra.
Infection chain for the copycat campaign
This fake Malwarebytes site is actively used as a gate in a malvertising campaign via the PopCash ad network, which we contacted to report the malicious advertiser.
Fallout EK is one of the newer (or perhaps last) exploit kits that is still active in the wild. In this sequence, it is used to launch the Raccoon stealer onto victim machines.
A motive behind decoy pages
The threat actor behind this campaign may be tied to others we have been monitoring for a few months. They have used similar fake copycat templates before that act as gates. For example, this fake Cloudflare domain (popcashexhange[.]xyz) also plays on the PopCash name:
There is no question that security companies working with providers and ad networks are hindering the efforts and money spent by cybercriminals. We are not sure whether we should take this plagiarism as a compliment or not.
If you are an existing Malwarebytes user, you were already protected from this malvertising campaign, thanks to our anti-exploit protection.
Copycat tactics have long been used by scammers and other criminals to dupe online and offline victims. As always, it is better to double-check the identity of the website you are visiting and, if in doubt, access it directly either by typing in the URL or via a bookmarked page/tab.
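As an added, defender-side example that is not from the original post: a small Python scanner that flags domains built on a protected brand name, run over the two gate domains named above (malwarebytes-free[.]com and popcashexhange[.]xyz). The brand list, the allowlist of legitimate domains and the edit-distance threshold are assumptions for this example.

```python
import re

# Brands the post shows being impersonated, each mapped to the registrable domains a
# defender treats as legitimate. This allowlist is constructed for the example.
PROTECTED = {
    "malwarebytes": {"malwarebytes.com"},
    "popcash": {"popcash.net"},
}

def refang(indicator):
    """Normalise a defanged indicator such as 'malwarebytes-free[.]com'."""
    return indicator.strip().lower().replace("[.]", ".").replace("(.)", ".")

def registrable(domain):
    """Keep the last two labels; fine for .com/.net/.xyz, not for ccSLDs like .co.uk."""
    return ".".join(domain.split(".")[-2:])

def edit_distance(a, b):
    """Plain Levenshtein distance, enough to catch single-typo squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(indicator):
    """Return the brand a domain impersonates, or None if it is legitimate or unrelated."""
    reg = registrable(refang(indicator))
    if any(reg in allowed for allowed in PROTECTED.values()):
        return None                                   # the real site, never flag it
    sld = reg.split(".")[0]
    for brand in PROTECTED:
        if brand in sld:                              # brand plus filler: 'malwarebytes-free'
            return brand
        # typo-squat such as 'malwarebyts'; threshold 2 is a tuning choice, noisy for short brands
        if edit_distance(re.sub(r"[^a-z0-9]", "", sld), brand) <= 2:
            return brand
    return None

def scan(indicators):
    """Map each flagged indicator to the brand it impersonates."""
    hits = {}
    for ind in indicators:
        brand = classify(ind)
        if brand:
            hits[ind] = brand
    return hits

# Constructed sample: the two gate domains named in the post plus benign noise.
SAMPLE = ["malwarebytes-free[.]com", "popcashexhange[.]xyz", "malwarebytes.com", "example.com"]
```

Calling `scan(SAMPLE)` flags only the two gate domains; the brand's own domain and unrelated names pass.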