Copycat criminals are abusing the Malwarebytes brand in a malvertising campaign.

This fake, copycat Malwarebytes website was set up by cybercriminals to distribute malware in a malvertising campaign. We examine the campaign and the criminals' motives.

While exploit kit activity has been fairly quiet for some time now, we recently discovered a threat actor creating a copycat (fake) Malwarebytes website that was used as a gate to the Fallout EK, which distributes the Raccoon stealer.

The few malvertising campaigns that remain are often found on second- and third-tier adult sites, leading to the Fallout or RIG exploit kits, as a majority of threat actors have moved on to other distribution vectors. However, we believe this fake Malwarebytes malvertising campaign could be payback for our continued work with ad networks to track, report, and dismantle such attacks.

In this blog, we break down the attack and possible motives.

Stolen template contains malicious code

A few days ago, we were alerted about a copycat domain name that abused our brand. The domain malwarebytes-free[.]com was registered on March 29 via REGISTRAR OF DOMAIN NAMES REG.RU LLC and is currently hosted in Russia at 173.192.139[.]27.

Examining the source code, we can confirm that someone stole the content from our original site but added something extra.

A JavaScript snippet checks which kind of browser you are running, and if it happens to be Internet Explorer, you are redirected to a malicious URL belonging to the Fallout exploit kit.
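
As an added example (not code from the Malwarebytes post), the following Python heuristic is one way a defender could scan fetched page source for the pattern described above: an inline script that sniffs for Internet Explorer and then redirects the visitor. The sample pages and the redirect destination are constructed placeholders, not indicators from this report.

```python
import re

# Constructed sample: a template copied from a legitimate site, with an
# added script that sends only Internet Explorer visitors elsewhere.
# The destination is a placeholder, not an indicator from the report.
SUSPECT_PAGE = """
<html><head><title>Free Download</title>
<script>
var ua = navigator.userAgent;
if (ua.indexOf("MSIE") !== -1 || ua.indexOf("Trident/") !== -1) {
    window.location.href = "http://gate.example.invalid/landing";
}
</script></head><body><h1>Download</h1></body></html>
"""

# Constructed control: same template, no browser gating at all.
CLEAN_PAGE = """
<html><head><title>Free Download</title>
<script>document.getElementById('x');</script>
</head><body><h1>Download</h1></body></html>
"""

# Three signals that together characterise an IE-only gate:
# 1) the script inspects the browser identity,
UA_PROBE = re.compile(r"navigator\.userAgent|navigator\.appName|document\.documentMode", re.I)
# 2) it looks specifically for Internet Explorer markers,
IE_TOKEN = re.compile(r"MSIE|Trident/|ActiveXObject", re.I)
# 3) it changes the location (assignment, .href or .replace()).
REDIRECT = re.compile(r"(?:window\.|document\.)?location(?:\.href|\.replace\s*\(|\s*=)", re.I)
DEST = re.compile(r'location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)

def find_ie_gates(html):
    """Return (script_index, destination_or_None) for every inline <script>
    that sniffs for Internet Explorer and also performs a redirect."""
    findings = []
    scripts = re.findall(r"<script[^>]*>(.*?)</script>", html, re.I | re.S)
    for i, body in enumerate(scripts):
        if UA_PROBE.search(body) and IE_TOKEN.search(body) and REDIRECT.search(body):
            m = DEST.search(body)
            findings.append((i, m.group(1) if m else None))
    return findings

if __name__ == "__main__":
    for name, page in (("suspect", SUSPECT_PAGE), ("clean", CLEAN_PAGE)):
        print(name, find_ie_gates(page))
```

A hit only says the page gates on Internet Explorer; confirming the destination as an exploit kit landing still needs the redirect target to be resolved and examined.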

Infection chain for copycat campaign

This fake Malwarebytes site is actively used as a gate in a malvertising campaign via the PopCash ad network, which we contacted to report the malicious advertiser.

Fallout EK is one of the newer (or perhaps last) exploit kits that is still active in the wild. In this sequence, it is used to launch the Raccoon stealer onto victim machines.

A motive behind decoy pages

The threat actor behind this campaign may be tied to others we have been tracking for a few months. They have used similar fake copycat templates before that act as gates. For example, this fake Cloudflare domain (popcashexhange[.]xyz) also plays on the PopCash name:

There is no question that security companies working with providers and ad networks are hindering the efforts and money spent by cybercriminals. We are not sure whether we should take this plagiarism as a compliment or not.

If you are an existing Malwarebytes user, you were already protected from this malvertising campaign, thanks to our anti-exploit protection.

Copycat techniques have long been used by scammers and other criminals to dupe online and offline victims. As always, it is better to double-check the identity of the website you are visiting and, if in doubt, access it directly, either by typing in the URL or via a bookmarked page/tab.

Indicators of compromise

Fake Malwarebytes site

malwarebytes-free[.]com
31.31.198[.]161

Fallout EK

134.209.86[.]129

Raccoon Stealer

78a90f2efa2fdd54e3e1ed54ee9a18f1b91d4ad9faedabd50ec3a8bb7aa5e330
34.89.159[.]33
