Fake Malwarebytes Site Used by Malvertising Attack to Spread Raccoon | Tripwire

Fake Malwarebytes Site Used by Malvertising Attack to Spread Raccoon

Posted on April 8, 2020
New Microsoft Spear-Phishing Attack Uses Exact Domain Spoofing Tactic
A malvertising campaign used a copycat website for anti-malware software provider Malwarebytes to distribute the Raccoon infostealer. Malwarebytes learned of the campaign when someone notified the security firm that someone was abusing its brand using the lookalike domain "malwarebytes-free[.]com." Registered on March 29 via REGISTRAR OF DOMAIN NAMES REG.RU LLC, this domain was hosted in Russia at 173.192.139[.]27 at the time of discovery. Researchers at Malwarebytes subsequently examined the source code of the fake website. Through these efforts, they confirmed that someone had stolen the source code of the firm's website. Those actors had then injected a JavaScript snipped into this code that specifically redirected visitors using Internet Explorer to a malicious URL hosting the Fallout exploit kit.
fakepage.png
The fake Malwarebytes website and a view of the code used to redirect visitors to Fallout EK (Source: Malwarebytes) The Fallout exploit code isn't new to the security community. Back in October 2018, for instance, researchers observed that Fallout had become a new distribution method for Kraken ransomware. In this newest campaign, Fallout launched samples of the Raccoon infostealer on a victim's machine. The threat intelligence team at Malwarebytes posited that the individuals behind this campaign could have been some of the same malicious actors whom they've been tracking for months. The security firm observed that some of those attackers had even created other lookalike websites to serve as malvertising gates. With that said, the anti-malware provider admitted in its research that it didn't know how it should respond to attackers using a lookalike website:
There is no question that security companies working with providers and ad networks are hindering efforts and money spent by cybercriminals. We’re not sure if we should take this plagiarism as a compliment or not.
Even so, that didn't stop the firm from contacting the PopCash ad network and reporting the malicious advertiser in order to terminate this malvertising campaign.
Join over 20,000 IT security pros who get our top stories delivered to their inbox every week!