
Rewterz Threat Alert – Malvertising Campaign Delivering Fallout Exploit Kit

April 13, 2020

Severity

High

Analysis Summary

Recently, a threat actor created a fake Malwarebytes website that is used as a gate to the Fallout Exploit Kit, which in turn distributes the Raccoon stealer. The domain malwarebytes-free[.]com was registered on March 29 via REGISTRAR OF DOMAIN NAMES REG.RU LLC and is currently hosted in Russia at 173[.]192[.]139[.]27. The fake site, a copy of the legitimate one, is shown in the image below from Malwarebytes Labs. It is distributed via malvertising.

[Image: fakepage.png, the cloned Malwarebytes website]

According to Malwarebytes Labs' analysis, apart from the stolen content, one addition was made to the fake website: a JavaScript snippet that checks the visitor's browser and redirects Internet Explorer users to a malicious URL belonging to the Fallout exploit kit. The fake site is actively used as a gate in a malvertising campaign running through the PopCash ad network, which is used to launch the Raccoon stealer onto victim machines. Some of the IoCs are also linked to ransomware, indicating that they are reused across a variety of malicious campaigns.

Impact

  • Credential theft
  • Theft of sensitive information

Indicators of Compromise

Domain Name

  • malwarebytes-free[.]com

Source IP

  • 31[.]31[.]198[.]161
  • 134[.]209[.]86[.]129
  • 34[.]89[.]159[.]33
  • 173[.]192[.]139[.]27

Remediation

  • Block the threat indicators at their respective controls (DNS, proxy and firewall).
  • With the surge in campaigns impersonating legitimate organizations, always double-check the identity of the website you are visiting.
  • Where possible, type the URL directly or use a bookmarked page or tab rather than following advertisements.
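To act on the first remediation item, a defender needs the indicators above in a form that controls and log searches can consume. The following Python script is an added example (not part of the Rewterz advisory and not code from Malwarebytes Labs): it refangs the advisory's defanged domain and IP indicators into a block list and scans log lines for them, matching the domain and its subdomains while rejecting look-alikes such as a longer registered domain that merely starts with the indicator, and rejecting IPs that only share a suffix. The proxy, DNS and firewall log lines are constructed samples, and their formats are assumptions.

```python
import re
from typing import Dict, Iterable, List, Pattern, Tuple

# Indicators exactly as listed in the advisory (defanged with "[.]").
ADVISORY_IOCS: Dict[str, List[str]] = {
    "domain": ["malwarebytes-free[.]com"],
    "ip": [
        "31[.]31[.]198[.]161",
        "134[.]209[.]86[.]129",
        "34[.]89[.]159[.]33",
        "173[.]192[.]139[.]27",
    ],
}

# Constructed sample log lines (not from the advisory); formats are assumed.
SAMPLE_LOGS: List[str] = [
    # Proxy line: an Internet Explorer user agent reaching the fake site (hit)
    '1586779200.123 10.0.0.15 TCP_MISS/200 4521 GET http://malwarebytes-free.com/ - '
    '"Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"',
    # DNS query for a subdomain of the indicator (hit)
    "Apr 13 10:01:02 ns1 named[123]: client 10.0.0.22#5353: query: cdn.malwarebytes-free.com IN A",
    # The legitimate vendor site (must not hit)
    "1586779201.456 10.0.0.15 TCP_MISS/200 9001 GET https://www.malwarebytes.com/ -",
    # A different registered domain that starts with the indicator (must not hit)
    "Apr 13 10:01:03 ns1 named[123]: client 10.0.0.22#5353: query: malwarebytes-free.com.example IN A",
    # Firewall line: outbound connection to a listed IP (hit)
    "Apr 13 10:02:00 fw1 kernel: OUT src=10.0.0.15 dst=173.192.139.27 proto=TCP dpt=80",
    # An IP that only shares a suffix with 34.89.159.33 (must not hit)
    "Apr 13 10:02:01 fw1 kernel: OUT src=10.0.0.16 dst=134.89.159.33 proto=TCP dpt=443",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into the literal form that appears in logs."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


def blocklist(iocs: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Refanged, sorted indicators per type, ready to load into DNS/proxy/firewall controls."""
    return {kind: sorted(refang(v) for v in values) for kind, values in iocs.items()}


def build_patterns(iocs: Dict[str, List[str]]) -> List[Tuple[str, str, Pattern[str]]]:
    """Compile one anchored regex per indicator so substring look-alikes do not match."""
    patterns = []
    for kind, values in iocs.items():
        for defanged in values:
            literal = re.escape(refang(defanged))
            if kind == "domain":
                # Allow a preceding "." (subdomain) but no other label character,
                # and reject a following ".<label>" (a longer, different domain).
                rx = r"(?<![A-Za-z0-9-])" + literal + r"(?![A-Za-z0-9-])(?!\.[A-Za-z0-9])"
            else:
                # An IP must not be preceded or followed by more octet digits.
                rx = r"(?<![0-9.])" + literal + r"(?![0-9])(?!\.[0-9])"
            patterns.append((kind, defanged, re.compile(rx, re.IGNORECASE)))
    return patterns


def scan_logs(lines: Iterable[str], patterns: List[Tuple[str, str, Pattern[str]]]) -> List[Dict[str, object]]:
    """Return one hit record per (line, indicator) match, keeping the defanged IoC for reporting."""
    hits: List[Dict[str, object]] = []
    for number, line in enumerate(lines, start=1):
        for kind, defanged, rx in patterns:
            if rx.search(line):
                hits.append({"line": number, "kind": kind, "ioc": defanged, "text": line.strip()})
    return hits


def scan_sample_logs() -> List[Dict[str, object]]:
    """Run the advisory's indicators over the constructed sample lines."""
    return scan_logs(SAMPLE_LOGS, build_patterns(ADVISORY_IOCS))


if __name__ == "__main__":
    for kind, values in blocklist(ADVISORY_IOCS).items():
        print(f"{kind} block list: {', '.join(values)}")
    for hit in scan_sample_logs():
        print(f"line {hit['line']}: {hit['kind']} {hit['ioc']} -> {hit['text']}")
```

Run as-is it prints the block list and three hits (the proxy request, the DNS query for the subdomain, and the firewall connection); the legitimate malwarebytes.com request, the longer look-alike domain and the IP that merely ends in the indicator's octets stay silent. Keeping the defanged form in each hit record means the report can be pasted into a ticket without turning the indicator into a live link.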