High
Recently, a threat actor created a fake Malwarebytes website that was used as a gate to the Fallout Exploit Kit, which distributes the Raccoon stealer. The domain malwarebytes-free[.]com was registered on March 29 via REGISTRAR OF DOMAIN NAMES REG.RU LLC and is currently hosted in Russia at 173.192.139[.]27. Below is an image from Malwarebytes Labs showing the copied website. The fake site was promoted via malvertising.
According to the Malwarebytes Labs analysis, the fake website is not just stolen content: a JavaScript snippet was added that checks the visitor's browser and redirects Internet Explorer users to a malicious URL belonging to the Fallout exploit kit. This fake Malwarebytes site is actively used as a gate in a malvertising campaign running through the PopCash ad network, with the Fallout exploit kit launching the Raccoon stealer onto victim machines. Some of the IoCs are also linked to ransomware, indicating that this infrastructure is reused across a variety of malicious campaigns.
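The gate behaviour described above (an inline script that tests for Internet Explorer and then redirects) can be hunted for in captured page content. The following Python script is an added example for this advisory, not code from Malwarebytes Labs; the marker and redirect patterns are an assumed heuristic, and the embedded HTML is constructed sample data with a placeholder URL, not the real gate page.

```python
import re
from html.parser import HTMLParser

# Assumed heuristic: strings a gate script typically uses to single out Internet Explorer.
IE_MARKERS = re.compile(r"MSIE|Trident/|documentMode|ActiveXObject|@cc_on", re.I)
# Assumed heuristic: common ways a script sends the browser to another URL.
REDIRECT = re.compile(
    r"(window\.|document\.)?location(\.href|\.replace\(|\.assign\(|\s*=)", re.I)


class _ScriptCollector(HTMLParser):
    """Collect the bodies of all inline <script> elements in a page."""

    def __init__(self):
        super().__init__()
        self._in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data


def find_ie_gate_scripts(html):
    """Return inline scripts that BOTH fingerprint Internet Explorer AND redirect.

    Requiring both conditions avoids flagging ordinary IE-compatibility code
    that only shows a notice or adjusts layout.
    """
    parser = _ScriptCollector()
    parser.feed(html)
    return [s for s in parser.scripts if IE_MARKERS.search(s) and REDIRECT.search(s)]


# Constructed sample page: one benign IE check, one gate-style conditional redirect.
SAMPLE_PAGE = r"""<html><body><div id="notice" style="display:none">Old browser</div>
<script>
  // benign: shows a compatibility banner, never navigates away
  if (/Trident\//.test(navigator.userAgent)) { document.getElementById('notice').style.display = 'block'; }
</script>
<script>
  // constructed gate-style snippet; placeholder URL, not an indicator from the advisory
  var ua = navigator.userAgent;
  if (ua.indexOf('MSIE') !== -1 || ua.indexOf('Trident/') !== -1) {
    window.location.href = 'hxxp://gate.example.invalid/landing';
  }
</script>
</body></html>"""
```

Run `find_ie_gate_scripts` over saved copies of suspicious landing pages (or proxy-captured HTML) and review any hit by hand, since the heuristic flags the pattern, not a specific campaign.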
Domain Name: malwarebytes-free[.]com
Source IP