Rewterz Threat Alert – Covid-19 Malicious URLs
April 13, 2020Rewterz Threat Alert – WooCommerce Falling Victim to Fresh Card-Skimmer Malware
April 13, 2020Severity
High
Analysis Summary
Recently, a threat actor created a fake Malwarebytes website that was used as a gate to the Fallout Exploit Kit, which distributes the Raccoon stealer. The domain malwarebytes-free[.]com was registered on March 29 via REGISTRAR OF DOMAIN NAMES REG.RU LLC and is currently hosted in Russia at 173.192.139[.]27. Below is an image from Malwarebytes lab that shows the fake copied website. It was distributed via malvertising.
As per Malwarebytes lab’s analysis, apart from stolen content, an addition was made to the fake website; a JavaScript snippet that checks browsers to redirect Internet Explorer users to a malicious URL belonging to the Fallout exploit kit. This fake Malwarebytes site is actively used as a gate in a malvertising campaign via the PopCash ad network, used to launch the Raccoon stealer onto victim machines. Some of the IoCs are also linked to ransomware, indicating their frequent usage in a variety of malicious campaigns.
Impact
- Credential theft
- Theft of sensitive information
Indicators of Compromise
Domain Name
malwarebytes-free[.]com
Source IP
- 31[.]31[.]198[.]161
- 134[.]209[.]86[.]129
- 34[.]89[.]159[.]33
- 173[.]192[.]139[.]27
Remediation
- Block the threat indicators at their respective controls.
- With a surge in campaigns impersonating legitimate organizations, always double-check the identity of the website you are visiting.
- Where possible, type the URL or use bookmarked page/tab.