Someone is targeting web denizens with a malicious, copycat Malwarebytes website, which serves up the Raccoon information stealer malware to unsuspecting visitors.
According to the security firm itself, the attackers set up the domain “malwarebytes-free[.]com” with a domain registrar in Russia in late March. “We don’t expect to hear from either the registrar or hosting provider,” Malwarebytes researchers told Threatpost, noting that the website is still active.
“Examining the source code, we can confirm that someone stole the content from our original site but added something extra,” according to a posting from the security firm this week. “A JavaScript snippet checks which kind of browser you are running, and if it happens to be Internet Explorer, you are redirected to a malicious URL belonging to the Fallout exploit kit.”
Further, the fake Malwarebytes site is being used in a malvertising campaign via the PopCash ad network, researchers added. Fake Malwarebytes ads served up by the PopCash network on adult websites take visitors to the watering-hole site. The firm said that it contacted PopCash to report the malicious advertisements.
Whether they arrive via organic means or via an ad, once visitors hit the site, the Fallout exploit kit (EK) is used to infect vulnerable machines with the Raccoon data-harvesting malware. Raccoon scours systems for credit card information, cryptocurrency wallets, passwords, emails, cookies, system information and data from popular browsers (including saved credit-card info, URLs, usernames and passwords), and then sends that data back to its operator.
The fake site. Click to enlarge.
Raccoon is a relatively new malware that is under active development by the hackers behind it, according to a previous analysis from Cofense. It’s sold on underground forums as a malware-as-a-service offering in both Russian and English, and includes around-the-clock customer support.
First spotted in April of 2019, Raccoon has been leveraged in several different campaigns since then. Cofense for instance saw a campaign in November where scurried past Microsoft and Symantec anti-spam messaging gateways, by using .IMG files hosted on a hacker-controlled Dropbox account.
According to additional research, the malware had infected hundreds of thousands of Windows systems as of last October.
Interestingly, the Malwarebytes analysts also found that the operators of the fake-site campaign appear to have tried similar tactics with other security firms – notably Cloudflare. That effort used a similar copycat site that was disseminated via malvertising.
“We believe this may be the same threat actor already involved in ongoing adult malvertising campaigns and using the Fallout exploit kit,” researchers at Malwarebytes told Threatpost. “The attacks are not sophisticated but the spread among various ad platforms is fairly wide. Typically we see malvertising via one or two ad networks simultaneously, but this threat actor has diversified his traffic leads.”
Malwarebytes researchers believe that the targeting of security firms could be a deliberate tactic meant as payback for revealing malvertising activity.
“The few malvertising campaigns that remain are often found on second- and third-tier adult sites, leading to the Fallout or RIG exploit kits, as a majority of threat actors have moved on to other distribution vectors,” Malwarebytes said in its post. “However, we believe this faux Malwarebytes malvertising campaign could be payback for our continued work with ad networks to track, report, and dismantle such attacks.”
Users can protect themselves by keeping their systems fully patched, and by double-checking the identity of any website before clicking on an ad or a link.
Worried about your cloud security in the work-from-home era? On April 23 at 2 p.m. ET, join DivvyCloud and Threatpost for a FREE webinar, A Practical Guide to Securing the Cloud in the Face of Crisis. Get exclusive research insights and critical, advanced takeaways on how to avoid cloud disruption and chaos in the face of COVID-19 – and during all times of crisis. Please register here for this sponsored webinar.
