Malicious actors created a fake webpage that impersonates cybersecurity company Malwarebytes and were using it as a gateway in a malvertising campaign designed to infect victims with the Raccoon information stealer.
The malvertisements, which likely appeared on adult websites, automatically redirected site visitors to the fake page without any customer interaction, according to the Malwarebytes Threat Intelligence team. The malicious page, located at malwarebytes-free[.]com, in turn routes victims to the Fallout Exploit Kit, which enables the Raccoon infection.
The malicious domain was registered on March 29 and is hosted in Russia, Malwarebytes reported in a Tuesday blog post. The fake website announces the availability of Malwarebytes 4.0 for Windows, and purports to offer a free download. The company believes the threat actor may be tied to similar campaigns from the past few months that used similar copycat templates of websites as gates.
"Examining the source code, we can confirm that someone stole the content from our original site but added something extra," the blog post states. "A JavaScript snippet checks which kind of browser you are running, and if it happens to be Internet Explorer, you are redirected to a malicious URL belonging to the Fallout exploit kit."
"[W]e believe this faux Malwarebytes malvertising campaign could be payback for our continued work with ad networks to track, report and dismantle such attacks," the report continues.
The malvertisements themselves were delivered via the PopCash ad network, Malwarebytes says.
The scheme observed here isn't as common as it once was, the Malwarebytes Threat Intelligence team told SC Media. "Malvertising as a whole continues to be a big problem, but the types of payloads we are seeing have changed in recent years," he said.
"Specifically, malvertising leading to drive-by download attacks is much lower compared to other categories such as tech support scams, fake software updates, etc. The reasoning behind this decrease in the use of malvertising and exploit kits is due to a much smaller market share for the Internet Explorer browser than in years past. Unless malware authors develop new exploits for Chromium-based browsers, exploit kits will likely slowly vanish."
