
Malvertising campaign spoofs Malwarebytes website to deliver Raccoon info-stealer

Malicious actors created a fake webpage impersonating cybersecurity company Malwarebytes and used it as a gateway in a malvertising campaign designed to infect victims with the Raccoon information stealer.

The malvertisements, which likely appeared on adult websites, automatically redirected site visitors to the fake page without any user interaction, according to the Malwarebytes Threat Intelligence team. The malicious page, located at malwarebytes-free[.]com, in turn routes victims to the Fallout Exploit Kit, which enables the Raccoon infection.

The malicious domain was registered on March 29 and is hosted in Russia, Malwarebytes reported in a Tuesday blog post. The fake website announces the availability of Malwarebytes 4.0 for Windows and purports to offer a free download. The company believes the threat actor may be tied to campaigns from the past few months that used similar copycat website templates as gates.

"Examining the source code, we can confirm that someone stole the content from our original site but added something extra," the blog post states. "A JavaScript snippet checks which kind of browser you are running, and if it happens to be Internet Explorer, you are redirected to a malicious URL belonging to the Fallout exploit kit."

"[W]e believe this faux Malwarebytes malvertising campaign could be payback for our continued work with ad networks to track, report and dismantle such attacks," the report continues.

The malvertisements themselves were delivered via the PopCash ad network, Malwarebytes says.

The scheme observed here isn't as common as it once was, the Malwarebytes Threat Intelligence team told SC Media. "Malvertising as a whole continues to be a big problem, but the types of payloads we are seeing have changed in recent years," the team said.

"Specifically, malvertising leading to drive-by download attacks is much lower compared to other categories such as tech support scams, fake software updates, etc. The reasoning behind this decrease in the use of malvertising and exploit kits is due to a much smaller market share for the Internet Explorer browser than in years past. Unless malware authors develop new exploits for Chromium-based browsers, exploit kits will likely slowly vanish."

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
