Malware authors and distributors are following the ebb and flow of the threat landscape. One campaign we have tracked for a number of years recently introduced a new scheme, possibly to move away completely from drive-by downloads via exploit kit.
In this quick blog post, we will look at this new attack chain and link it with previous activity from what we believe are the same threat actors.
FakeUpdates (SocGholish) lookalike
Our researcher Fillip Mouliatis identified a malvertising campaign leading to a fake Firefox update. The template is strongly inspired by similar schemes, in particular the one distributed by the FakeUpdates (SocGholish) threat actors.
However, distribution and implementation are very different. Unlike FakeUpdates, which uses compromised websites to push its template, this one is driven via malvertising. Please note the IP addresses involved in the redirection infrastructure, as we will come back to them in a moment.
The template itself is much simpler and appears to be in development: a fake Firefox update that contains a couple of scripts that pull down an encrypted payload. The initial executable consists of a loader which retrieves a piece of adware detected as BrowserAssistant. This payload was seen before and, interestingly, through a similar malvertising campaign involving the RIG exploit kit.
The malvertising infrastructure is essentially the same one that was used in numerous drive-by campaigns with exploit kits since late 2019. For some reason the threat actors are reusing the same servers in Russia and naming their malvertising gates after different ad networks.
Security researcher @na0_sec saw the “MakeMoney gate”, named after the domain makemoneywithus[.]work (126.96.36.199), redirect to the Fallout exploit kit in October 2020, although it mostly used RIG EK for several years. Probably the earliest instance of this threat group was seen in December 2019 via the gate gettime[.]xyz (188.8.131.52).
Looking at this infrastructure shows that the group reused a few servers quite predictably during these years between AS59504 vpsville and AS9123 TimeWeb. For example, gettime[.]xyz was hosted on the same server (184.108.40.206) as makemoneyeazzywith[.]me. Staying with the MakeMoney theme, we see makemoneywith[.]us on 188.225.75[.]54. That server was likely hosting a Keitaro TDS given such hostnames as keitarotrafficdelivery[.]xyz.
There is also activity on 220.127.116.11, 18.104.22.168 and 22.214.171.124 hosting a number of impersonation hostnames such as magicpropeller[.]xyz (PropellerAds), magicpopcash[.]xyz (PopCash).
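The shared-server pivot described above can be reproduced by grouping hostname and IP observations into connected components. This is an added example, not code from the original post; the hostname/IP pairs are the ones stated in the text, while the list layout and the function names (refang, defang, cluster, pivots) are assumptions made for illustration.

```python
from collections import defaultdict

# Hostname/IP pairs as stated in the post, kept defanged.
# The flat list layout is an assumption for this example.
OBSERVATIONS = [
    ("makemoneywithus[.]work", "126.96.36.199"),
    ("gettime[.]xyz", "188.8.131.52"),
    ("gettime[.]xyz", "184.108.40.206"),
    ("makemoneyeazzywith[.]me", "184.108.40.206"),
    ("makemoneywith[.]us", "188.225.75[.]54"),
    ("keitarotrafficdelivery[.]xyz", "188.225.75[.]54"),
]

def refang(indicator):
    """Normalise a defanged indicator so equal values compare equal."""
    return indicator.strip().lower().replace("[.]", ".")

def defang(indicator):
    """Defang an indicator again before it is shown or stored."""
    return indicator.replace(".", "[.]")

def cluster(observations):
    """Group hostnames and IPs into connected components (union-find)."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for host, ip in observations:
        h, i = ("host", refang(host)), ("ip", refang(ip))
        parent[find(h)] = find(i)  # a shared IP merges two clusters

    groups = defaultdict(lambda: {"hosts": set(), "ips": set()})
    for kind, value in list(parent):
        groups[find((kind, value))][kind + "s"].add(value)
    return sorted(groups.values(), key=lambda g: sorted(g["hosts"]))

def pivots(host, observations):
    """Other hostnames (defanged) linked to `host` through shared IPs."""
    target = refang(host)
    for group in cluster(observations):
        if target in group["hosts"]:
            return sorted(defang(h) for h in group["hosts"] - {target})
    return []

if __name__ == "__main__":
    for g in cluster(OBSERVATIONS):
        print(sorted(map(defang, g["hosts"])), "<->", sorted(map(defang, g["ips"])))
```

Feeding the same function passive DNS records for a newly seen gate shows whether it lands in an existing cluster or starts a new one.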
We find it interesting that the same threat actors remained faithful to RIG EK for so long during a period where exploit kits were going out of business. They also seemed to poke fun at the same ad networks they were abusing, unless the choice for names associated with their gates was motivated by sorting out their upstream traffic.
We don’t believe we have seen the last of this threat group. Having said that, their latest social engineering scheme could use some improvements to remove some blatant typos while their server-side infrastructure could be tidied up.
Indicators of Compromise
IP addresses (malvertising domains, gates)
IP addresses (fake template)
Domains (malvertising domains, gates)