{"id":19294,"date":"2022-06-08T14:10:03","date_gmt":"2022-06-08T22:10:03","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/06\/08\/news-13027\/"},"modified":"2022-06-08T14:10:03","modified_gmt":"2022-06-08T22:10:03","slug":"news-13027","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/06\/08\/news-13027\/","title":{"rendered":"MakeMoney malvertising campaign adds fake update template"},"content":{"rendered":"

Credit to Author: Threat Intelligence Team| Date: Wed, 08 Jun 2022 21:33:04 +0000<\/strong><\/p>\n

Malware authors and distributors are following the ebbs and flow of the threat landscape. One campaign we have tracked for a numbers of years recently introduced a new scheme to possibly completely move away from drive-by downloads via exploit kit.<\/p>\n

In this quick blog post, we will look at this new attack chain and link it with previous activity from what we believe are the same threat actors.<\/p>\n

FakeUpdates (SocGholish) lookalike<\/h2>\n

Our researcher Fillip Mouliatis identified a malvertising campaign leading to a fake Firefox update. The template is strongly inspired from similar schemes and in particular the one distributed by the FakeUpdates<\/a> (SocGholish<\/a>) threat actors.<\/p>\n

\n
\"\"<\/a><\/figure>\n<\/div>\n

However distribution and implementation are very different. Unlike FakeUpdates which uses compromised websites to push their template, this one is driven via malvertising. Please note the IP addresses involved in the redirection infrastructure as we will come back to them in a moment.<\/p>\n

\n
\"\"<\/a><\/figure>\n<\/div>\n

The template itself is much more simplified and appears to be in development with a fake Firefox update that contains a couple of scripts that pull down an encrypted payload. The initial executable consists of a loader which retrieves a piece of Adware detected as BrowserAssistant. This payload was seen before<\/a> and interestingly through a similar malvertising campaign involving the RIG exploit kit.<\/p>\n

MakeMoney connection<\/h2>\n

The malvertising infrastructure is essentially the same one that was used in numerous drive-by campaigns with exploit kits since late 2019. For some reason the threat actors are reusing the same servers in Russia and naming their malvertising gates after different ad networks.<\/p>\n

Security researcher @na0_sec<\/a> saw the “MakeMoney gate”, named after the domain makemoneywithus[.]work (188.225.75.54<\/strong>), redirect the Fallout exploit kit<\/a> in October 2020, although it mostly used RIG EK<\/a> for several years. Probably the earliest instance of this threat group was seen in December 2019<\/a> via the gate gettime[.]xyz (185.220.35.26)<\/strong>.<\/p>\n

\n
\n
\n

#RigEK<\/a> -> #KPOT<\/a>https:\/\/t.co\/90qLX09BN1<\/a> pic.twitter.com\/wYzgr7VqFE<\/a><\/p>\n

— nao_sec (@nao_sec) December 31, 2019<\/a><\/p><\/blockquote>\n