Malvertisers rickrolling security researchers...
softwareinteractivo[.]com
winsccp[.]com
protemaq[.]com/wp-content/update/iso/6[.]1/tusto/WinSCP-6[.]1-Setup[.]iso
https://www.virustotal.com/gui/file/2eb2ef7a562145a0faf3c82f439221908adfcc784022a64e5bb17a432f4a8a91
RIG Exploit Kit
188.227.58[.]100
Payload: Raccoon Stealer
C2: 5.252.177[.]36
Some next level cloaking from this malvertising group.
Payload is RedLine Stealer:
cdn[.]discordapp[.]com/attachments/1067816024541507666/1116463363891933204/AnyDesk.zip
#Malvertising targeting Cisco AnyConnect dropping Python Meterpreter payload.
mypondsoftware[.]com/cisco/anyconnect/file.php
trafcon[.]co/wp-content/plug/des/sus/cisco/anyconnect/cisco-anyconnect-4.iso
C2: 141.98.6[.]95
Recently I spent about a week focusing on popular Google search terms and discovered that brand impersonation via malicious ads is still very much a problem.
I've documented my findings and some suggestions in this blog post: https://www.malwarebytes.com/blog/threat-intelligence/2023/05/malvertising-its-a-jungle-out-there
#Malvertising pushing fake WinSCP installer.
wincspone[.]com
wincsp[.]pro
Payload is Redline Stealer with C2: 95.217.39.93:32312 via embedded PowerShell
I wrote a blog about a #malvertising campaign leading to a fake system update page.
In reality, it is the Aurora stealer packaged inside the stealthy Invalid Printer loader.
Template targeting German store from the Kritec skimmer
hapermob[.]shop
xiloditg[.]yachts/mage-cache-loader-v2-4.min.js
Malicious WinSCP installer distributed via Google ad (#malvertising).
Cloaking ad domain: putmastering[.]com
Fake WinSCP site:
winscpn[.]com
C2 callbacks:
104.234.10[.]207:7931/itrdd/kcrs/file1.txt
104.234.10[.]207:7931/itrdd/kcrs/file2.txt
