Adult Sites Were Targeted Via Fake Java Update – Malsmoke



A fake Java update found on various porn sites actually downloads the well-known Zloader malware.

Targeting Adult Websites:

The malsmoke operators ran successful exploit kit campaigns for several months but in October decided to switch them over to a new social engineering scheme.

Attackers are tricking visitors to adult websites such as bravoporn[.]com and hamster[.]com through malicious ads that redirect users to exploit kits.

Malsmoke delivers Zloader, a banking trojan variant that made a comeback after an absence of almost two years and is now used as an info stealer.

Malsmoke Malware:

Malsmoke goes for high-traffic adult portals, hoping to yield the maximum number of infections. Its newest campaign tricks visitors to adult websites with a fake Java update.

(Image source: Malwarebytes)

Additionally, the latest domain name, pornislife[.]online, was registered with the same email address, mikami9722@hxqmail[.]com, that is tied to a number of other web properties previously linked to malsmoke gates.

New Social Engineering Trick:

This new scheme works across all web browsers, including Google Chrome. When the visitor clicks to play an adult video clip, a new browser window pops up telling them that the “Java Plug-in 8.0 was not found”.

Fake Java update dialog (image source: Malwarebytes)

The threat actors could have designed this fake plugin update in any shape or form. The choice of Java is a bit odd, though, considering it is not typically associated with video streaming.

Still, those who click and download the so-called update may not be aware of that, and that’s really all that matters.

Defend From Evolving Web Threats:

Malsmoke has been one of the most noticeable distributors of malvertising and exploit kits targeting high-profile websites.

  • Be careful when installing applications
  • Do not click or open ads or pop-up links
  • Add the Malwarebytes Browser Guard extension to your browser
  • Migrate to a modern and fully supported browser

Indicators Of Compromise:

Redirector:

landingmonster[.]online

Decoy adult portal:

pornislife[.]online

MSI installer:

87bfbbc345b4f3a59cf90f46b47fc063adcd415614afe4af7afc950a0dfcacc2

First C2:

moviehunters[.]site

ZLoader:

4a30275f14f80c6e11d5a253d7d004eda98651010e0aa47f744cf4105d1676ab

ZLoader C2s:

iqowijsdakm[.]ru
wiewjdmkfjn[.]ru
dksaoidiakjd[.]su
iweuiqjdakjd[.]su
yuidskadjna[.]su
olksmadnbdj[.]su
odsakmdfnbs[.]com
odsakjmdnhsaj[.]com
odjdnhsaj[.]com
odoishsaj[.]com
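The indicators above are published defanged (with "[.]" in place of "."), so they cannot be pasted straight into a log search. The following is an added example, not code from the original article or from Malwarebytes: it refangs the listed domains, then scans proxy and DNS log lines for those domains (and their subdomains) and for the two published SHA-256 hashes. The log lines are constructed for illustration and their format is assumed; only the indicator values come from the article.

```python
"""Scan log lines for the Malsmoke indicators of compromise published above.

Added example, not part of the original article. The domain and hash values
are the article's IoCs; the log lines and their format are constructed here.
"""
import re
from typing import Iterable, List, Optional, Tuple

# Defanged indicators exactly as published in the article.
IOC_DOMAINS_DEFANGED = [
    "landingmonster[.]online",   # redirector
    "pornislife[.]online",       # decoy adult portal
    "moviehunters[.]site",       # first C2
    "iqowijsdakm[.]ru", "wiewjdmkfjn[.]ru", "dksaoidiakjd[.]su",
    "iweuiqjdakjd[.]su", "yuidskadjna[.]su", "olksmadnbdj[.]su",
    "odsakmdfnbs[.]com", "odsakjmdnhsaj[.]com", "odjdnhsaj[.]com",
    "odoishsaj[.]com",
]
IOC_SHA256 = {
    "87bfbbc345b4f3a59cf90f46b47fc063adcd415614afe4af7afc950a0dfcacc2",  # MSI installer
    "4a30275f14f80c6e11d5a253d7d004eda98651010e0aa47f744cf4105d1676ab",  # ZLoader
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("example[.]com", "hxxp://") back into its real form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}

# Anything that looks like a dotted hostname, and anything that looks like a SHA-256 hex digest.
HOST_RE = re.compile(r"(?i)\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b")
SHA256_RE = re.compile(r"(?i)\b[0-9a-f]{64}\b")


def domain_matches(hostname: str) -> Optional[str]:
    """Return the IoC domain that hostname equals or is a subdomain of, else None.

    Matching is done label by label from the right, so "cdn.moviehunters.site"
    hits "moviehunters.site" while "notmoviehunters.site" does not.
    """
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def scan_lines(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, indicator) for every IoC hit in the given lines."""
    hits: List[Tuple[int, str, str]] = []
    for n, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            matched = domain_matches(host)
            if matched:
                hits.append((n, "domain", matched))
        for digest in SHA256_RE.findall(line):
            if digest.lower() in IOC_SHA256:
                hits.append((n, "sha256", digest.lower()))
    return hits


# Constructed sample log lines (proxy, DNS and endpoint file events); format is assumed.
SAMPLE_LOG = [
    "2020-11-17T10:01:52Z 10.0.0.5 GET http://www.example.com/index.html 200",
    "2020-11-17T10:02:11Z 10.0.0.5 GET http://landingmonster.online/go 302",
    "2020-11-17T10:02:12Z 10.0.0.5 GET http://pornislife.online/video.php 200",
    "2020-11-17T10:03:00Z 10.0.0.5 query A cdn.moviehunters.site",
    "2020-11-17T10:03:41Z endpoint=WS-17 file=JavaPlug-in.msi "
    "sha256=87bfbbc345b4f3a59cf90f46b47fc063adcd415614afe4af7afc950a0dfcacc2",
    "2020-11-17T10:05:09Z 10.0.0.5 query A notmoviehunters.site",
]

if __name__ == "__main__":
    for line_no, kind, indicator in scan_lines(SAMPLE_LOG):
        print(f"line {line_no}: {kind} hit on {indicator}")
```

The hostname regex is deliberately loose (it also picks up IP addresses and file names such as video.php), because the suffix check in domain_matches is what decides a hit; this keeps the scanner usable on mixed log formats without a per-format parser.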
By FirstHackersNews | November 17th, 2020 | Mobile Security, Targeted Attacks
