A cybercrime group named Malsmoke has been targeting porn sites with malicious ads that redirect users to exploit kits.
Over the past few months, a threat actor dubbed Malsmoke has been placing malicious ads on popular porn sites and using them to deliver malware to visitors' devices.
According to Malwarebytes researchers, who have been tracking this campaign, the Malsmoke gang has managed to abuse “practically all adult ad networks”, but this is the first time the threat actor has hit a top publisher: the group placed malicious ads on xHamster, one of the most popular adult sites in the world.
The campaign targets users running vulnerable versions of Internet Explorer and Adobe Flash Player. The malicious ads use JavaScript to redirect visitors of the adult portals to attacker-controlled sites hosting an exploit kit that exploits CVE-2019-0752 (Internet Explorer scripting engine memory corruption, patched by Microsoft in April 2019) and CVE-2018-15982 (Flash Player, patched by Adobe in December 2018) in order to install malware such as Smoke Loader, Raccoon Stealer, and ZLoader on victims' machines. A machine with both patches applied, or without Flash and Internet Explorer at all, is not exploitable by this kit.
Most exploit kits are built around vulnerabilities in Flash and Internet Explorer, which has made them less effective now that most internet users have either uninstalled Flash or moved to Chrome and Firefox.
“Despite recommendations from Microsoft and security professionals, we can only witness that there are still a number of users (consumer and enterprise) worldwide that have yet to migrate to a modern and fully supported browser,” Malwarebytes said in a report published earlier this week.
Recommendations:
We recommend loading the indicators of compromise listed below into your organization's security devices (web proxy, DNS filtering, firewall) without delay. Researchers say the campaign is well planned and actively being executed, so make sure you do not fall prey to it. Most organizations already block adult websites by category, but that is not sufficient here: the ad-network redirects, the exploit-kit gates and the C2 hosts involved are ordinary-looking domains and IP addresses, and the infections happen as drive-by downloads triggered from advertisements, so these indicators need to be blocked explicitly rather than relying on the adult category alone.
Deploy the IOCs and make sure that hits against them are forwarded to and monitored in your SIEM.
Make sure they are applied in your EDR as well. Are you looking for an EDR expert? Contact us:
First Hackers News – https://firsthackersnews.com/contact/
Indicators of compromise (domains and IP addresses are defanged with [.] and must be refanged before use)
Gates used in the malvertising campaign pushing Raccoon Stealer
intica-deco[.]com
websolvent[.]me
Raccoon Stealer samples (SHA-256)
b289155154642ba8e9b032490a20c4a2c09b925e5b85dda11fc85d377baa6a6c
f319264b36cdf0daeb6174a43aaf4a6684775e6f0fb69aaf2d7dc051a593de93
Raccoon Stealer C2s
34.105.147[.]92/gate/log.php
chinadevmonster[.]top/gate/log.php
Smoke Loader sample (SHA-256)
23bef893e3af7cb49dc5ae0a14452ed781f841db7397dc3ebb689291fd701b6b
Smoke Loader C2s
dkajsdjiqwdwnfj[.]info
2831ujedkdajsdj[.]info
928eijdksasnfss[.]info
Gates used in the Malsmoke campaign
einlegesohle[.]com/indexx.php
adexhangetomatto[.]space
encelava[.]com/coexo.php
encelava[.]com/caac
uneaskie[.]com/ukexo.php
bumblizz[.]com/auexo.php
bumblizz[.]com/auflexexo.php
bumblizz[.]com/caexo.php
bumblizz[.]com/caflexexo.php
bumblizz[.]com/usexo.php
bumblizz[.]com/usflexexo.php
canadaversaliska[.]info/coflexexo.php
canadaversaliska[.]info/coflexo.php
canadaversaliska[.]info/ukflexexo.php
canadaversaliska[.]info/ukflexo.php
canadaversaliska[.]info/usflexexo.php
canadaversaliska[.]info/usflexo.php
krostaur[.]com/jpexo.php
krostaur[.]com/jpflexexo.php
krostaur[.]com/jpflexo.php
leiomity[.]com/ukexo.php
leiomity[.]com/ukflexexo.php
leiomity[.]com/usexo.php
leiomity[.]com/usflexexo.php
surdised[.]com/coexo.php
surdised[.]com/usexo.php
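As an added example (not code from Malwarebytes or from this site), the following Python script shows one way to put the list above to use in the way the recommendations describe: it refangs the defanged indicators, builds host-level and URL-level match sets, runs them over proxy log lines, and marks hits coming from an Internet Explorer user agent, since that is the browser the exploit kit can actually exploit. The proxy log layout, the client addresses and the sample log lines are constructed for this example and are not from any real product or incident; only a subset of the indicators above is embedded.

```python
"""Match the page's defanged Malsmoke IOCs against proxy log lines.

Added example, not code from Malwarebytes or this site. The log format,
the client IPs and the log lines below are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# A subset of the indicators listed above, kept defanged exactly as
# published ("[.]" for "."); the full list is in the article body.
IOCS = """
intica-deco[.]com
websolvent[.]me
34.105.147[.]92/gate/log.php
chinadevmonster[.]top/gate/log.php
dkajsdjiqwdwnfj[.]info
einlegesohle[.]com/indexx.php
bumblizz[.]com/usexo.php
canadaversaliska[.]info/usflexo.php
"""

# Assumed proxy log layout (constructed, not a real product's format):
#   <timestamp> <client-ip> <method> <url> <status> "<user-agent>"
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Internet Explorer identifies itself with "MSIE" (IE <= 10) or "Trident/" (IE 11).
IE_UA = re.compile(r"MSIE|Trident/")


def refang(ioc):
    """Turn a defanged indicator back into a matchable host/URL fragment."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def parse_iocs(text):
    """Split indicators into a set of hosts and a set of (host, path) pairs.

    A bare domain covers every request to it (and its subdomains); an
    indicator with a path additionally lets us flag the exact gate or C2 URL.
    """
    hosts, paths = set(), set()
    for line in text.strip().splitlines():
        ioc = refang(line.strip()).lower()
        if not ioc:
            continue
        host, _, path = ioc.partition("/")
        hosts.add(host)
        if path:
            paths.add((host, "/" + path))
    return hosts, paths


def matching_host(host, hosts):
    """Return the indicator covering host (exact or parent domain), else None."""
    labels = host.split(".")
    for i in range(len(labels) - 1):          # candidates keep at least two labels
        candidate = ".".join(labels[i:])
        if candidate in hosts:
            return candidate
    return None


def scan_log(lines, hosts, paths):
    """Return one finding per log line whose destination matches an indicator."""
    findings = []
    for raw in lines:
        m = LOG_LINE.match(raw)
        if not m:
            continue                           # unparseable lines are skipped, never matched
        parts = urlsplit(m.group("url"))
        host = (parts.hostname or "").lower()  # hostname drops any :port
        indicator = matching_host(host, hosts) if host else None
        if indicator is None:
            continue
        findings.append({
            "ts": m.group("ts"),
            "client": m.group("client"),
            "host": host,
            "indicator": indicator,
            # "url": the exact gate/C2 path was requested; "host": only the domain matched
            "level": "url" if (host, parts.path) in paths else "host",
            # a hit from IE is one the exploit kit described above can actually exploit
            "vulnerable_browser": bool(IE_UA.search(m.group("ua"))),
        })
    return findings


# Constructed sample log; these requests did not happen anywhere.
SAMPLE_LOG = [
    '2020-10-20T09:15:03Z 10.1.2.33 GET http://bumblizz.com/usexo.php 200 '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"',
    '2020-10-20T09:15:04Z 10.1.2.33 POST http://34.105.147.92/gate/log.php 200 '
    '"Mozilla/5.0 (Windows NT 6.1; Win64; x64)"',
    '2020-10-20T09:16:11Z 10.1.2.40 GET https://example.com/index.html 200 '
    '"Mozilla/5.0 (X11; Linux x86_64; rv:81.0) Gecko/20100101 Firefox/81.0"',
    '2020-10-20T09:17:45Z 10.1.2.51 GET http://cdn.websolvent.me/ad.js 200 '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/86.0.4240.75 Safari/537.36"',
    'this line is not in the expected format',
]

if __name__ == "__main__":
    hosts, paths = parse_iocs(IOCS)
    for finding in scan_log(SAMPLE_LOG, hosts, paths):
        print(finding)
```

Feeding a real proxy export in place of SAMPLE_LOG is the only change needed. The parent-domain match means a request to any subdomain of a listed gate is flagged as well, a hit on the exact gate or C2 path is reported at "url" level so it can be prioritized over a bare domain match, and lines that do not parse are skipped rather than silently treated as clean.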