Category: Featured

“Roboto Condensed” Social Engineering Attack Targets Both Chrome and Firefox Users.

A couple of days ago I found a dozen or so domains using a social engineering attack like that of the RELST and HoeflerText campaigns. This attack, which I call “Roboto Condensed” for reasons that will become obvious, targets both Chrome and Firefox users. Users are likely to be redirected to these social engineering domains via malvertising, hacked ...

Finding a Good Man: Part 2

Read Finding a Good Man (Part 1): https://malwarebreakdown.com/2017/03/10/finding-a-good-man/ Read the last update on Good Man: https://malwarebreakdown.com/2017/04/26/update-on-goodman/ It has been over 5 months since I found and started tracking the actor(s) behind what I dubbed the “Good Man” campaign. I called it the Good Man campaign because the registrant email used for many of the malicious domains was goodmandilaltain@gmail.com. ...

“Despicable” Malvertising Campaign

A couple of other coworkers and I stumbled across a malvertising campaign that I’ve playfully dubbed “Despicable” for its heavy use of the .ME TLD. So far, I haven’t found any public documentation about this campaign. Having said that, I wouldn’t be surprised if it was currently on other people’s radars. Background into the campaign Research ...

RoughTed Malvertising Operation Leads to “RELST” Domains and RIG EK.

On 06/03/17 I stumbled across a malvertising chain that led to RIG exploit kit. What was unusual about this malvertising chain is that it was also leading to a lot of social engineering scams. After some research I have discovered that it could be related to the “RoughTed” malvertising campaign. You can read more about ...

Thousands of Compromised Websites Leading to Fake Flash Player Update Sites. Payload is Qadars Banking Trojan.

Traffic: Infection Chain (Run on 02/10/17): There appear to be thousands of websites that were compromised and had been redirecting users to fake Flash Player update sites. For the most part they seem to be delivering Qadars banking malware. I was originally tipped off to a potentially compromised site a couple of weeks ago by somebody ...