A malvertising campaign used a copycat website for anti-malware software provider Malwarebytes to distribute the Raccoon infostealer.
Malwarebytes learned of the campaign when someone notified the security firm that someone was abusing its brand using the lookalike domain “malwarebytes-free[.]com.” Registered on March 29 via REGISTRAR OF DOMAIN NAMES REG.RU LLC, this domain was hosted in Russia at 173.192.139[.]27 at the time of discovery.
Researchers at Malwarebytes subsequently examined the source code of the fake website. Through these efforts, they confirmed that someone had stolen the source code of the firm’s website. Those actors had then injected a JavaScript snipped into this code that specifically redirected visitors using Internet Explorer to a malicious URL hosting the Fallout exploit kit.