Category: Informational

Roboto Condensed Delivers Downloader Which Downloads a CoinMiner.

My first post on the Roboto Condensed social engineering scheme can be seen HERE. BleepingComputer.com also wrote an article on this. The pages presented to both Chrome and Firefox users can be seen below: Here is an image of the page source: The binary file, fontpackupd60.exe, is being hosted on a compromised website in the /plugins/ ...

Roboto Condensed Social Engineering Scheme Delivers DELoader (aka Terdot or ZLoader).

My first post on the Roboto Condensed social engineering scheme can be seen HERE. BleepingComputer.com also wrote an article on this, which can be seen HERE. The page presented to both Chrome and Firefox users: Looking at the page source shows a different .ZIP file for Chrome and Firefox users: Chrome users download “Chrome_Font.zip”, which is ...

“Roboto Condensed” Social Engineering Attack Targets Both Chrome and Firefox Users.

A couple of days ago I found a dozen or so domains using a social engineering attack like that of the RELST and HoeflerText campaigns. This attack, which I call “Roboto Condensed” for reasons that will become obvious, targets both Chrome and Firefox users. Users are likely to be redirected to these social engineering domains via malvertising, hacked ...

Tech Support Scams Using Numeric Domains

According to Microsoft, tech support scams (TSS) are a growing problem with 2 out of 3 consumers reporting that they’ve encountered them in recent years. As somebody who often captures malvertising chains I can tell you that I too have seen a big uptick in redirects leading to tech support scam pages. A lot of the times ...

Finding a Good Man: Part 2

Read Finding a Good Man (Part 1): https://malwarebreakdown.com/2017/03/10/finding-a-good-man/
Read the last update on Good Man: https://malwarebreakdown.com/2017/04/26/update-on-goodman/
It has been over 5 months since I found and started tracking the actor(s) behind what I dubbed the “Good Man” campaign. I called it the Good Man campaign because the registrant email used for many of the malicious domains was goodmandilaltain@gmail.com. ...

“Despicable” Malvertising Campaign

A couple of coworkers and I stumbled across a malvertising campaign that I’ve playfully dubbed “Despicable” for its heavy use of the .ME TLD. So far, I haven’t found any public documentation about this campaign. Having said that, I wouldn’t be surprised if it was currently on other people’s radars. Background into the campaign Research ...

RELST Campaign Delivering Pony, Downloads Chthonic.

On 06/03/17 I discovered numerous domains using two different social engineering tricks to deliver Pony malware. Read more about that HERE. I nicknamed this campaign “RELST” since there are various references to “RELST” in the code: In my previous post I showed how the RoughTed malvertising operation led to the RELST campaign that had redirected my host to RIG exploit ...