A malvertising-driven campaign now pushes a fake Firefox update using a lookalike of the FakeUpdates (SocGholish) template, delivering an encrypted payload through a simple loader that drops adware. The reused infrastructure and long-running MakeMoney gates support a consistent attribution: the same actors have kept using Russia-based servers and ad-network-themed domains, historically to push exploit kits.
Keypoints
- A new malvertising campaign uses a FakeUpdates/SocGholish lookalike template featuring a fake Firefox update and scripts that fetch an encrypted payload.
- Unlike prior FakeUpdates campaigns that relied on compromised sites, this scheme is driven via malvertising with pointed redirection infrastructure.
- The initial executable is a loader that retrieves adware detected as BrowserAssistant, building on a pattern seen in a prior RIG EK-related campaign.
- The malvertising infrastructure reuses the same servers and gates, many hosted in Russia, with names tied to various ad networks (e.g., PropellerAds, PopCash).
- Indicators of Compromise include multiple IPs (e.g., 185.220.35.26, 188.225.75.54) and a long list of malvertising domains and landing gates (e.g., makemoneywithus.work, gettime.xyz).
- The actors appear to have been active for years, dating back to December 2019, with continued use of RIG EK and related exploit kits; typos in the social-engineering template show that the campaign's presentation is still rough.
MITRE Techniques
- [T1189] Drive-by Compromise – Malvertising drives users to a fake Firefox update; quote: “The malvertising infrastructure is essentially the same one that was used in numerous drive-by campaigns with exploit kits since late 2019.”
- [T1059.007] JavaScript – The update template “contains a couple of scripts that pull down an encrypted payload.”
- [T1105] Ingress Tool Transfer – The initial executable “consists of a loader which retrieves a piece of Adware detected as BrowserAssistant.”
- [T1203] Exploitation for Client Execution – The actors previously redirected to the Fallout EK in October 2020, though they mostly used RIG EK for years; quote: “…redirect to the Fallout exploit kit in October 2020, although it mostly used RIG EK for several years.”
- [T1583] Acquire Infrastructure – Infrastructure reuse across campaigns; quote: “Looking at this infrastructure shows that the group reused a few servers quite predictably during these years between AS59504 vpsville and AS9123 TimeWeb.”
Indicators of Compromise
- [IP addresses] malvertising domains, gates – 185.220.35.26, 188.225.75.54
- [IP addresses] fake template – 188.227.107.121, 188.227.107.92
- [Domains] malvertising domains, gates – makemoneywithus.work, adsterramag.me
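One way a defender would put the indicators above to use, as an added example that is not part of the report: match proxy log entries against the listed gate domains (including their subdomains) and template IPs, and raise the severity when an executable is fetched from one of those hosts. The log lines and the log format are constructed for the example.

```python
from urllib.parse import urlsplit

# Indicators quoted from the report above; nothing beyond what the page lists.
IOC_IPS = {"185.220.35.26", "188.225.75.54", "188.227.107.121", "188.227.107.92"}
IOC_DOMAINS = {"makemoneywithus.work", "adsterramag.me", "gettime.xyz"}

# Content types that indicate a binary download (assumption: typical proxy labels).
EXEC_TYPES = {"application/octet-stream", "application/x-msdownload"}

# Constructed sample proxy log: timestamp client method url status bytes content-type
SAMPLE_LOG = """\
2023-05-02T10:01:12Z 10.0.0.15 GET http://www.example.org/index.html 200 5120 text/html
2023-05-02T10:01:20Z 10.0.0.15 GET http://ads.gettime.xyz/go.php?id=42 302 0 -
2023-05-02T10:01:21Z 10.0.0.15 GET http://188.227.107.121/firefox/update.html 200 8801 text/html
2023-05-02T10:01:25Z 10.0.0.15 GET http://188.227.107.121/firefox_update.exe 200 418304 application/octet-stream
2023-05-02T10:03:00Z 10.0.0.22 GET https://cdn.example.net/app.js 200 77312 application/javascript
"""


def ioc_host_match(host):
    """Return the matching indicator or None. IPs match exactly; domains match
    as suffixes so a subdomain of a listed gate (ads.gettime.xyz) is caught,
    while a lookalike such as notgettime.xyz is not."""
    host = host.lower().rstrip(".")
    if host in IOC_IPS:
        return host
    for d in IOC_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None


def scan_proxy_log(text):
    """Return (timestamp, client, indicator, severity, url) for each hit."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue  # skip malformed lines rather than abort the scan
        ts, client, _method, url, _status, _size, ctype = parts
        split = urlsplit(url)
        ioc = ioc_host_match(split.hostname or "")
        if ioc is None:
            continue
        # Executable from campaign infrastructure: the loader stage, so rank it higher.
        if ctype in EXEC_TYPES or split.path.lower().endswith(".exe"):
            sev = "high"
        else:
            sev = "medium"  # gate or fake-update page contact in the redirect chain
        hits.append((ts, client, ioc, sev, url))
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(*hit)
```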