A malvertising campaign impersonates a legitimate Windows portal (WindowsReport.com) to push a CPU-Z installer, delivering a signed MSIX payload that runs a malicious PowerShell script via a loader called FakeBat to install the Redline stealer. The operation uses cloaking, lookalike sites, and redirects (including a 302 HTTP redirect) with a compromised advertiser identity to evade detection, and Malwarebytes ThreatDown has detected the final payload and related IOCs.
#RedlineStealer #WindowsReport
Key points
- The malvertising campaign copies content from WindowsReport.com to deceive users into downloading malware.
- The legitimate Windows Report portal was not compromised; attackers replicated its look and feel to trap victims.
- Other utilities (Notepad++, Citrix, VNC Viewer) are targeted, with shared infrastructure and cloaking templates used to dodge detection.
- The malicious ad is presented by an apparent advertiser, "Scott Cooper," who is likely compromised or fake.
- A 302 redirect from corporatecomf[.]online to workspace-app[.]online leads victims to a lookalike download page for CPU-Z.
- The payload is a signed MSIX installer containing a malicious PowerShell script and a loader named FakeBat, culminating in the Redline stealer and C2 communication.
MITRE Techniques
- [T1189] Drive-by Compromise: The malvertising workflow redirects victims to a lookalike site and delivers a signed MSIX installer. Quote: "redirect (302 HTTP code) to another domain at workspace-app[.]online."
- [T1036] Masquerading: The attack uses a Windows Report lookalike, with content from the legitimate Windows portal and a URL that does not match the real site. Quote: "The domain uses content from the legitimate Windows portal WindowsReport.com and looks almost identical."
- [T1204.002] User Execution: Malicious Link: Victims clicking the ad land on a download page that may appear legitimate, with a mismatched address bar. Quote: "People who searched for CPU-Z and clicked the ad are now at the download page for the software, where they may wrongly assume that it is legitimate. The URL in the address bar does not match the real one."
- [T1059.001] PowerShell: The installer contains a malicious PowerShell script and a loader named FakeBat. Quote: "The payload is a digitally signed MSIX installer which contains a malicious PowerShell script, a loader known as FakeBat."
- [T1071.001] Web Protocols: The malware demonstrates command and control activity via a C2 server referenced by the PowerShell payload. Quote: "the script shows the malware command and control server as well as the remote payload (Redline stealer)."
Indicators of Compromise
- [Ad domains] argenferia[.]com, workspace-app[.]online: used in malvertising campaigns to redirect victims
- [Ad domains] corporatecomf[.]online, cilrix-corp[.]pro: additional domains observed in the infrastructure
- [Ad domains] realvnc[.]pro, winscp-apps[.]online: part of the same malvertising ecosystem
- [Ad domains] wireshark-app[.]online, cilrix-corporate[.]online: additional lookalike sites used for cloaking
- [Payload URLs] thecoopmodel[.]com/CPU-Z-x86.msix, argenferia[.]com/RealVNC-x64.msix: download pages used to deliver the payload
- [Payload URLs] kaotickontracting[.]info/account/hdr.jpg, ivcgroup[.]in/temp/Citrix-x64.msix: supplementary payload delivery URLs
- [Payloads] 55d3ed51c3d8f56ab305a40936b446f761021abfc55e5cc8234c98a2c93e99e1, 9acbf1a5cd040c6dcecbe4e8e65044b380b7432f46c5fbf2ecdc97549487ca88: sample file hashes for the payloads
- [C2s] 11234jkhfkujhs[.]site, 11234jkhfkujhs[.]top: command and control endpoints
- [C2s] 94.131.111[.]240, 81.177.136[.]179: additional C2 IP addresses
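As an added example (not code from the page or from Malwarebytes), the indicators above are refanged into lookup sets and matched against a proxy log, tagging the three stages the summary describes per client: the 302 onto a lookalike domain, the MSIX/payload fetch, and the Redline C2 contact. The log layout (timestamp, client, method, URL, status, Location) and the sample lines are assumptions constructed for the demo.

```python
import re
from urllib.parse import urlsplit
# Indicators as listed on the page (defanged); the sets below refang "x[.]y" to "x.y".
AD_DOMAINS = ["argenferia[.]com", "workspace-app[.]online", "corporatecomf[.]online",
              "cilrix-corp[.]pro", "realvnc[.]pro", "winscp-apps[.]online",
              "wireshark-app[.]online", "cilrix-corporate[.]online"]
PAYLOAD_URLS = ["thecoopmodel[.]com/CPU-Z-x86.msix", "argenferia[.]com/RealVNC-x64.msix",
                "kaotickontracting[.]info/account/hdr.jpg", "ivcgroup[.]in/temp/Citrix-x64.msix"]
C2_HOSTS = ["11234jkhfkujhs[.]site", "11234jkhfkujhs[.]top", "94.131.111[.]240", "81.177.136[.]179"]
AD_SET, PAYLOAD_SET, C2_SET = ({i.replace("[.]", ".") for i in lst}
                               for lst in (AD_DOMAINS, PAYLOAD_URLS, C2_HOSTS))
# Hypothetical proxy-log layout: ts client method url status location ("-" when absent).
LOG_RE = re.compile(r"^\S+ (?P<client>\S+) \S+ (?P<url>\S+) (?P<status>\d{3}) (?P<location>\S+)$")
def hostname(url: str) -> str:
    return urlsplit(url).hostname or ""  # urlsplit already lowercases the host

def classify(line: str) -> list:
    """Return the detection names that fire for one log line (empty if benign)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    host, path, hits = hostname(m["url"]), urlsplit(m["url"]).path, []
    # Stage 1: the 302 from the ad click lands on a lookalike download domain.
    if m["status"] == "302" and hostname(m["location"]) in AD_SET:
        hits.append("redirect_to_lookalike")
    if host in AD_SET:
        hits.append("lookalike_domain")
    # Stage 2: fetch of the signed MSIX (FakeBat loader) or a follow-on payload URL.
    if host + path in PAYLOAD_SET:
        hits.append("known_payload_url")
    if host in C2_SET:  # Stage 3: Redline stealer check-in to a listed C2 host or IP.
        hits.append("c2_contact")
    return hits

def scan(log_text: str) -> dict:
    chains = {}  # client -> ordered list of distinct stages, so a full chain stands out
    for line in log_text.splitlines():
        for hit in classify(line):
            seen = chains.setdefault(LOG_RE.match(line)["client"], [])
            if hit not in seen:
                seen.append(hit)
    return chains
# Constructed sample traffic (not from the page): one victim, 10.0.0.5, and one clean host.
SAMPLE_LOG = """\
2023-11-08T10:01:02Z 10.0.0.5 GET http://corporatecomf.online/?q=cpu-z 302 http://workspace-app.online/cpu-z/
2023-11-08T10:01:09Z 10.0.0.5 GET http://thecoopmodel.com/CPU-Z-x86.msix 200 -
2023-11-08T10:02:30Z 10.0.0.5 POST http://11234jkhfkujhs.site/ 200 -
2023-11-08T10:03:00Z 10.0.0.7 GET https://www.windowsreport.com/ 200 -
"""
```

Run `scan(SAMPLE_LOG)` to see the victim's full chain; a client that only trips one stage (for example a single lookalike visit) is lower-confidence than one that reaches the C2 contact.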