Malvertising Campaign Target Firefox Users via Fake Updates

Fillip Mouliatis, a Malwarebytes researcher has uncovered a malvertising campaign that is nearly identical to the one distributed by the FakeUpdates (SocGholish) attackers.

However, the execution and distribution patterns are different. Unlike FakeUpdates which is driven by exploited websites to display malicious, fake browser update windows, this campaign employs malvertising.

The malvertising campaign target users via a fake Firefox update that includes a couple of scripts and an encrypted payload. The initial executable consists of a loader that retrieves a piece of Adware identified as BrowserAssistant. This malicious payload was spotted before in an identical malvertising campaign involving the RIG exploit kit in late 2019.

Interestingly, the attackers reused the same servers in Russia and dubbed their malvertising gates after different ad networks.

In October 2020, security analyst ‘@na0_sec’ witnessed the “MakeMoney gate”, named after the domain makemoneywithus[.]work (, redirect to the Fallout exploit kit, although it usually employed RIG EK for multiple years.

According to Malwarebytes, it is interesting that malicious actors remained faithful to RIG EK for so long during a period when exploit kits were going out of fashion. The attackers also seemed to poke fun at the same ad networks they were exploiting, unless the choice for names linked with their campaigns was motivated by sorting out their upstream traffic.

However, this particular social engineering campaign could use some improvements to remove some blatant typos while their server-side infrastructure could be tidied up, Filip Mouliatis stated.

Last year in December 2021, a Malvertising campaign targeted Chrome users via malicious extensions. These extensions, were manufactured to impersonate popular applications, and create backdoors in the software that malicious actors could exploit to exfiltrate personal identifiable information (PII) data.

Magnat, the authors of this malicious campaign specifically targeted users searching for popular software via search engines. Once the victim clicked on a malicious link to a fake installer, their endpoint was compromised with a password stealer called "RedLineStealer," as well as a Chrome extension known as "MagnatExtension” designed to log keystrokes and capture screenshots.

To mitigate the risks, avoid clicking on ads promising things that seems suspicious. Only click on those ads that look like they were created by a professional graphic designer. Experts also suggest not to click on ads that have spelling errors.

7 views0 comments