For a couple of weeks, we have been observing a malvertising campaign that uses decoy websites to redirect users to the RIG exploit kit. Those sites, all themed around cryptocurrencies, were registered recently and are swapped out after a few days of use.
The results are then sent back to the server with the following code snippet:
The final step consists of a response with a blurb containing an iframe to RIG EK:
So far, we have not collected many hits via this campaign. Because it was new to us, we decided to call it Coins LTD, based on the numerous references to cryptocurrencies in the decoy page.
[Update] This campaign is also tracked as ‘etags’.
Thanks to @anti_expl0it for the additional data.
The redirection chain is identical from infection to infection, and so far we have collected only two kinds of payloads: TrickBot and Ramnit.
Other researchers, such as Baber Pervez, have caught this redirection chain as well. Its URI pattern recently changed slightly; however, the primary (decoy) domain and the secondary one (which serves the JS fingerprinting) keep rotating while remaining hosted on two distinct IP addresses, as per the diagram below:
This is one of a handful of malvertising campaigns that we are tracking. It is worth noting that it applies filtering steps to weed out bots, much like the other campaigns, and that it relies on a decoy gate, which seems to be common practice these days.
We will keep tabs on this campaign—in particular on what payloads it drops in the future. Malwarebytes users are protected from this drive-by attack.
Indicators of compromise
IP addresses:
5.135.234[.]116
212.237.12[.]253
137.74.159[.]216

Domains:
cryptoearnings[.]xyz
mybinaryearns[.]top
protectforex[.]top
mymoneyfixing[.]top
investingtodayfix[.]top
profitablesoft[.]top
myearnmoneybin[.]top
coinsdouble[.]top
wowmoney[.]top
doublecoin[.]top
myrobotearn[.]top
earnthismoney[.]top
doitmoneyforyou[.]top
binaryearnforex[.]top
bitcoinrobotplus[.]top
binaryrobotplus[.]top
ocoins[.]xyz
upfixmoney[.]top
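As an added example (not part of the original post or any Malwarebytes tooling), the following Python script refangs the indicators above and sweeps them against web proxy logs, so that a decoy-site visit or a hit on one of the hosting IPs can be spotted even when the campaign rotates to a subdomain. The log lines are constructed for illustration and are not from the campaign; the "timestamp client url" layout is an assumption about the log format.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Indicators transcribed from the post, kept in their defanged form.
RAW_IOCS = """
5.135.234[.]116 212.237.12[.]253 137.74.159[.]216
cryptoearnings[.]xyz mybinaryearns[.]top protectforex[.]top mymoneyfixing[.]top
investingtodayfix[.]top profitablesoft[.]top myearnmoneybin[.]top coinsdouble[.]top
wowmoney[.]top doublecoin[.]top myrobotearn[.]top earnthismoney[.]top
doitmoneyforyou[.]top binaryearnforex[.]top bitcoinrobotplus[.]top binaryrobotplus[.]top
ocoins[.]xyz upfixmoney[.]top
"""

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def refang(indicator: str) -> str:
    """Turn a defanged indicator (1.2.3[.]4, example[.]top, hxxp://) back into its live form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()


def load_iocs(raw: str):
    """Split the defanged blob into a set of IPv4 addresses and a set of domains."""
    ips, domains = set(), set()
    for token in raw.split():
        value = refang(token)
        (ips if IPV4.fullmatch(value) else domains).add(value)
    return ips, domains


def host_matches(host: str, ips, domains) -> Optional[str]:
    """Return the indicator a host matches, counting subdomains of a listed domain as hits.

    The comparison requires a dot boundary, so notcryptoearnings.xyz does not
    match cryptoearnings.xyz.
    """
    host = host.lower().rstrip(".")
    if host in ips:
        return host
    for domain in domains:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


# Constructed proxy log lines (assumed "timestamp client url" format, not from the post).
SAMPLE_LOG = [
    "2018-01-16T10:01:02Z 10.0.0.5 http://cryptoearnings.xyz/index.php?id=12",
    "2018-01-16T10:01:03Z 10.0.0.5 http://5.135.234.116/cache/main.js",
    "2018-01-16T10:01:04Z 10.0.0.5 https://www.example.com/news",
    "2018-01-16T10:01:05Z 10.0.0.7 http://cdn.bitcoinrobotplus.top/fp.js",
    "2018-01-16T10:01:06Z 10.0.0.7 http://notcryptoearnings.xyz/",
]


def scan_log(lines, ips, domains):
    """Return (timestamp, client, host, indicator) for every line whose URL host is an IOC."""
    hits = []
    for line in lines:
        parts = line.split(maxsplit=2)
        if len(parts) < 3:
            continue  # malformed line, skip rather than crash the sweep
        ts, client, url = parts
        host = urlsplit(url).hostname or ""
        ioc = host_matches(host, ips, domains)
        if ioc:
            hits.append((ts, client, host, ioc))
    return hits


if __name__ == "__main__":
    ioc_ips, ioc_domains = load_iocs(RAW_IOCS)
    for hit in scan_log(SAMPLE_LOG, ioc_ips, ioc_domains):
        print("IOC hit: %s from %s -> %s (matched %s)" % hit)
```

Because the campaign swaps decoy domains every few days, the domain list will go stale quickly; the three IP addresses are the longer-lived part of the infrastructure, so alerting on them (and on any new domain that resolves to them) tends to survive a rotation that the domain list does not.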