![ConfiantIntel's tweet photo. The extension monitors this list of domains in order to steal user credentials, sessions or hijack the transmitted data between the victims and the monitored domains.
The extension exchanges the stolen data encrypted, with a C2 server -> mudg4rzhrmbjdcg0.ads798ad[.]top https://t.co/mc19ybKjQW](https://pbs.twimg.com/media/FngGufpXEAoJWnq.jpg)
![Artilllerie's tweet photo. This new domain:
/MALWAREBYTES-PREMIUM[.]COM
Creation Date: 2023-01-18T09:37:43Z
🧩Distributes a file:
>zip with a ~800Mo exe
>Fake cert
☣️Probably a stealer (#Vidar or #Mars)
/65.109.208[.]140/pack[.]zip
/116.203.30[.]135/qthw6l/rpilag[.]exe
@malwrhunterteam
@hasherezade https://t.co/tYNYPFx1yy](https://pbs.twimg.com/media/FnJ58XkXgAIk1cH.png)
![Artilllerie's tweet photo. This new domain:
/MALWAREBYTES-PREMIUM[.]COM
Creation Date: 2023-01-18T09:37:43Z
🧩Distributes a file:
>zip with a ~800Mo exe
>Fake cert
☣️Probably a stealer (#Vidar or #Mars)
/65.109.208[.]140/pack[.]zip
/116.203.30[.]135/qthw6l/rpilag[.]exe
@malwrhunterteam
@hasherezade https://t.co/tYNYPFx1yy](https://pbs.twimg.com/media/FnJ58XRXgAAMmIR.jpg)
![ConfiantIntel's tweet photo. Warning 🚨: Google Search Ads delivering malware 👾
Brave search ads results pointing to malicious domain: braven-go[.]site
Windows binaries downloaded delivers malware #Vidar #Stealer
Botnet: 651
DD: https://t.co/tY5KuIbBHD | https://t.co/qumhYIK8E2
C2: 78.47.228.65 https://t.co/uTdlKHVLDK](https://pbs.twimg.com/media/FnT8kkBWIAEf6xG.jpg)
![ConfiantIntel's tweet photo. Warning 🚨: Google Search Ads delivering malware 👾
7zip search ads results pointing to malicious domain: 7zip-app[.]org see attached screenshot.
Windows binaries downloaded delivers malware #Vidar #Stealer
Botnet: 841
C2: https://t.co/9giZ9RVxlc | 65.109.208.140:80 https://t.co/JUah5AcgCK](https://pbs.twimg.com/media/FnPMYW7WQAAWhoc.jpg)
Olivia
Online
ConfiantIntel
@ConfiantIntel
@WeAreConfiant Threat Intelligence feeds account, fighting malvertisers since 2013 ⚔️
Joined December 2020
19 Following
1.2K Followers
186 Posts
Our Security Researcher Michael Steele @crimewaretech delved deeply into ScamClub landing pages and the platforms with which ScamClub is affiliated!
https://t.co/9gKT2yv8hP
Proud to have our Kaileigh M. as a BlackHat speaker this year !
UP NEXT! @DarkReading is streaming LIVE from @MandalayBay #blackhatusa2023
Josh Grossman @BounceSecurity
Kaileigh M. @ConfiantIntel
John Shier @Sophos
Abby Strong @cribl_io Chris Cesio @exabeam
Dr. Renée Burton @Infoblox
Kelly Shortridge @fastly
https://t.co/81iSH6Khh0
🚨 Security Alert 🚨: DCCBoost Forced redirects
Impacted SSPs: MediaGrid, AdYouLike, Minute Media, Smile, Wanted, YieldMo, IQZone
Impacted DSPs: LoopMe, SmartyAds, Taipei Digital, BuckSense
Targeted countries: US (87%), UK (9%), Canada (4%)
More at: https://t.co/X6cKNP9STH
Who to follow
Security Joes
@SecurityJoes
AI-Powered MDR & Incident Response ☂️
Soufiane
@S0ufi4n3
A random infosec/science enthusiast guy...
This account is personal and only reflects my opinions, not those of my employer...and if it hurts your feelings🖕
Tommy M (TheAnalyst)
@ffforward
Threat Researcher @proofpoint | @Cryptolaemus1
Malvertisers love to abuse low-impact browser bugs. They're often slow to get patched and make a significant impact on the efficacy of their malicious campaigns.
https://t.co/JQmhrjHQIW
In late September '22 we found a fun little browser bug impacting WebKit that was being abused by a malvertiser. Write up coming soon™️ on the @ConfiantIntel blog.
This campaign was identified targeting Brazil.
The .msi installer drops the following files inside %APPDATA% in a directory named “xxasd” that have the following structure. The extension is side loaded in it’s unpacked form below, into chrome via the --load-extension= switch.
Warning 🚨: Google Search Ads delivering Malicious Chrome Extension 👾
Teamviewer search ads results pointing to a malicious domain: website-montppio24[.]buzz enabling drive-by downloads delivering an .MSI installer which in turn installs the extension 🧵
![ConfiantIntel's tweet photo. Warning 🚨: Google Search Ads delivering Malicious Chrome Extension 👾
Teamviewer search ads results pointing to a malicious domain: website-montppio24[.]buzz enabling drive-by downloads delivering an .MSI installer which in turn installs the extension 🧵 https://t.co/XCkYLlA42p](https://pbs.twimg.com/media/FngGtp4XEAYOu4j.jpg)
The extension monitors this list of domains in order to steal user credentials, sessions or hijack the transmitted data between the victims and the monitored domains.
The extension exchanges the stolen data encrypted, with a C2 server -> mudg4rzhrmbjdcg0.ads798ad[.]top
![ConfiantIntel's tweet photo. The extension monitors this list of domains in order to steal user credentials, sessions or hijack the transmitted data between the victims and the monitored domains.
The extension exchanges the stolen data encrypted, with a C2 server -> mudg4rzhrmbjdcg0.ads798ad[.]top https://t.co/mc19ybKjQW](https://pbs.twimg.com/media/FngGufrXEAMaFJM.jpg)
Here’s a great write-up by Billy Hurley in IT Brew on Daniel Fonseca Yarochewsky, Confiant security software engineer’s article uncovering how CashRewindo threat actors use aged domains to serve malicious ads.
https://t.co/Vx46xFTYAL
This domain could be originating from multiple sources: Google search ads (highly likely since the malware delivery 100% overlaps with multiple malicious domains delivered via Google search ads), but could be also phishing or email etc.
[CONFIRMED] Warning 🚨: Brand Hijacking -> delivering malware 👾
Malwarebytes brand themed domain: malwarebytes-premium[.]com is enabling drive-by downloads delivering malware #Vidar #Stealer:
Botnet: 645
DD: https://t.co/9giZ9RVxlc
C2: 65.109.208.140:80
Originally found by
![ConfiantIntel's tweet photo. [CONFIRMED] Warning 🚨: Brand Hijacking -> delivering malware 👾
Malwarebytes brand themed domain: malwarebytes-premium[.]com is enabling drive-by downloads delivering malware #Vidar #Stealer:
Botnet: 645
DD: https://t.co/9giZ9RVxlc
C2: 65.109.208.140:80
Originally found by https://t.co/BxckeDnTRI](https://pbs.twimg.com/media/FnZkE_MXkAEYwcS.jpg)
This new domain:
/MALWAREBYTES-PREMIUM[.]COM
Creation Date: 2023-01-18T09:37:43Z
🧩Distributes a file:
>zip with a ~800Mo exe
>Fake cert
☣️Probably a stealer (#Vidar or #Mars)
/65.109.208[.]140/pack[.]zip
/116.203.30[.]135/qthw6l/rpilag[.]exe
@malwrhunterteam
@hasherezade
![Artilllerie's tweet photo. This new domain:
/MALWAREBYTES-PREMIUM[.]COM
Creation Date: 2023-01-18T09:37:43Z
🧩Distributes a file:
>zip with a ~800Mo exe
>Fake cert
☣️Probably a stealer (#Vidar or #Mars)
/65.109.208[.]140/pack[.]zip
/116.203.30[.]135/qthw6l/rpilag[.]exe
@malwrhunterteam
@hasherezade https://t.co/tYNYPFx1yy](https://pbs.twimg.com/media/FnJ58XnWAAIM3aW.png)
Adding IOC’s missing from the original tweet:
SHA-256: 0a7c453531634b33a0dbe4d7c6aec8b60c70024616a096c360a016912b9ae481
SHA-256: 39c54b5663f827d97686822873db1be415f491b4342365a886a11bb306dcb4a4
Downloaded via: https://www.dropbox[.]com/s/kjepjlrs874nxwu/Brave.br.zip?dl=1
Tweeted again (as the previous Tweet was suspended/censored)
SHA-256: 524c945de64dc40d514cf4801c1ed9e41d892648023d26c4a9ac60f40d2852de
Last Seen Users on Sotwe
Delinin biri
Seen from Turkey
Luis Alberte
Seen from Guatemala
sevgi kara
Seen from Turkey
Beautiful Naked Women
Seen from Turkey
Hijab NSFW
Seen from Indonesia
binor
Seen from Indonesia
kamila nicole.
Seen from United States
Piss Spy Cam 
Seen from Vietnam
Zona Prohibida
Seen from United States
Murtaza
Seen from Turkey
Most Popular Users
Elon Musk
@elonmusk
240.6M followers
Barack Obama
@barackobama
119.2M followers
Donald J. Trump
@realdonaldtrump
111.7M followers
Cristiano Ronaldo
@cristiano
110.4M followers
Narendra Modi
@narendramodi
107M followers
Rihanna
@rihanna
97.6M followers
NASA
@nasa
92.2M followers
Justin Bieber
@justinbieber
90.9M followers
KATY PERRY
@katyperry
87.6M followers
Taylor Swift
@taylorswift13
81.4M followers
Lady Gaga
@ladygaga
72.9M followers
Virat Kohli
@imvkohli
69.8M followers
Kim Kardashian
@kimkardashian
69.8M followers
YouTube
@youtube
68.7M followers
Bill Gates
@billgates
63.8M followers
Neymar Jr
@neymarjr
62.5M followers
The Ellen Show
@theellenshow
62.4M followers
CNN
@cnn
61.9M followers
X
@x
60.8M followers
Selena Gomez
@selenagomez
60.7M followers