FakeAV is still alive…

Like it’s 2010, I guess. This is just a simple FakeAV being delivered from ads on sites like telegraph.co.uk and dailymotion.com. No exploit, just relying on the user to click yes to download and then run it.

omg

All activity I have seen appears to be for a few IP addresses and domains utilizing the .nl TLD.

212.83.155.45, 212.83.155.46, and 212.83.155.47 (a range highly utilized by Neutrino lately)

As far as I can tell, this campaign appears to have become active around Jan 23rd 2014 and is currently ongoing.

Chain:

1) Come from Google to a site that displays the advertisement
2) Advertisement loads, redirs you
3) http://wed322d2.windowsdefence-rv .nl/index.php?key=[32 char hex] < Main page
4) http://wed322d2.windowsdefence-rv .nl/message.png (classic antivirus popup) < Scary image
5) http://wed322d2.windowsdefence-rv .nl/index.php?key=[32 char hex]&key2=download < EXE

Post-Compromise Traffic: http://93.115.86.197/?0=13&1=1&2=15&3=i&4=7600&5=0&6=1111&7=kyxnujmwnn
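The chain above is easy to spot in proxy logs because each stage has a distinctive URL shape. The following detection script is an added example (not from the original post): it runs over a few constructed log lines in a hypothetical "client dest_ip url" format, uses the indicators quoted in the post, and groups per-client hits so a single client touching several stages stands out.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log lines (not real traffic): "client dest_ip url"
SAMPLE_LOG = """\
10.0.0.5 93.184.216.34 http://www.telegraph.co.uk/news/
10.0.0.5 212.83.155.45 http://wed322d2.windowsdefence-rv.nl/index.php?key=0123456789abcdef0123456789abcdef
10.0.0.5 212.83.155.45 http://wed322d2.windowsdefence-rv.nl/message.png
10.0.0.5 212.83.155.45 http://wed322d2.windowsdefence-rv.nl/index.php?key=0123456789abcdef0123456789abcdef&key2=download
10.0.0.5 93.115.86.197 http://93.115.86.197/?0=13&1=1&2=15&3=i&4=7600&5=0&6=1111&7=kyxnujmwnn
10.0.0.7 93.184.216.34 http://example.com/index.php?key=abc
"""

HEX32 = re.compile(r"^[0-9a-f]{32}$", re.I)
# Hosting range and post-compromise beacon host named in the post
SUSPECT_IPS = {"212.83.155.45", "212.83.155.46", "212.83.155.47", "93.115.86.197"}

def classify(url):
    """Return the FakeAV chain stage a URL matches, or None."""
    parts = urlsplit(url)
    host, path, qs = parts.hostname or "", parts.path, parse_qs(parts.query)
    key = qs.get("key", [""])[0]
    # Stages 3 and 5: index.php?key=<32 hex>, with key2=download for the EXE fetch
    if path.endswith("/index.php") and HEX32.match(key):
        return "download" if qs.get("key2") == ["download"] else "landing"
    # Stage 4: the scare image served from the .nl landing host
    if path.endswith("/message.png") and host.endswith(".nl"):
        return "scare_image"
    # Beacon: query made only of numeric keys 0..n in order, as seen post-compromise
    if path == "/" and qs and list(qs) == [str(i) for i in range(len(qs))]:
        return "beacon"
    return None

def find_chains(log_text):
    """Return {client: [stages]} for clients that hit two or more indicators."""
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, dest_ip, url = line.split(maxsplit=2)
        stage = classify(url)
        if stage:
            hits.setdefault(client, []).append(stage)
        elif dest_ip in SUSPECT_IPS:
            hits.setdefault(client, []).append("suspect_ip")
    return {c: s for c, s in hits.items() if len(s) >= 2}

if __name__ == "__main__":
    print(find_chains(SAMPLE_LOG))
```

A client that reaches the "download" or "beacon" stage is the one to pull for triage; a lone "landing" hit usually means the user closed the popup.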

Cool splash screen
