th3_protoCOL,

#malvertising themed around the gaming app "parsec"

Initial fake site: parsecus[.]net

Malware downloaded from: parsecworks[.]com

Digitally signed malware "parsec-windows.exe"

Both the distribution site and download URL are hosted on 93.190.143.252

Google displaying malware ads above the true website for parsec
Screenshot of VirusTotal, 3/63 vendors are detecting the file
Malware with a digital signature from SSL.com, signed 2 days prior on the 19th

th3_protoCOL,

@briankrebs Here's some recent evidence involving the IP address 93.190.143.252 you mentioned earlier

briankrebs,

@th3_protoCOL Thanks. How recent? I.e., where did those screenshots of the search results come from?

th3_protoCOL,

@briankrebs I did that search and took those screenshots myself just prior to posting on Mastodon last night (edited the post with the VT file submission)

This threat actor has been using Google Ads around "parsec" and "freecad" to distribute heavily obfuscated, digitally signed malware since at least January 16th.

Here's a screenshot from a search done on 1/16 that redirected to freecadusa[.]net and used Dropbox to download the executable.

Since then they've changed from hosting the malware download on Dropbox to their own domains.

briankrebs,

@th3_protoCOL Outstanding! Thank you. Mind if I reference these in a story?

th3_protoCOL,

@briankrebs of course! Looking forward to reading about it :)
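The indicators in the thread above are written defanged (parsecus[.]net rather than parsecus.net), which is how they should be shared but not how they appear in DNS logs. The following is an added example, not code from either poster: it pulls the defanged domains and the IP out of the thread text, refangs them, and runs the resulting list over constructed DNS log lines, matching both the bare domain and any subdomain. The log format (timestamp, client, queried name) and every log line are constructed for this example; the only real indicators are the three domains and one IP quoted in the thread.

```python
import re

# Constructed sample: the indicators exactly as the poster wrote them (defanged
# with "[.]"). Nothing here comes from a live feed; it is the thread text above.
THREAD_TEXT = """
Initial fake site: parsecus[.]net
Malware downloaded from: parsecworks[.]com
Both the distribution site and download URL are hosted on 93.190.143.252
redirected to freecadusa[.]net and used Dropbox to download the executable.
"""

# Constructed DNS log lines in a hypothetical "timestamp client qname" format.
# parsec.legit-example.test is a decoy: it contains the brand word but is not
# one of the reported domains and must not match.
SAMPLE_DNS_LOG = """\
2024-01-21T09:58:01Z 10.0.0.12 www.google.com
2024-01-21T09:58:04Z 10.0.0.12 parsecus.net
2024-01-21T09:58:09Z 10.0.0.12 cdn.parsecworks.com
2024-01-21T09:58:10Z 10.0.0.7 parsec.legit-example.test
2024-01-21T10:01:33Z 10.0.0.7 freecadusa.net
"""

# A defanged domain: one or more labels each followed by "[.]", then a TLD.
DEFANGED_DOMAIN = re.compile(r"\b((?:[a-z0-9-]+\[\.\])+[a-z]{2,})\b", re.I)
# Dotted-quad candidates; octet range is checked separately below.
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(ioc: str) -> str:
    """Turn the share-safe form back into a resolvable name."""
    return ioc.replace("[.]", ".").lower()


def defang(ioc: str) -> str:
    """Inverse of refang, for re-sharing hits without live links."""
    return ioc.replace(".", "[.]")


def extract_iocs(text: str) -> dict:
    """Return sorted, de-duplicated refanged domains and valid IPv4 addresses."""
    domains = sorted({refang(d) for d in DEFANGED_DOMAIN.findall(text)})
    ips = sorted({ip for ip in IPV4.findall(text)
                  if all(int(octet) <= 255 for octet in ip.split("."))})
    return {"domains": domains, "ips": ips}


def matches_domain(qname: str, blocked: list) -> bool:
    """True if qname is a blocked domain or any subdomain of one."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in blocked)


def match_dns_log(log_text: str, blocked_domains: list) -> list:
    """Return (timestamp, client, qname) for every query that hits the list."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed or blank lines rather than crash
        ts, client, qname = parts
        if matches_domain(qname, blocked_domains):
            hits.append((ts, client, qname.lower()))
    return hits


if __name__ == "__main__":
    iocs = extract_iocs(THREAD_TEXT)
    print("domains:", [defang(d) for d in iocs["domains"]])
    print("ips:", iocs["ips"])
    for ts, client, qname in match_dns_log(SAMPLE_DNS_LOG, iocs["domains"]):
        print(f"{ts} {client} queried {defang(qname)}")
```

The subdomain check matters because a campaign that has moved from Dropbox to its own domains can put the payload on any host under those domains; matching only the exact names from the post would miss it. The IP is extracted as well so it can be fed to a separate network-flow check, since the thread notes both domains resolve to the same address.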
