This malicious campaign bears a striking resemblance to a series of FakeSecurity JS-sniffer attacks described by Group-IB in November 2019. Past attacks targeted owners of online stores powered by Magento CMS. In the campaign described
previously, the attackers also used such tools as the Vidar stealer and the Mephistophilus phishing kit, with an identical template for Adobe updates. In addition, the attackers used the same hosting service to register domains in both campaigns.
In the 2020 campaign, the same attack vector was used and involved subsequent distribution of the Raccoon stealer. In addition, the investigation revealed messages sent to several online stores from email@example.com and firstname.lastname@example.org.
A detailed analysis of the first-wave malware distribution via Mephistophilus phishing pages revealed a link between the domains involved in this campaign (in particular documents-cloud-server*[.]co.za) and the FakeSecurity campaign. During the 2020 campaign, phishing pages were available at the following URLs: