6/28/2023

Malwarebytes google drive exe

Figure 3: Analyzing Google Drive uploaded script with Revelo

Now we know the motive: to redirect users to a ‘.tk’ URL (.tk is the TLD for Tokelau which, other than its sandy beach image, is often associated with malware and phishing attacks.)

Figure 4: Infection process as shown in Fiddler capture

Some of you may recognize this URL as the “Simple TDS”, an old but still active traffic distribution system that is redirecting traffic to an exploit kit landing page:

The compromised site (calls the external JavaScript on Google’s servers. From there, the code snippet loads the “.tk” TDS, which in turn redirects the user to an exploit page. (We call this exploit kit Popads, but it should really be called Magnitude now. Read more about it from Kafeine in this stellar blog post he wrote.)

We discovered an update to the initial code injection pictured in Figure 2. This time, the call to the Google Drive URL is heavily obfuscated: