@mithrandir @rmceoin really enjoy reading your posts. Nice writing style to keep it informative and fun to go through.
Threat intel and web threats
Completed Part 3 of my personal #SocGholish series.
The article digs into the follow-up payloads delivered once the Update.js is executed on a victim machine.
Interestingly, I saw #NetSupport RAT and an unknown (to me) PowerShell C2 beacon being delivered together.
If anyone can shed more light on what the PowerShell beacon may be, it would be much appreciated! Seems to be inspired by #AsyncRAT, though.
Big thanks to @rmceoin for help along the way.
https://rerednawyerg.github.io/posts/malwareanalysis/socgholish_part3
Malvertisers targeting "AI image generation" keywords 🤖🎨
1️⃣ Search for "AI image generator"
2️⃣ Ad for fake Meta messenger page
aisystemit[.]online
3️⃣ Download click & redirect involving iplogger[.]com
➡️ .exe download from DropBox
Can anyone identify the family of malware being dropped here?
🔗 https://www.virustotal.com/gui/file/28eb7478cdf53820a76b8aac0d5f1755f5d4ee105b1a457f76f21312ae8d2389/content (file)
🔗 https://www.virustotal.com/gui/url/9faac0ecbfcaa0ed9747043ec00147a7b22520a849b1932ee16c397fdfa117c2/details (URL)
@rmceoin it looks like there is a wave of fraudulent ads recently and .shop domains.
So, this is interesting. On Tuesday I saw Facebook send a user to a fake Sam's Club site. Today the same user had Facebook send them to a fake Wayfair site.
If you shop and pick out something it runs you through a realistic billing page that leads to a Stripe page that'll send the money to some "DATUSSON SUPPLY LLC" who has a really handy phone number of 201-555-0123.
chairs-room[.]shop
howed[.]shop
Malvertisers rickrolling security researchers...
softwareinteractivo[.]com
winsccp[.]com
protemaq[.]com/wp-content/update/iso/6[.]1/tusto/WinSCP-6[.]1-Setup[.]iso
https://www.virustotal.com/gui/file/2eb2ef7a562145a0faf3c82f439221908adfcc784022a64e5bb17a432f4a8a91
RIG Exploit Kit
188.227.58[.]100
Payload: Raccoon Stealer
C2: 5.252.177[.]36
Some next level cloaking from this malvertising group.
Payload is RedLine Stealer:
cdn[.]discordapp[.]com/attachments/1067816024541507666/1116463363891933204/AnyDesk.zip
#Malvertising targeting Cisco AnyConnect dropping Python Meterpreter payload.
mypondsoftware[.]com/cisco/anyconnect/file.php
trafcon[.]co/wp-content/plug/des/sus/cisco/anyconnect/cisco-anyconnect-4.iso
C2: 141.98.6[.]95
The #SocGholish TDS first stage has a different set of checks since the last time I reversed it.
It no longer checks if the window is closed or if userAgent contains Windows. But there are two new interesting checks.
It now checks for automation, like Selenium, and browser debug mode. In both cases it lets the TDS know that it matched those conditions, so they know somebody is poking at them.
Also, when I first analyzed this stage on May 21st it was only minified. This time it was obfuscated.
@rmceoin push notifications scam
So the #KeitaroTDS offers up at least two paths. One is #SocGholish that I've been tracking and the other is some notification malware that I've seen before but didn't realize they're connected.
When I go to an infected site, I only get served SocGholish. But I see when urlscan goes to it, they get this other scam. What's handy is I can go directly to the KeitaroTDS URLs associated with those scams and see that other path.
backendjs[.]org/kb3xCR3d
cancelledfirestarter[.]org/Qw6YdVL
dailytickyclock[.]org/H9nZW3yw
deeptrickday[.]org/xTHcrXYN
devqeury[.]org/XdQJSbwV
devqeury[.]org/VjCTRDTQ
jqscr[.]com/GPfymwFy
jqscr[.]com/MFkkBGCh
jqueryns[.]com/jbMbKDPn
jsqur[.]com/97rmMy8V
Anybody have a name for this notification scam?
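The posts above share indicators in defanged form (`[.]` for dots, paths left intact). The following is an added example, not code from any of the posters, showing how a defender can refang such a list, classify each indicator as an IP, domain or URL, and collect the hostnames for a blocklist. The sample input is constructed from a handful of the defanged lines in the posts above plus one line of ordinary prose; the function and class names are my own.

```python
import ipaddress
import re
from typing import NamedTuple, Optional

# Constructed sample: defanged lines copied from the posts above, plus one
# prose line that the extractor must skip.
SAMPLE_POST = """\
dailytickyclock[.]org/H9nZW3yw
jsqur[.]com/97rmMy8V
C2: 5.252.177[.]36
cdn[.]discordapp[.]com/attachments/1067816024541507666/1116463363891933204/AnyDesk.zip
Anybody have a name for this notification scam?
"""


class Ioc(NamedTuple):
    kind: str            # "ipv4", "domain" or "url"
    value: str           # refanged (live) form, host plus any path
    host: str            # hostname or IPv4 address only
    path: Optional[str]  # "/..." when the indicator carried a path


def refang(text: str) -> str:
    """Undo the usual defanging so an indicator can be matched against logs."""
    text = re.sub(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", ".", text, flags=re.I)
    text = re.sub(r"\bhxxp(s?)://", r"http\1://", text, flags=re.I)
    return text.replace("[:]", ":")


def defang(text: str) -> str:
    """Re-defang a live indicator the way the posts above do (every dot)."""
    text = re.sub(r"\bhttp(s?)://", r"hxxp\1://", text, flags=re.I)
    return text.replace(".", "[.]")


# IPv4 first so dotted numbers are never mistaken for a domain; a domain
# needs at least one dot and an alphabetic top-level label.
_HOST = r"(?:\d{1,3}(?:\.\d{1,3}){3}|(?:[a-z0-9-]+\.)+[a-z]{2,})"
_IOC_RE = re.compile(rf"(?:https?://)?(?P<host>{_HOST})(?P<path>/[^\s\"'<>]*)?", re.I)


def extract_iocs(text: str) -> list:
    """Pull indicators out of a post; only deliberately defanged lines count."""
    found = []
    for line in text.splitlines():
        if "[.]" not in line and "hxxp" not in line.lower():
            continue
        live = refang(line)
        for m in _IOC_RE.finditer(live):
            host = m.group("host").lower()
            path = m.group("path")
            try:
                ipaddress.IPv4Address(host)
                kind = "url" if path else "ipv4"
            except ValueError:
                kind = "url" if path else "domain"
            found.append(Ioc(kind, host + (path or ""), host, path))
    return found


def blocklist_hosts(text: str) -> list:
    """Sorted, de-duplicated hosts suitable for a DNS or proxy blocklist."""
    return sorted({ioc.host for ioc in extract_iocs(text)})


if __name__ == "__main__":
    for ioc in extract_iocs(SAMPLE_POST):
        print(f"{ioc.kind:6} {defang(ioc.value)}")
    print("blocklist:", blocklist_hosts(SAMPLE_POST))
```

Only lines that were deliberately defanged are parsed, which keeps version numbers and ordinary sentences in the surrounding prose from being treated as indicators; `defang()` is there so the extracted values can be shared again without anyone clicking a live link.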
@rmceoin yes totally. There’s a threat actor I saw back in 2019 that looked kind of similar if you want to check it out. It’s all about traffic monetization and different payloads.
@rmceoin similar before I think
While poking at the #KeitaroTDS used by #SocGholish I noticed a different path. Using torsocks in the hopes of getting different responses, this known #KeitaroTDS URL
dailytickyclock[.]org/Rz7kFbxJ
would return a redirect I hadn't noticed before.
dailytickyclock[.]org/H9nZW3yw
That in turn was redirecting to here.
greatbonushere[.]life/?u=4dkpaew&o=81yk607&cid=vi0n933mcrfi
That led to a couple of scams. Mostly I got a fake iPhone prize scam that tries to dupe you into providing your address and CC info.
Pivoting off the IP for the domain out popped 78 more domains. Block them nasties! 🚫
https://gist.github.com/rmceoin/9e3fb77686a660374409df467d9711ca
New #SocGholish shadowed domain.
enterprise.alliantlaw[.]us
Currently not getting it to step to the C2.
@Rairii nice, I refreshed the page and see it too now.
Recently I spent about a week focusing on popular Google search terms and discovered that brand impersonation via malicious ads is still very much a problem.
I've documented my findings and some suggestions in this blog post: https://www.malwarebytes.com/blog/threat-intelligence/2023/05/malvertising-its-a-jungle-out-there
Wrote up an analysis of #SocGholish.
https://rmceoin.github.io/malware-analysis/socgholish/
I've only seen the client side of all this. Has anybody seen the infected server side and can share details?
How about hosting your phishing page on Google Translate? This little guy offered up a stealer.
URL in phish:
bit[.]ly/43f9T0O
Bitly redirection URL:
loter--document--transfer-com.translate[.]goog/8fbdfde141b640e89650f86802d81703?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=auto&_x_tr_pto=wapp
Final payload:
archive[.]org/download/chase-bank-statement-0143121402341_202305/Chase_Bank_Statement0143121402341.exe
https://tria.ge/230522-ywcvascd29/behavioral1
Original URL that the TA fed to Google Translate:
loter-document-transfer[.]com/8fbdfde141b640e89650f86802d81703
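The Bitly hop above lands on a `translate.goog` hostname, which is Google Translate's proxy form of the real phishing domain: each dot of the origin becomes a hyphen and each original hyphen becomes a double hyphen, and Translate appends its own `_x_tr_*` query parameters. The following is an added example, not code from the original poster, that reverses that encoding so a proxied URL in a phishing report can be reduced to the origin domain for blocking and pivoting. The sample URL is the defanged one from the post above; it keeps whatever scheme it was given, since the origin scheme cannot be read off the hostname alone, and the function names are my own. IDN (`xn--`) origin labels are ambiguous under this encoding and are not handled.

```python
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

TRANSLATE_SUFFIX = ".translate.goog"

# The proxied URL from the post above, defanged; refanged below only in memory.
SAMPLE_PROXIED_URL = (
    "loter--document--transfer-com.translate[.]goog/8fbdfde141b640e89650f86802d81703"
    "?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=auto&_x_tr_pto=wapp"
).replace("[.]", ".")


def decode_translate_host(host: str) -> Optional[str]:
    """Return the origin hostname behind a translate.goog proxy host, else None."""
    host = host.lower().rstrip(".")
    if not host.endswith(TRANSLATE_SUFFIX):
        return None
    encoded = host[: -len(TRANSLATE_SUFFIX)]
    # '.' was encoded as '-' and an original '-' as '--'. Swapping '--' for a
    # sentinel first keeps the two substitutions from colliding.
    sentinel = "\x00"
    return encoded.replace("--", sentinel).replace("-", ".").replace(sentinel, "-")


def unwrap_translate_url(url: str) -> str:
    """Rewrite a translate.goog proxied URL to the origin URL it fronts.

    Non-proxied URLs are returned unchanged. Translate's own _x_tr_* query
    parameters are dropped; any parameters the origin URL carried are kept.
    The scheme is passed through as given (assumption: not recoverable here).
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    origin_host = decode_translate_host(parts.hostname or "")
    if origin_host is None:
        return url
    kept = [
        (k, v)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
        if not k.startswith("_x_tr_")
    ]
    return urlunsplit((parts.scheme, origin_host, parts.path, urlencode(kept), ""))


if __name__ == "__main__":
    print("proxy host :", urlsplit("http://" + SAMPLE_PROXIED_URL).hostname)
    print("origin host:", decode_translate_host(urlsplit("http://" + SAMPLE_PROXIED_URL).hostname))
    print("origin url :", unwrap_translate_url(SAMPLE_PROXIED_URL).replace(".", "[.]"))
```

Running this on the post's URL yields the same origin domain the poster lists as the original, which is the value to block and to pivot on; the `translate.goog` host itself is shared infrastructure and not useful as an indicator on its own.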