Experimental automated monitoring of #SocGholish, #FakeSG, #ClearFake, #ClickFix, #KongTuke, #ParrotTDS and #SmartApeSG.
Samples and IOCs sent to MalwareBazaar and ThreatFox.
Detected #SmartApeSG infection chain
Compromised site
-->
universaltechnology[.]top/lsg/track.js (injected)
-->
universaltechnology[.]top/lsg/index.js (clickfix)
-->
northwindimmigration[.]com/head.php
-->
northwindimmigration[.]com/mwiszsws.zip
-->
94[.]158.245.63:443 (NetSupport, EVALUSION, NSM165348)
d71c2041f1712a8e4548bb5835671766d5d50d6f69d81f6745fb858d72f7cb55 mwiszsws.zip
Detected #KongTuke infection chain
Compromised site
-->
hillcoweb[.]com/5h7o.js
-->
hillcoweb[.]com/js.php (ClickFix)
-->
event-sdata-microsoft[.]live/log/in
Detected #SmartApeSG infection chain
Compromised site
-->
forging[.]top/xlg/track.js (injected)
-->
forging[.]top/xlg/index.js (clickfix)
-->
quickfreightuae[.]com/head.php
-->
quickfreightuae[.]com/fswsrwsa.zip
-->
94[.]158.245.63:443 (NetSupport, EVALUSION, NSM165348)
75321231a0d56074bbf6f799122c87d0e0e2d5f01f0356f30ee48e0ebc520ab1 fswsrwsa.zip
Detected #KongTuke infection chain
Compromised site
-->
leftykreh[.]com/4f2s.js
-->
leftykreh[.]com/js.php (ClickFix)
-->
dnsmicrosoftds-data[.]com/log/in
Detected #SmartApeSG infection chain
Compromised site
-->
islonline[.]org/d.js (injected)
-->
bnpparibas[.]top/lg/index.js (clickfix)
-->
vikingtenerife[.]com/head.php
-->
vikingtenerife[.]com/rwsaxsws.zip
-->
94[.]158.245.63:443 (NetSupport, EVALUSION, NSM165348)
9030cb873b342cd2c5b05d71fa6a032c255395664eb6e4d0d75b107290d2f4c3 rwsaxsws.zip
New #SocGholish C2:
hXXps://secure.nashbashmotorsports[.]com/ajaxAction
secure.nashbashmotorsports[.]com
89[.]117.67.63
AS46475 Limestone Networks, Inc.
New #SocGholish C2:
hXXps://dev.couplesparks[.]com/ajaxAction
dev.couplesparks[.]com
172[.]96.137.157
AS395092 Shock Hosting LLC
Detected #SmartApeSG infection chain
Compromised site
-->
1sou[.]top/lgs/track_is.js (injected)
-->
1sou[.]top/lgs/index.js (clickfix)
-->
apex-consultant[.]com/head.php
-->
apex-consultant[.]com/fswsmwis.zip
-->
23[.]227.198.208:443 (NetSupport, EVALUSION, NSM165348)
a7420b089c4132c78b58feb6d8a53f0c0544ff06ce3c0ddc292640c05cb216c1 fswsmwis.zip
Detected #SmartApeSG infection chain
Compromised site
-->
islonline[.]org/d.js (injected)
-->
downloadfreak[.]top/lg/index.js (clickfix)
-->
jazzcafeposk[.]org//headis.php
-->
jazzcafeposk[.]org/wp-content/zswsstws.zip
-->
23[.]227.198.208:443 (NetSupport, EVALUSION, NSM165348)
fdabe293ba44bdb4335f4d20d3e78eb43ca845065e280f19f77862da60ee5cad zswsstws.zip
Detected #KongTuke infection chain
Compromised site
-->
ncmtraders[.]com/3s7j.js
-->
ncmtraders[.]com/js.php (ClickFix)
-->
hXXp://a82523[.]top/12 (XML)
-->
a82523[.]top/zfyg.h
Detected #SmartApeSG infection chain
Compromised site
-->
loispaigesimenson[.]com/lsl/track_is.js (injected)
-->
loispaigesimenson[.]com/lsl/index.js (clickfix)
-->
anunciaconalianzalima[.]com/headis.php
-->
anunciaconalianzalima[.]com/psswlwse.zip
-->
23[.]227.198.208:443 (NetSupport, EVALUSION, NSM165348)
0b531620d1c6edbe8d61a478ec7d180dd717e56e0c73ca11b3890c7eeaa351d3 psswlwse.zip
New #SocGholish C2:
hXXps://files.myamericanmadestory[.]com/ajaxAction
files.myamericanmadestory[.]com
166[.]88.164.224
AS26383 Baxet Group Inc.
Detected #ParrotTDS infection chain
Compromised site
-->
trust.scriptobject[.]com/init.js (ParrotTDS)
-->
store.alignfrisco[.]com (SocGholish)
-->
www[.]publynx[.]com/profileLayout (SocGholish JS C2)
Detected #SmartApeSG infection chain
Compromised site
-->
islighting[.]top/nnm/track.js (injected)
-->
islighting[.]top/nnm/index.js (clickfix)
-->
markrampton[.]com//head.php
-->
markrampton[.]com/fssste.zip
-->
195[.]200.16.29:443 (NetSupport, EVALUSION, NSM165348)
a6139db6bba632c0b9517a84158fbee591b1870cb05e6e8eef64ef568b76e604 fssste.zip
New #SocGholish C2:
hXXps://www[.]publynx[.]com/profileLayout
www[.]publynx[.]com
194[.]213.18.231
AS62240 Clouvider
Detected #SmartApeSG infection chain
Compromised site
-->
islonline[.]org/d.js (injected)
-->
789pettoys[.]shop/lsl/index.js (clickfix)
-->
www[.]cuoreincomune[.]com/head.php
-->
www[.]cuoreincomune[.]com/xssrsa.zip
-->
94[.]158.245.13:443 (NetSupport, EVALUSION, NSM165348)
44aaa95fe0ad23f1fec1216ba9debaadc7df109e9f1dbedf4d453f1964981b78 xssrsa.zip
New #SocGholish C2:
hXXps://cpanel.imirp.co[.]uk/profileLayout
cpanel.imirp.co[.]uk
166[.]88.182.196
AS26383 Baxet Group Inc.
New #SocGholish C2:
hXXps://cpanel.doggiefountain[.]com/profileLayout
cpanel.doggiefountain[.]com
23[.]146.184.113
AS399820 Atomic Networks LLC
@CocoHunter typically I would find it using browser history. Nirsoft has a great tool called BrowsingHistoryView.
Detected #SmartApeSG infection chain
Compromised site
-->
baihuah[.]top/ls/tracker.js (injected)
-->
baihuah[.]top/ls/index.js (clickfix)
-->
www[.]intellegrationllc[.]com/header.php
-->
www[.]intellegrationllc[.]com/zsps.zip
-->
94[.]158.245.140:443 (NetSupport, EVALUSION, NSM165348)
2527eb2774e2fa6a75c193271824063245a6e923a0eb05c0f70c1746c2e68654 zsps.zip