Added #EKFiddle rules to detect Google DNS injections used in tech support scam redirects.

Based on this Sucuri blog: https://blog.sucuri.net/2023/08/from-google-dns-to-tech-support-scam-sites-unmasking-the-malware-trail.html

https://github.com/malwareinfosec/EKFiddle

From Google DNS to Tech Support Scam Sites: Unmasking the Malware Trail

Bad actors are elevating their malware campaigns by leveraging the DNS protocol to hide requests to their infrastructure. Learn how hackers are injecting malicious JavaScript to send requests to Google DNS, then using the responses to redirect users to tech support scams and adult websites.

Sucuri Blog

Added #EKFiddle detection rules for new #Magecart skimmer.

entrydelt[.]sbs/check[.]js
entrydelt[.]sbs/loader[.]min[.]js
flagmob[.]quest/id[.]min[.]js
flowit[.]pics/logg[.]min[.]js
prijetech[.]shop/ww[.]min[.]js
sanpatech[.]shop/techs[.]min[.]js
vitalmob[.]pics/pre-loader[.]js

https://github.com/malwareinfosec/EKFiddle

GitHub - malwareinfosec/EKFiddle: Your Swiss Army knife to analyze malicious web traffic based on the popular Fiddler web debugger.
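The loader URLs listed in the post above can be turned into a simple URL-matching rule. The block below is an added example, not EKFiddle's own rule syntax or code: it refangs the defanged indicators, builds one anchored, case-insensitive regex per indicator, and runs them over a constructed set of sample request URLs (the sample URLs are made up for the example, not from the post).

```python
import re

# Skimmer loader URLs from the post, kept defanged ([.]) exactly as published.
SKIMMER_IOCS = [
    "entrydelt[.]sbs/check[.]js",
    "entrydelt[.]sbs/loader[.]min[.]js",
    "flagmob[.]quest/id[.]min[.]js",
    "flowit[.]pics/logg[.]min[.]js",
    "prijetech[.]shop/ww[.]min[.]js",
    "sanpatech[.]shop/techs[.]min[.]js",
    "vitalmob[.]pics/pre-loader[.]js",
]


def refang(ioc: str) -> str:
    """Turn a defanged 'host[.]tld/path' indicator back into a matchable string."""
    return ioc.replace("[.]", ".")


def build_rules(iocs):
    """One compiled pattern per indicator.

    The pattern is anchored to the scheme and to the end of the path so that
    'id.min.js.bak' or a different host with the same file name does not fire;
    a query string or fragment after the path is still allowed.
    """
    rules = {}
    for ioc in iocs:
        escaped = re.escape(refang(ioc))  # keep every dot literal
        rules[ioc] = re.compile(
            r"^https?://(?:www\.)?" + escaped + r"(?:[?#].*)?$", re.IGNORECASE
        )
    return rules


RULES = build_rules(SKIMMER_IOCS)


def match_url(url: str):
    """Return the defanged indicator that matches `url`, or None."""
    for ioc, pattern in RULES.items():
        if pattern.match(url):
            return ioc
    return None


def scan_urls(urls):
    """Return (url, indicator) pairs for every URL that hits a rule."""
    return [(u, ioc) for u in urls if (ioc := match_url(u))]


# Constructed sample traffic for the example (not real captured requests).
SAMPLE_URLS = [
    "https://entrydelt.sbs/check.js?v=3",        # hit, query string allowed
    "https://shop.example/cart",                  # benign
    "https://VITALMOB.pics/pre-loader.js",        # hit, case-insensitive host
    "https://cdn.example/loader.min.js",          # same file name, other host
    "https://flagmob.quest/id.min.js.bak",        # extra suffix, must not fire
]

if __name__ == "__main__":
    for url, ioc in scan_urls(SAMPLE_URLS):
        print(f"ALERT skimmer loader: {url}  (rule: {ioc})")
```

Keeping the indicators defanged in the source and refanging at rule-build time means the list can be pasted straight from a post like this one without accidentally becoming clickable.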

Some updates to #EKFiddle (Fiddler extension for web traffic analysis)

- Set your own custom (fake) referer
- New upstream proxy UI (change external IP address)

https://github.com/malwareinfosec/EKFiddle

Lots of changes with #SocGholish recently.

There are some new URI patterns (no more report?r=).

Updated regexes for Fiddler's #EKFiddle extension can be found here: https://github.com/malwareinfosec/EKFiddle

Nice blog by Ben from #Sucuri:
https://blog.sucuri.net/2022/11/massive-ois-is-black-hat-redirect-malware-campaign.html

Hacked sites are redirecting to bogus Q&A pages.

They also abuse a Google open redirect.

Rules for #EKFiddle updated to detect this campaign: https://github.com/malwareinfosec/EKFiddle

Massive ois[.]is Black Hat Redirect Malware Campaign

Learn how attackers are redirecting WordPress website visitors to fake Q&A sites via ois[.]is. Nearly 15,000 websites affected by this malware so far.

Sucuri Blog

#EKFiddle v0.2: New VPN GUI to connect to multiple VPN servers via .ovpn files. https://github.com/malwareinfosec/EKFiddle pic.twitter.com/qPBzR1Orqb