Watch out as new research shows SocGholish Malware as Service (MaaS) is exploiting compromised websites and fake software updates to push ransomware and infostealers worldwide.

Read: https://hackread.com/socgholish-malware-compromised-sites-ransomware/

#SocGholish #Malware #FakeUpdates #Ransomware #InfoStealer

SocGholish Malware Using Compromised Sites to Deliver Ransomware


With access to one of the largest, most diverse data sets in all of cybersecurity, Proofpoint is dedicated to tracking and reporting threat actors and their evolving TTPs. This research blog (brnw.ch/21wQMTw) is packed full of new threat insights including...

🔍 #TA2726 and #TA2727, two new cybercriminal threat actors who operate components of web inject campaigns.

🔍 #FrigidStealer, a new info stealer for Mac computers delivered alongside malware for Windows and Android hosts.

See our blog for full details, Emerging Threats signatures, and IOCs.

#FakeUpdates #socialengineering #MacOS #TA569 #SocGholish

2024-12-17 (Tuesday): #SmartApeSG injected script leads to fake browser update page, and that page leads to a #NetSupport #RAT infection.

Just like my last post here, there are 2 injected scripts in a page from the compromised site, one using depostsolo[.]biz and one using tactlat[.]xyz.

A #pcap of the infection traffic, associated malware samples and more information is available at https://www.malware-traffic-analysis.net/2024/12/17/index.html

NetSupportRAT C2 for this campaign continues to be 194.180.191[.]64 since as early as 2024-11-22.

#FakeUpdates #NetSupportRAT

Malware-Traffic-Analysis.net - 2024-12-17: SmartApeSG injected script leads to NetSupport RAT
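The post above lists three indicators (two injected-script domains and the NetSupport RAT C2 address) and describes the page structure that carries them. The script below is an added example, not code from the post or from malware-traffic-analysis.net: it refangs those indicators, pulls every external `<script src>` out of a page and flags hosts on the watchlist, then runs the same watchlist over connection-log lines. The HTML fragment and the log lines are constructed to mirror what the post describes; their non-IOC hosts and addresses are placeholders, and the log format (timestamp, source, destination, port, protocol) is assumed rather than any specific tool's output.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# IOCs exactly as they appear in the post, in defanged form:
# the two injected-script domains and the NetSupport RAT C2 address.
DEFANGED_IOCS = ["depostsolo[.]biz", "tactlat[.]xyz", "194.180.191[.]64"]


def refang(ioc: str) -> str:
    """Undo the usual defanging so the indicator can be matched against live data."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


WATCHLIST = {refang(i) for i in DEFANGED_IOCS}


def on_watchlist(host: str) -> bool:
    """Exact match, or a subdomain of a watchlisted domain (e.g. cdn.tactlat.xyz)."""
    host = host.lower()
    return any(host == w or host.endswith("." + w) for w in WATCHLIST)


class _ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""

    def __init__(self) -> None:
        super().__init__()
        self.srcs: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def script_host(src: str) -> str:
    """Hostname of a script src; '' for same-origin/relative paths."""
    if src.startswith("//"):          # protocol-relative URL
        src = "https:" + src
    return urlparse(src).hostname or ""


def find_injected_scripts(html: str) -> list[str]:
    """Return every external <script src> whose host is on the watchlist."""
    collector = _ScriptSrcCollector()
    collector.feed(html)
    return [s for s in collector.srcs if on_watchlist(script_host(s))]


# Constructed page fragment in the shape the post describes: one legitimate
# first-party script plus two injected ones, each pointing at a different domain.
SAMPLE_HTML = """<html><head>
<script src="/static/site.js"></script>
<script src="https://depostsolo.biz/js/loader.js"></script>
</head><body>
<p>Welcome to our site</p>
<script src="//tactlat.xyz/cdn/analytics.js"></script>
</body></html>"""

# Constructed connection-log lines (timestamp, src, dst, dport, proto), the only
# fields this check needs. Real data would come from a Zeek conn.log, firewall
# logs, or the pcap linked in the post.
SAMPLE_CONN_LOG = """\
2024-12-17T14:02:11Z 10.0.0.15 142.250.72.14 443 tcp
2024-12-17T14:02:35Z 10.0.0.15 194.180.191.64 443 tcp
2024-12-17T14:03:01Z 10.0.0.22 10.0.0.1 53 udp
""".splitlines()

CONN_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<dport>\d+)")


def find_c2_connections(lines) -> list[dict]:
    """Flag connections whose destination is a watchlisted IP or domain."""
    hits = []
    for line in lines:
        m = CONN_RE.match(line)
        if m and on_watchlist(m.group("dst")):
            hits.append({"ts": m.group("ts"), "src": m.group("src"),
                         "dst": m.group("dst"), "dport": int(m.group("dport"))})
    return hits


if __name__ == "__main__":
    for src in find_injected_scripts(SAMPLE_HTML):
        print("injected script:", src)
    for hit in find_c2_connections(SAMPLE_CONN_LOG):
        print("C2 contact:", hit)
```

Matching on the script host rather than the full URL is deliberate: the injected path changes between victims, the serving domain is what the post identifies. The subdomain match in `on_watchlist` is there so a later `cdn.` or `static.` label on the same domain still fires.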

Hackers Exploit Legitimate Websites to Deliver BadSpace Windows Backdoor

Discover how compromised websites are exploited to distribute BadSpace, a dangerous Windows backdoor via fake browser updates


Clicking This Fake Chrome Update Could Drain Your Bank Account and Leak Your Location https://lifehacker.com/tech/android-malware-poses-as-chrome-update-steals-bank-info-location-call-history

Clicking on fraudulent updates can lead to serious consequences. This deceptive tactic, often used by cybercriminals, is designed to steal sensitive information like bank details, location data, and call history.

#CyberSecurity #MalwareProtection #OnlineSafety #FakeUpdates #DataPrivacy #CyberThreats #InternetSecurity #ProtectYourself #StaySafe #TechAlerts

A new Android-based malware is posing as a Google Chrome update and can steal your bank information and more. Here's what you need to know to avoid it.

Another new #FakeUpdates group seen. Not the typical popup, this time just a localized one on the screen. The domain serving the fake update is:
cdnreport[.]net

I wasn't able to get served, but looking through URLScan reports, there was a hit for dropping a MacOS Stealer:
https://urlscan.io/result/e4a10dd9-ffe0-40d6-a0e5-fdcfb1a0a3a9/

Hash: 5ca22e4ca383f0d7a769795720414c4c6fe9c24c20c85a56570fe022c57bd6f9

tefl.ie - urlscan.io


Cross posting from eSentire Threat Intel on Twitter, curious if anyone has seen this yet.

The payload they listed is tagged by Mandiant as UNC4536 on VT, which is associated with eugenloader, which makes sense given the payload here. Very interesting switch from them to do a fake update compared to their usual delivery by camping on web forums.

https://twitter.com/esthreat/status/1778121392933794299?s=46&t=HKDXXwkgNa-X1sZatgSsHQ

“eSentire's Threat Response Unit has observed #FakeBat loader🦇 being distributed via #FakeUpdates, ultimately leading to #LummaC2 infection via a custom-written PaykRunPE provided by the FakeBat Threat Actors.
@eSentire

✅ MSIX payload: UpdateSetup-x86.msix (MD5: 569d206636b75c33240ba4c1739c04d6)
✅ Initial check-in with C2: hxxps://utm-msh[.]com/profile/
✅ LummaC2: awardlandscareposiw[.]shop
✅ LummaC2 LID: G5nXy1--”

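The eSentire post above describes the FakeBat chain starting from an MSIX file served as a fake update. An MSIX is a zip archive with an `AppxManifest.xml` at its root, so a first static triage of one needs nothing beyond the standard library. The code below is an added example, not eSentire's or any vendor's tooling: it hashes the package and checks the MD5 against the one in the post, reads the `Identity` element from the manifest, lists script files bundled in the archive, and looks for a Package Support Framework (PSF) `config.json` that names a `startScript`/`endScript`. The sample package it builds in memory is constructed (placeholder publisher, placeholder script), and the PSF config layout and `config.json` filename are assumptions stated in the comments rather than facts from the post; because the sample is constructed, its hash will not match the real one.

```python
import hashlib
import io
import json
import zipfile
import xml.etree.ElementTree as ET

# MD5 from the post identifies the real UpdateSetup-x86.msix; the package built
# below is a constructed stand-in and will not match it.
KNOWN_BAD_MD5 = {"569d206636b75c33240ba4c1739c04d6": "FakeBat UpdateSetup-x86.msix"}

APPX_NS = "{http://schemas.microsoft.com/appx/manifest/foundation/windows10}"
SCRIPT_EXTS = (".ps1", ".vbs", ".js", ".bat", ".cmd")

# Constructed manifest: minimal, not copied from any real package.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">
  <Identity Name="BrowserUpdate" Publisher="CN=Example Signer, O=Example, C=US" Version="1.0.0.0"/>
  <Applications>
    <Application Id="App" Executable="App.exe"/>
  </Applications>
</Package>
"""

# Assumed PSF launcher config layout: an 'applications' array whose entries may
# carry startScript / endScript objects with a scriptPath.
SAMPLE_PSF_CONFIG = {
    "applications": [
        {"id": "App", "executable": "App.exe",
         "startScript": {"scriptPath": "update.ps1", "runOnce": True}}
    ]
}


def build_sample_msix() -> bytes:
    """Build an MSIX-shaped zip in memory (manifest, PSF config, script, stub exe)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AppxManifest.xml", SAMPLE_MANIFEST)
        z.writestr("config.json", json.dumps(SAMPLE_PSF_CONFIG))
        z.writestr("update.ps1", "# placeholder script body, constructed\n")
        z.writestr("App.exe", b"MZ")   # stub, not a real executable
    return buf.getvalue()


def triage_msix(data: bytes) -> dict:
    """Static triage of an MSIX blob: hashes, Identity, bundled scripts, PSF scripts."""
    md5 = hashlib.md5(data).hexdigest()
    sha256 = hashlib.sha256(data).hexdigest()
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        root = ET.fromstring(z.read("AppxManifest.xml"))
        ident = root.find(APPX_NS + "Identity")
        identity = ({k: ident.get(k) for k in ("Name", "Publisher", "Version")}
                    if ident is not None else {})
        scripts = sorted(n for n in names if n.lower().endswith(SCRIPT_EXTS))
        psf_scripts = []
        if "config.json" in names:
            cfg = json.loads(z.read("config.json"))
            for app in cfg.get("applications", []):
                for key in ("startScript", "endScript"):
                    path = (app.get(key) or {}).get("scriptPath")
                    if path:
                        psf_scripts.append(path)
    return {
        "md5": md5,
        "sha256": sha256,
        "known_bad": KNOWN_BAD_MD5.get(md5),
        "identity": identity,
        "scripts": scripts,
        "psf_scripts": psf_scripts,
        # An installer that runs scripts at install time deserves a closer look
        # whether or not its hash is already known.
        "suspicious": bool(scripts or psf_scripts) or md5 in KNOWN_BAD_MD5,
    }


if __name__ == "__main__":
    report = triage_msix(build_sample_msix())
    for k, v in report.items():
        print(f"{k}: {v}")
```

To run it on a real file, read the bytes from disk and pass them to `triage_msix`; the `Publisher` string is the field to compare against the certificate actually attached to the package, since a fake-update MSIX relies on a signature the victim never inspects.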

There's a new player in the 'fake updates' arena. Thanks to @rmceoin for initially posting about it here.

Blog link: https://www.malwarebytes.com/blog/threat-intelligence/2023/07/socgholish-copycat-delivers-netsupport-rat

#FakeUpdates #FakeSG #SocGholish

FakeSG enters the 'FakeUpdates' arena to deliver NetSupport RAT

Over 5 years ago, we began tracking a new campaign that we called FakeUpdates (also known as SocGholish) that used compromised...

sync[.]webappclick[.]net is a new #SocGholish / #FakeUpdates "ndsj" TDS. It joins its friend cachespace[.]net on 45.130.201[.]24, which is still found in the wild from time to time.

I've published the second in a series of blog posts on SocGholish related activity. The latest installment focuses on breaking down the fake update payload itself.

https://rerednawyerg.github.io/malware-analysis/socgholish_part2/

#socgholish #malware #intel #fakeupdates

Fake Updates - Part 2 :: RE and Analysis

In the previous post, “Fake Updates - Part 1”, I examined an infected website which claimed to require a browser update in order to properly function. Users who clicked on the download button would receive a JavaScript file to run on their system which would “update their browser”. I walked through the steps leading up to the download, and in this post will pick up where I left off and delve into the contents of the JavaScript payload.