#RogueRaticate / #FakeSG delivering NetSupport RAT via Keitaro on kokokakalala[.]com:

hxxps[://]fastactionmedicalbilling[.]com/wp-content/uploads/dra/online(brswr_packageupd)0x1dscD[.]url (02f715934404288c08522ded41e5555dc4c931373e4f6b882b562a58ebc77586) ->
file[://]5[.]252[.]177[.]15@80/Downloads/packENGus-brswr[.]hta (912612f572df9256ef84ba30c9a5cd03befa4fedd48817e0d85de7ca30f2b75b)

NetSupport C2:
91.92.245[.]83:443

Notable campaign details:

Delivery: email and #RogueRaticate fake updates
Volumes & geos: email campaigns include tens of thousands of emails targeting dozens of industries primarily in North America
Attack chain: tools like 404 TDS, Keitaro TDS, and .URL files exploiting CVE-2023-36025
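
Added example, not code from the original posts: a small Python checker that parses Internet Shortcut (.url) files and flags the remote file://host@port/...hta pattern from the chain above. The function names, the sample .url contents and the 192.0.2.10 host are constructed for illustration.

```python
import re
from urllib.parse import urlparse, unquote

# Extensions a legitimate Internet Shortcut would not normally point at.
EXECUTABLE_EXTS = {".hta", ".lnk", ".exe", ".js", ".vbs", ".wsf", ".zip"}

# Constructed samples: the first mirrors the .url -> file://host@port/...hta
# shape seen in the chain above (TEST-NET address, not a real indicator).
MALICIOUS_URL_FILE = ("[InternetShortcut]\r\n"
                      "URL=file://192.0.2.10@80/Downloads/packupdate.hta\r\n"
                      "IconIndex=13\r\n")
BENIGN_URL_FILE = "[InternetShortcut]\r\nURL=https://example.com/docs\r\n"


def parse_url_file(text: str) -> dict:
    """Parse the INI-style [InternetShortcut] section into a lower-cased dict."""
    fields, in_section = {}, False
    for line in text.lstrip("\ufeff").splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[internetshortcut]"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    return fields


def classify_url_file(text: str) -> dict:
    """Flag a .url whose target is a remote file:// share or an executable type."""
    target = parse_url_file(text).get("url", "")
    if target.startswith("\\\\"):          # raw UNC form: \\host@port\share\x
        target = "file:" + target.replace("\\", "/")
    parsed = urlparse(target)
    path = unquote(parsed.path)
    host = ""
    if parsed.scheme == "file":
        netloc = parsed.netloc
        if not netloc and path.startswith("//"):   # file:////host/share/x form
            netloc = path[2:].split("/", 1)[0]
        host = netloc.partition("@")[0].lower()   # WebDAV 'host@port' syntax
    m = re.search(r"\.[A-Za-z0-9]+$", path.rstrip("/"))
    ext = m.group(0).lower() if m else ""
    reasons = []
    if host:
        reasons.append(f"remote file:// target on {host}")
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"target extension {ext}")
    return {"target": target, "host": host, "ext": ext,
            "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for sample in (MALICIOUS_URL_FILE, BENIGN_URL_FILE):
        print(classify_url_file(sample))
```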

New #FakeSG #RogueRaticate keitaro host and cookie:

jagernaut[.]com
188.208.196[.]186

cookie: 03fe2

#FakeSG / #RogueRaticate leading to #netsupportrat

ebodyfit[.]com/wp-content/uploads/ultimatemember/58/downloading-(114.0.522735.199%20(Official%20Build).url

ebodyfit[.]com/wp-content/uploads/ultimatemember/57/consciousnessx.hta

ebodyfit[.]com/wp-content/uploads/ultimatemember/56/housealba.zip

ebodyfit[.]com/wp-content/uploads/ultimatemember/56/clients32.exe

#threatintel #IOCs

They updated the LNK to point to a different HTA which in turn grabs a different NetSupport INI to point at a new gateway. Curious how frequently this group rotates the chain.

Infection chain
compromised site
google-analytiks[.]com/sBY76j
-->
hXXps://esteticalocarno[.]com/wp-content/uploads/2023/02/Install%20Updater%20(V105.215.8412_silent).url
-->
hXXp://185[.]252.179.64:80/Downloads/shdeulerinstall[.]lnk
-->
hXXps://www[.]esteticalocarno[.]com/wp-content/uploads/2018/5/XVXCSASD.hta
-->
NetSupport GatewayAddress 94[.]158.244.41:443

0e74d799e5486979f7cafb3c6bbd8fab224f882b82197eb8975818bd61cbb667 XVXCSASD[.]hta

#FakeSG #RogueRaticate

#FakeSG is back online. URL > LNK > HTA > NetSupport.

Infection chain
compromised site
-->
google-analytiks[.]com/sBY76j
-->
esteticalocarno[.]com/wp-content/uploads/2023/02/Install%20Updater%20(V105.215.8412_silent).url
-->
hXXp://185[.]252.179.64:80/Downloads/shdeulerinstall[.]lnk
-->
www[.]esteticalocarno[.]com/wp-content/uploads/2018/04/HHYGASDBBBX.hta
-->
NetSupport GatewayAddress conluase62[.]com:5051

https://tria.ge/230724-qarsbsde69/behavioral1

#RogueRaticate