There's a new player in the 'fake updates' arena. Thanks to @rmceoin for initially posting about it here.

Blog link: https://www.malwarebytes.com/blog/threat-intelligence/2023/07/socgholish-copycat-delivers-netsupport-rat

#FakeUpdates #FakeSG #SocGholish

FakeSG enters the 'FakeUpdates' arena to deliver NetSupport RAT (Malwarebytes)
@jeromesegura @rmceoin SMB to any non-private IP isn't a thing anyone should be able to do without really wanting to; you should have to change a group policy to enable it or something…
@terribleplan @jeromesegura As far as I can tell, WebDAV uses HTTP, not SMB.
@rmceoin @jeromesegura I assumed since it was \\$IP\$FILE that it was SMB, as WebDAV should still show as an http(s) address. I could be wrong about that though… (I am only referring to the one image that shows a “run” prompt)
@terribleplan @rmceoin here’s a better look at the traffic and the protocols.
@jeromesegura @terribleplan @rmceoin Have they moved on from js droppers then?

@defender @jeromesegura @terribleplan Possibly. The #SocGholish TA still first lands a JS that collects info about the victim. Up until July 17th I saw them switching to PS after that JS collection. But I haven't seen them do anything more than collect the info. Looks like this.

(Compromised site)
-->
greedyfines[.]org/GRzk7JSP (Keitaro)
-->
sandwiches.tropipackfood[.]com/I9tOCVj5LWBH+XQ7FehiK1H5dCtHvjhxUqlsdA== (SocGholish TDS)
-->
lmd.plan.gemmadeealexander[.]com/editContent (SocGholish JS C2)

Going direct to the PS hop still works for me. For example just now it does this chain.

hXXp://asfgze[.]fun/f23.svg
-->
hXXp://kedkejehiciellf[.]top/1.php (DGA)
-->
hXXp://kedkejehiciellf[.]top/2.php (DGA)
-->
hXXps://dprn0jmb1nag5t9[.]top:14235 (PowerShell C2)

The #FakeSG TA doesn't do JS or PS. They simply land NetSupport. The chain from a few minutes ago.

(Compromised site)
-->
google-analytiks[.]com/sBY76j (Keitaro)
-->
alexiakombou[.]com/wp-content/uploads/2022/01/downloader(updchr(V104.215.214)silent.url ()
-->
hXXp://185[.]252.179.64@80/Downloads/silentupdater-chr(v105).lnk ()
-->
alexiakombou[.]com/wp-content/uploads/2021/12/EN-localer.hta (HTA)
-->
hxxps://94[.]158.244.41:443 (NetSupport)

I'm wondering if the SocGholish TA is on vacation. They usually rotate parts of the chain at least once a week, and I haven't seen a change since July 20th. That, and the JS to PS hasn't worked since July 17th, at least not for me.
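A defender-side helper added here, not code from the thread or from Malwarebytes: it parses the defanged chain notation used in these posts, refangs the indicators, and flags the FakeSG pattern (a .url hop, then a .lnk fetched over WebDAV, then an .hta). The host@port form in the .lnk hop is interpreted as Windows' \\host@port WebDAV UNC syntax, i.e. HTTP on port 80 rather than SMB; the sample chain is the one posted above, embedded as constructed input.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# Constructed input: the FakeSG chain as posted in the thread, still defanged.
FAKESG_CHAIN = """(Compromised site)
-->
google-analytiks[.]com/sBY76j (Keitaro)
-->
alexiakombou[.]com/wp-content/uploads/2022/01/downloader(updchr(V104.215.214)silent.url ()
-->
hXXp://185[.]252.179.64@80/Downloads/silentupdater-chr(v105).lnk ()
-->
alexiakombou[.]com/wp-content/uploads/2021/12/EN-localer.hta (HTA)
-->
hxxps://94[.]158.244.41:443 (NetSupport)"""

@dataclass
class Hop:
    host: str
    port: Optional[int]
    path: str
    ext: str          # extension of the last path segment, "" if none
    label: str        # stage name from the trailing parentheses, "" if none
    webdav_unc: bool  # host@port form, i.e. Windows WebClient's \\host@port UNC syntax

def refang(text: str) -> str:
    """Undo the hXXp:// and [.] defanging used in the thread."""
    return re.sub(r"h[xX]{2}p", "http", text).replace("[.]", ".")

def parse_hop(line: str) -> Optional[Hop]:
    # Arrows ("-->") and the "(Compromised site)" placeholder do not match.
    m = re.match(r"^([^\s(]\S*)\s*\((.*)\)$", line.strip())
    if not m:
        return None
    url, label = refang(m.group(1)), m.group(2).strip()
    hostport, _, path = url.split("://", 1)[-1].partition("/")
    webdav = "@" in hostport  # \\host@port\share transcribed as a URL
    host, _, port = hostport.partition("@" if webdav else ":")
    parts = path.rsplit("/", 1)[-1].rsplit(".", 1)
    ext = parts[1].lower() if len(parts) == 2 else ""
    return Hop(host, int(port) if port.isdigit() else None, path, ext, label, webdav)

def parse_chain(text: str) -> List[Hop]:
    return [h for h in map(parse_hop, text.splitlines()) if h]

def is_fakesg_chain(hops: List[Hop]) -> bool:
    """FakeSG's tell: a .url hop, then a .lnk fetched over WebDAV, then an .hta."""
    remaining = ["url", "lnk", "hta"]
    for h in hops:
        if remaining and h.ext == remaining[0]:
            remaining.pop(0)
    return not remaining and any(h.webdav_unc for h in hops)
```

The refanged hosts in the returned hops are what you would feed to a blocklist or a proxy-log search; the SocGholish chains above parse the same way but do not trip `is_fakesg_chain`.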

Monitor SG

New #SocGholish #KeitaroTDS: surelytheme[.]org/ZcqVjVQ1 surelytheme[.]org 91[.]103.253.14

@jeromesegura @rmceoin I always check the http web address but with fake updates it would be harder to spot if displayed on authentic sites page. Hoping update app method bypasses getting caught out. Thank you for raising awareness of this.

@jeromesegura Great write up! I like the name. My script had a lame name fakeupdate2.py. I'll be renaming that bad boy to fakesg.py !

BTW, I noticed that the various google-analytiks sites use Keitaro just like the normal SocGholish. Seems to be a fan favorite for TAs.

google-analytiks[.]com/admin/

@rmceoin the similarities are so striking. The blog does not cover any background intel on the threat actor, but I’m hoping others come forward with additional details.
@jeromesegura @rmceoin being a zoomer, were .hta's ever used for anything but malware?
@_dawid @jeromesegura I've been around for a while and I've never seen them used in an enterprise.
@_dawid @jeromesegura @rmceoin yes they are online help files. *shrug*