Found a new? fake browser update that has a currently broken click location. I don't know how long it has been around, but it is not one of the currently tracked clusters.
Example Triage https://tria.ge/231004-ll7kpsce52/behavioral1
@GustyDusty tracing from here
https://urlscan.io/result/afaeef54-0c29-4712-b950-287638779e1a/#transactions
There's an earlier host used:
verifiedtourist[.]com
@GustyDusty I had assumed that the verifiedtourist also did fakeupdate, but no, it's got some crypto scam instead.
So onlinecasinopinup is used for crypto scam or fake update based on the /path used.
/bro for crypto, which seems fitting
/main for fake update
Just realized saying "crypto scam" is a bit redundant.
@GustyDusty Got a response from the download url.
christopherchabannes[.]com/download/dwnl.php
It did a 302 to here:
aspminube[.]com/temp/Chrome-x64.msix
@GustyDusty it uses this, which looks just like a domain you pointed out ClearFake led to.
fresh-prok[.]site
So maybe related to ClearFake. At least that part of the infrastructure.
https://infosec.exchange/deck/@GustyDusty/111018175913885319
@GustyDusty checking up on your find I see they've compromised a fresh batch of sites.
https://urlscan.io/search/#onlinecasinopinup.xyz
When I check them, they're all very simple injections pointing to the /bro crypto. But currently I'm not getting any response from it.
Of note is that one of the sites also has an active SmartApeSG. Curious. The payload from the other day had a ClearFake related domain. Maybe all the same TA just trying different techniques.
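As an added triage helper (not code from the thread or from either poster), the script below does two things the thread does by hand: it refangs analyst-style indicators (`[.]`, `hxxp://`), labels a URL by its first path segment using the `/bro` = crypto scam, `/main` = fake update split observed above, and walks a list of HTTP transactions following 302 Location headers so that a chain like `dwnl.php -> Chrome-x64.msix` is surfaced with a flag for installer downloads. The path-to-campaign mapping is an assumption taken from the thread's observation rather than a vetted rule, and the transaction records are constructed from the domains mentioned above, not pulled from urlscan or Triage.

```python
import re
from urllib.parse import urlsplit

# Assumed mapping from the thread's observation (/bro -> crypto scam, /main ->
# fake browser update). Treat as a triage hint, not a vetted detection rule.
PATH_CAMPAIGNS = {
    "bro": "crypto-scam",
    "main": "fake-browser-update",
}

# Extensions that, at the end of a redirect chain, indicate a dropped installer.
INSTALLER_EXTENSIONS = (".msix", ".msi", ".exe")

# Constructed sample transactions: (requested URL, HTTP status, Location header).
# Hosts are the ones named in the thread; paths/status codes are illustrative.
SAMPLE_TRANSACTIONS = [
    ("christopherchabannes[.]com/download/dwnl.php", 302, "aspminube[.]com/temp/Chrome-x64.msix"),
    ("aspminube[.]com/temp/Chrome-x64.msix", 200, ""),
    ("onlinecasinopinup[.]xyz/bro/", 200, ""),
    ("onlinecasinopinup[.]xyz/main/", 200, ""),
]


def refang(indicator: str) -> str:
    """Convert defanged notation (example[.]com, hxxp://) into a parseable URL."""
    out = indicator.replace("[.]", ".").replace("(.)", ".")
    out = re.sub(r"^hxxp(s?)://", r"http\1://", out, flags=re.IGNORECASE)
    if "://" not in out:
        out = "http://" + out  # scheme-less host/path as written in analyst notes
    return out


def classify_url(indicator: str) -> str:
    """Label a URL by its first path segment; 'unknown' when the path is unmapped."""
    path = urlsplit(refang(indicator)).path.strip("/")
    first = path.split("/", 1)[0] if path else ""
    return PATH_CAMPAIGNS.get(first.lower(), "unknown")


def follow_chain(transactions, start):
    """Walk transaction records from `start`, following 3xx Location headers.

    Returns (hops, final_url, is_installer). A loop guard stops on revisited URLs.
    """
    by_url = {refang(u): (status, loc) for u, status, loc in transactions}
    current = refang(start)
    hops = [current]
    seen = {current}
    while True:
        rec = by_url.get(current)
        if rec is None:
            break
        status, loc = rec
        if not (300 <= status < 400 and loc):
            break
        nxt = refang(loc)
        if nxt in seen:  # redirect loop
            break
        seen.add(nxt)
        hops.append(nxt)
        current = nxt
    is_installer = urlsplit(current).path.lower().endswith(INSTALLER_EXTENSIONS)
    return hops, current, is_installer


if __name__ == "__main__":
    for url, _, _ in SAMPLE_TRANSACTIONS:
        print(f"{url:55s} -> {classify_url(url)}")
    hops, final, installer = follow_chain(
        SAMPLE_TRANSACTIONS, "christopherchabannes[.]com/download/dwnl.php"
    )
    print(" -> ".join(hops), "| installer:", installer)
```

Feed `follow_chain` the transaction list exported from a sandbox or urlscan run (URL, status, Location) and it will collapse the hops into one line per chain, which makes the `/download/dwnl.php` to `.msix` pattern easy to spot across a batch of compromised sites.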