Found a new? fake browser update that has a currently broken click location. I don't know how long it has been around, but it is not one of the currently tracked clusters.

Example Triage https://tria.ge/231004-ll7kpsce52/behavioral1

Have a look at the Hatching Triage automated malware analysis report for this sample, with a score of 1 out of 10.

@GustyDusty Agreed, this looks new. I've not noticed it. At the moment I'm getting a 500 on the index.php.
@rmceoin Looks like it is also hosting a weird page in Russian
https://urlscan.io/result/22ee5f26-af0b-419a-ae24-79c038252727/
christopherchabannes.com - urlscan.io

@GustyDusty tracing from here

https://urlscan.io/result/afaeef54-0c29-4712-b950-287638779e1a/#transactions

There's an earlier host used:

verifiedtourist[.]com

o-index.com - urlscan.io

@GustyDusty I had assumed that the verifiedtourist also did fakeupdate, but no, it's got some crypto scam instead.

So onlinecasinopinup is used for crypto scam or fake update based on the /path used.

/bro for crypto, which seems fitting
/main for fake update

Just realized saying "crypto scam" is a bit redundant.

@GustyDusty The injection is straightforward and searchable in PublicWWW.
@rmceoin The original one I found was different, so there are at least 2 injects filtering domains doing it. Decodes to hxxps[://]s127581-statspixel[.]com/main

@GustyDusty Got a response from the download URL.

christopherchabannes[.]com/download/dwnl.php

It did a 302 to here:

aspminube[.]com/temp/Chrome-x64.msix

https://tria.ge/231004-t4gq1afa69/behavioral1

Have a look at the Hatching Triage automated malware analysis report for this sample, with a score of 8 out of 10.

@GustyDusty it uses this, which looks just like a domain you pointed out ClearFake led to.

fresh-prok[.]site

So maybe related to ClearFake. At least that part of the infrastructure.

https://infosec.exchange/deck/@GustyDusty/111018175913885319

@rmceoin I think that is also used in a bunch of malvertising. @jeromesegura might know more about it.
@GustyDusty @rmceoin that fresh-prok was involved in FakeBat loader I believe