Jérôme SeguraI wrote a quick blog post on this ongoing #malvertising campaign disguised as Google Authenticator and using.... Google ads.
| X | http://offensive-intel.com |
Germán Fernández 
@1ZRR4H@infosec.exchange
- 120 Followers
- 18 Following
- 34 Posts
🏴☠️ OFFENSIVE-INTEL 🏴☠️ Cyber Threat Intelligence by Hackers | Security Researcher en CronUp.com | @CuratedIntel Member | 🥷🧠🇨🇱
Colin CowieGoogle #malvertising impersonating google authenticator
🎣 chromeweb-authenticators[.]com
📂 "Authenticator.exe"
Delivers digitally signed malware with a low detection ratio on #virustotal
🚨 Watch out, threat actors are exploiting another GitHub feature related to the commenting and notification system.
With the above, they manage to deliver #phishing emails through the legitimate account "notifications@github[.]com". In addition, the sender's name can be manipulated by renaming the attacker's GitHub account.
Two campaigns seen:
1⃣ New Gitloker attacks wipe GitHub repos in extortion scheme > https://bleepingcomputer.com/news/security/new-gitloker-attacks-wipe-github-repos-in-extortion-scheme/
2⃣ Crypto scams on GitHub > https://github.com/orgs/community/discussions/83803
James Forshaw 
Damn, I really thought the Recall database security would at least be, you know, secure. Turns out Microsoft did pretty much what I blogged about for WindowsApps, except you need to find a specific WIN://SYSAPPID instead. So to bypass the security just get the token for the AIXHost.exe process, then impersonate that and you can access the database, no admin required. Or, as the files are owned by the user, just grant yourself access using icacls etc :D
🚩 Active #RemcosRAT campaign is distributed via GitHub through abuse of comments in legitimate repositories.
Some malicious links:
- https://github[.]com/ustaxes/UsTaxes/files/15421286/2022and2023TaxDocuments[.]zip
- https://github[.]com/ustaxes/UsTaxes/files/15419438/2023TaxDocuments[.]zip
- https://github[.]com/PolicyEngine/policyengine-us/files/15487603/2023.TAX.ORGANIZER.pdf[.]zip
- https://github[.]com/hmrc/claim-tax-refund/files/15487332/TaxrefundlistPDF[.]zip
They also got creative and registered the user "user-attachments" on GitHub 😄
- https://github[.]com/user-attachments/files/15592343/Rachel.Completed.Organizer.Season.TAX.2023[.]zip
Remcos C2 servers:
- pattreon.duckdns[.]org:7035
- deytrycooldown.duckdns[.]org:7070
- newlink.duckdns[.]org:5111
* Botnet: RemoteHost
FIN7 #malvertising #threatintel
concuur[.]net
concuur[.]org
concuur[.]com
concur2024[.]com
96dfb6337647d890875919334a8dfc1f8f6e887f4b9ff6afedfb3574c7b444a3
SECUINFRA Falcon TeamToday: Detecting the "qBit Stealer" exfiltration tool
qBit Stealer was developed by the "qBit #Ransomware-as-a-Service" group to exfiltrate victim data to the MEGA file sharing service. It is implemented in #Golang.
About two months ago the source code of qBit Stealer was published on BreachForums for anyone to use and repurpose (Image 1).
Based on the source code and the sample shared by @1ZRR4H (https://twitter.com/1ZRR4H/status/1751656174515098023), we created a YARA rule to look for qBit Stealer samples (Image 2).
Interestingly, most of the in-the-wild samples contain build artifacts of the "XFiltr8" variant, compiled by a user named "187ir".
We only found two other public samples that contain different path artifacts (Image 3).
Paths and hashes:
C:/Users/187ir/Golang-Projects/XFiltr8/Builder/XFiltr8.go
089ba2fb4eaa13b572ba558288592ed9
de2e25d217d28d1f360068048b5e4d54
bef9a0031387e0841166d41b047f8a13
fec2f286abc06554f68e5586a44662d5
03a18e5842e08a32d08703fe0c563687
e3211f650d932848a544d4da6f9fd599
1e6dca21cb0249525375e87358ff4fbc
4738ddef9cc4cd33dbbd616c722d5f46
97d87da8e4b22863681ef8eeef685826
C:/Users/benign_os/Desktop/malware_samples/3086/SMW3086/payloads/windows/qBitStealer/qBitStealer.go
f06c4a0af2181eb43a7b3763e8f5d5ea
C:/Users/lilia/Downloads/Telegram Desktop/qBitStealer/qBitStealer.go
b4247d41d89972d3a3cf34bca30c16f1
Samples will be shared via @abuse_ch Malware Bazar
The rules will be pushed to the 100DaysOfYARA and our detection repo :)
🍪
Germán Fernández (@1ZRR4H) on X
#opendir https://91.92.254.14/ "XFiltr8.exe" appears to be an exfiltration tool (written in Go) that uses MEGA services for storage via g.api.mega.]co.]nz. [+] https://t.co/T3dWYx5Elk ▪ "C:/Users/187ir/Golang-Projects/XFiltr8/Builder/XFiltr8.go" "Helpertask.exe" is #AsyncRAT…
Malicious slack ad leading to #Pikabot malware ⚠️ Pikabot is closely associated with ransomware intrusions.
Redirection Infrastructure:
slalk.onelink[.]me
anewreseller[.]top
Fake Site:
siack.ovmv[.]net
.msi payload hosted on dropbox:
https://www.virustotal.com/gui/file/f1bc547091f9a2447fd16c804aa568707ca323e3d20c90e5568b303480ae7a03
Malicious advertisement spoofing zooms website⚠️
Redirects the user to a fake site:
zoomus.onelink[.]me ->
zoonn.virtual-meetings.cn[.]com
Downloads .msix payload and launches it with ms-appinstaller:
ms-appinstaller:?source=https[:]//scheta[.]site/apps.store/ZoomInstaller.msix
Drops digitally signed malware "install.exe" (GlobalSign Code Signin)
Delivers #Batloader payload
#IOCs
🔗 https://www.virustotal.com/gui/file/462df2e4a633e57de0d5148060543576d7c1165bf90e6aec4183f430d8925a1c/
🔗 https://www.virustotal.com/gui/file/48aa2393ef590bab4ff2fd1e7d95af36e5b6911348d7674347626c9aaafa255e
How can anyone reasonably expect a user to detect google ad abuse without visiting the malicious site?
Here's an example of a malicious google ad spoofing anydesk today.
This one redirects users to https[:]//anyowpdesk[.]com before downloading .msi malware:
https://www.virustotal.com/gui/file/9d85ae9e45556067d0b833144e7d9935936a3a3098fe65fc198409083a3a33a6/relations
SoonerMedic