MalasadaTech


ALOHA! This is my "Independent Researcher" persona. I post about things that I enjoy researching and analyzing during my personal time.

"Views are my own, not my employer’s. All research is done independently, on personal time and resources. Tools or references used are unaffiliated with my employer."

Web: https://malasada.tech

Two more on today's check. Pretty cool.

bajcgicdiinbegb[.]top
cfverclsid[.]top

Testing out Chris Duggan's DNS Coffee workflow (https://x.com/TLP_R3D/status/1845446668549775372) to search for new TA582 domains.

New #TA582 domains observed via the workflow:

pbizntettbvs[.]top
rigzuvzi3bnz3[.]top
robnzuwubz[.]top

Chris Duggan (@TLP_R3D) on X:

"🧵Thread / 🕵️‍♂️ Ever wanted to hunt down APTs like #TheCom via DNS but can't be bothered with all the searching and clicking? Want to get a list of interesting 'live' domains to investigate in under 60 seconds ⏰!! No worries! Let's automate the process with a Python script"

Thanks @crep1x for the original post that inspired me to monitor for this!

https://x.com/crep1x/status/1850965395114508452

crep1x (@crep1x) on X:

"Infrastructure distributing #NetSupport RAT remains active, currently using fake 7-Zip webpages MSIX > PS1 > NetSupport C2: 91.149.232[.]112 Infra: 7zip10-2024[.]life 7zip10-2024[.]live 7zip2024[.]one meetgo2024[.]life 38.180.141[.]203 85.209.134[.]45 ⬇️ https://t.co/9fSPN4GFo1"

7-Zip #FakeApp observed serving #NetSupportRat

https[:]//7zlp2024[.]shop

>>

0511file24.msix (b3a95ec7b1e7e73ba59d3e7005950784d2651fcd2b0e8f24fa665f89a7404a56)

MGJFFRT466
NSM301071

62.76.234[.]49:443

Observed a few possible upcoming #KeitaroTDS domains via Silent Push. Found in research, not observed in any compromised sites yet. #SocGholish #TA569.

designinteractiveplatform[.]club
ajaxapiendpoint[.]cloud
codingmastermindhub[.]club
apivuecomponent[.]com

Observed a new beginning part of the delivery chain for #LandUpdate808

hxxps[:]//mercro[.]com/web-metrics.js

Found in Silent Push. Can't get the next part yet.

https://urlscan.io/search/#mercro.com


Just updated WHOIS on 20SEP24...
ANY.RUN interactive analysis: edgeupgrade.com (No threats detected)

Edge-themed Fake Update:

edgeupgrade[.]com

Clicking the update button serves hxxps[:]//elrifeno[.]com/temp/Install_x64.exe (44faed020d5d8b29918a3f02d757b2cfada67574cf9e02748ea7f75ba5878907)

This is related to the other fake update sites below that ET is already tracking:

updatechrllom[.]com
mozilaupgrade[.]com
javadevssdk[.]com

Possible upcoming #SmartApeSG domain found in research, not from anything injected into a compromised site.

ixiapartner[.]com/cdn-vs/original.js

theonerealsolution[.]com/cdn-vs/main.php (Gleaned from original.js)

ixiapartner[.]com/cdn-vs/data.php (B64 ZIP with NetSupport)

ZIP SHA256: 0ecb6f595440040d3b91d220efba1be83db98201be5dbdc98eb1268439f17c4f
194[.]180.191.183:443 (XMLCTL, NSM303008)