bencrypted@localhost:~$|


Sophos MDR has observed quite the uptick in #chromeloader infections. We found one instance where the infection stemmed from a fake YouTube Video Downloader site.

🔎 Google search: download youtube video
➡️ User lands on hxxps://10downloader[.]com/en/51
➡️ User attempts to download a specific video
➡️ Redirection to hxxps://heinndoorh[.]com
➡️ Redirection to hxxps://llyighaboveth[.]com
➡️ Redirection to hxxps://adtwobrightsa[.]info/12557074
⬇️ Downloads the sample Your File Is Ready To Download.exe

This often leads to the creation of a schtask such as \chrome display, \chrome disp, \chrome profile, and many more.

Encoded PowerShell is invoked to create a registry key under HKCU:\Software\ with various paths such as:

  • AudioConverterStudio
  • FoxitSoftware
  • KCSoftwares
  • DTSoft
  • BinaryFortressSoftware

#threatintel
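Added example, not code from the post above: the two artefacts it lists (a scheduled task named "\chrome ..." and an encoded PowerShell command writing under HKCU:\Software\<name>) are easy to hunt for once the -EncodedCommand payload is decoded. PowerShell takes the base64 of the UTF-16LE script and accepts any prefix of the flag (-e, -enc, ...), so the decoder tries every "-e..." argument and keeps the first one that decodes cleanly. The event record format and the sample command line are constructed for the example; the task prefix and registry names are the ones from the post.

```python
import base64
import re

# Indicators from the post: task names starting "\chrome " and these names under HKCU:\Software\.
CHROMELOADER_TASK_PREFIX = "\\chrome "
CHROMELOADER_REG_NAMES = {
    "AudioConverterStudio", "FoxitSoftware", "KCSoftwares",
    "DTSoft", "BinaryFortressSoftware",
}

# Any "-e<letters> <base64>" argument is a candidate -EncodedCommand (PowerShell allows prefixes).
ENC_FLAG = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
REG_PATH = re.compile(r"HKCU:\\Software\\([^\\\s'\"]+)", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the decoded script, or None if no argument decodes as base64(UTF-16LE) text."""
    for m in ENC_FLAG.finditer(cmdline):
        try:
            text = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            continue  # e.g. "-ExecutionPolicy Bypass" is not base64 of a script
        if all(ch.isprintable() or ch.isspace() for ch in text):
            return text
    return None


def registry_names(script):
    """Names written directly under HKCU:\\Software\\ by the script."""
    return [m.group(1) for m in REG_PATH.finditer(script)]


def triage(event):
    """event: dict with 'cmdline' and optionally 'task_name' (constructed record shape). Returns findings."""
    findings = []
    task = event.get("task_name", "")
    if task.lower().startswith(CHROMELOADER_TASK_PREFIX):
        findings.append(f"scheduled task name matches ChromeLoader pattern: {task}")
    script = decode_encoded_command(event.get("cmdline", ""))
    if script:
        for name in registry_names(script):
            if name in CHROMELOADER_REG_NAMES:
                findings.append(f"encoded PowerShell creates HKCU:\\Software\\{name}")
    return findings


def encode_for_powershell(script):
    """Only used to build the constructed sample: what a dropper does before calling powershell -enc."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed sample (script body and task name are illustrative, not a captured command line).
SAMPLE_SCRIPT = "New-Item -Path 'HKCU:\\Software\\AudioConverterStudio' -Force | Out-Null"
SAMPLE_EVENT = {
    "cmdline": "powershell.exe -w hidden -ExecutionPolicy Bypass -enc " + encode_for_powershell(SAMPLE_SCRIPT),
    "task_name": "\\chrome display",
}

if __name__ == "__main__":
    print(decode_encoded_command(SAMPLE_EVENT["cmdline"]))
    for finding in triage(SAMPLE_EVENT):
        print("-", finding)
```

Feed it Sysmon event 1 (process creation) command lines together with the task name from event 4698 (scheduled task created) and it will surface both halves of the chain the post describes.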

#Qakbot BB22 malspam distribution is firing on all cylinders

Infection chain:
thread-hijacked email -> attachment (.pdf) -> embedded url -> archive download (pass-protected .zip) -> wscript (.wsf) -> rundll32 (.dll) -> C2 activity

Links embedded within the PDF files:

  • hxxps://baladnahalal[.]com/mmpp/mmpp.php
  • hxxps://mimarpro[.]com/dn/dn.php
  • hxxps://africastories[.]net/uso/uso.php

.dll files staged under %appdata%\local\temp\

And as expected with Qakbot, the payload URLs are routinely changing.

.zip passwords:
3/4/2023 -> 721
3/5/2023 -> 755
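Added example, not code from the post above: the tail of the chain it describes (wscript.exe running the .wsf, then rundll32.exe loading a .dll staged under %APPDATA%\Local\Temp) can be detected from process-creation records by walking the parent chain of every rundll32.exe and looking at the module it was told to load. The record fields and the sample events are constructed for the example (the export name in the malicious sample is invented); the benign rundll32 line is the normal Control Panel applet usage and is there to show the rule does not fire on it.

```python
import ntpath
import re

# Qakbot stage from the post: wscript.exe (.wsf) -> rundll32.exe (.dll under %APPDATA%\Local\Temp).
LOCAL_TEMP_RE = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)
# rundll32 <module>[,<export>]; handles the quoted full-path form too.
RUNDLL32_ARG_RE = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",]+)', re.IGNORECASE)


def image_name(path):
    return ntpath.basename(path).lower()


def index_by_pid(events):
    return {e["pid"]: e for e in events}


def ancestry(by_pid, pid):
    """Image names from pid up to the root, cycle-safe (pids are reused on Windows)."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(image_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def rundll32_module(cmdline):
    """Module path rundll32 was asked to load: first argument, before the ',export' part."""
    m = RUNDLL32_ARG_RE.search(cmdline)
    return m.group(1).strip() if m else None


def detect_wscript_rundll32_chain(events):
    """Flag rundll32.exe with wscript.exe somewhere above it that loads a module from the local temp dir."""
    by_pid = index_by_pid(events)
    hits = []
    for e in events:
        if image_name(e["image"]) != "rundll32.exe":
            continue
        chain = ancestry(by_pid, e["pid"])  # e.g. [rundll32.exe, wscript.exe, explorer.exe]
        if "wscript.exe" not in chain[1:]:
            continue
        module = rundll32_module(e["cmdline"]) or ""
        if LOCAL_TEMP_RE.search(module):
            hits.append({"pid": e["pid"], "module": module, "chain": " <- ".join(chain)})
    return hits


# Constructed process-creation records (Sysmon event 1-like fields), not a real capture.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\AppData\Local\Temp\Temp1_docs.zip\invoice.wsf"'},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32 C:\Users\u\AppData\Local\Temp\stage.dll,Export1"},  # export name invented
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\rundll32.exe",  # benign control panel applet
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for hit in detect_wscript_rundll32_chain(SAMPLE_EVENTS):
        print(hit)
```

Because the check walks the whole ancestry rather than only the direct parent, it still fires when the .wsf spawns cmd.exe or conhost.exe in between, which is the usual way such rules get bypassed.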

Sophos has observed some #RecordBreaker / #RaccoonStealer activity following a search for cracked software.
🔎 Google Search: fences download crack
Cracked Software Site:
➡️ hxxps[://]pesktop[.]com/en/windows/stardock_fences_setup
Download Button + Instructions:
➡️ hxxps[://]adainstaller[.]com/aofiler/<>-pesktop[.]php

Redirection Chain:
↪️ hxxps[://]xdrt656y[.]cfd/?i=Also-Download-its-Full-Activator&u=<>&site=hxxps[://]tinyurl[.]com
↪️ hxxps[://]href[.]li/?hxxps[://]vghu896yh[.]cfd/?56_56=<>&file=Also-Download-its-Full-Activator&h={pubid}
↪️ hxxps[://]vghu896yh[.]cfd/?56_56=<>&file=Also-Download-its-Full-Activator&h={pubid}
↪️ hxxps[://]href[.]li/?hxxps[://]bit[.]ly/New_FullLatestFile--Here
↪️ hxxps[://]bit[.]ly/New_FullLatestFile--Here
↪️ hxxps[://]href[.]li/?hxxps[://]www[.]mediafire[.]com/file/xkv5ulf2kwf7roo/Use-2022_As_PasW0rD-LatestFile-L4[.]rar/file
⬇️ hxxps[://]www[.]mediafire[.]com/file/xkv5ulf2kwf7roo/Use-2022_As_PasW0rD-LatestFile-L4[.]rar/file

Sample: https://www.virustotal.com/gui/file/b01c4534af8c636a787c821e14a5f85890eb78906f4390fb0a8ee2f65b4ab961/relations
PE: a44b78a4cf37bf69a8b750d0a057c228f6bf80362911911950044638c2a2f462

Communicates via port 80 to C2:
hxxp://79.137.197[.]190/45c8e6f57dca0fdb5db9c679b502e12b
#threatintel #infostealer
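Added example, not code from the post above: the posts on this page defang indicators in several styles (hxxps://, hxxps[://], [.]) and wrap destinations in href[.]li-style redirectors, so turning them into a blocklist needs a refanger that also unwraps nested URLs and separates the shared infrastructure (URL shorteners, file hosts, VirusTotal links) from the attacker's own domains. The SHARED_HOSTS and FILE_EXTS sets are assumptions of this example to tune for your own environment; the sample text is assembled from lines of the posts above.

```python
import ipaddress
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)

# Assumed by this example: hosts that appear in chains as shared or benign infrastructure.
# Their URLs are kept as indicators, but the domains are never added to the block list.
SHARED_HOSTS = {"www.virustotal.com", "tinyurl.com", "bit.ly", "href.li",
                "drive.google.com", "www.mediafire.com"}
# "Download.exe" in a file name looks like a host to HOST_RE; drop those by extension.
FILE_EXTS = {"exe", "dll", "zip", "rar", "iso", "dat", "php", "pdf", "wsf", "lnk"}


def refang(text):
    """Undo hxxp(s), [://] and [.] / (.) / {.} defanging."""
    t = re.sub(r"hxxp(s?)", r"http\1", text, flags=re.IGNORECASE)
    t = t.replace("[://]", "://").replace("[:]//", "://")
    return re.sub(r"[\[\(\{]\.[\]\)\}]", ".", t)


def nested_urls(url):
    """Wrappers like href.li/?https://... carry the real destination after the scheme; pull it out."""
    return URL_RE.findall(url.split("://", 1)[1])


def valid_ip(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def extract_iocs(text):
    t = refang(text)
    iocs = {"url": set(), "domain": set(), "ip": set(), "sha256": set()}
    queue = [u.rstrip(".,);") for u in URL_RE.findall(t)]
    while queue:
        u = queue.pop()
        if u in iocs["url"]:
            continue
        iocs["url"].add(u)
        queue.extend(nested_urls(u))
        host = (urlsplit(u).hostname or "").lower()
        if valid_ip(host):
            iocs["ip"].add(host)
        elif host and host not in SHARED_HOSTS:
            iocs["domain"].add(host)
    bare = URL_RE.sub(" ", t)  # hosts and IPs written without a scheme
    for ip in IPV4_RE.findall(bare):
        if valid_ip(ip):
            iocs["ip"].add(ip)
    for h in HOST_RE.findall(bare):
        h = h.lower()
        if h.rsplit(".", 1)[-1] not in FILE_EXTS and h not in SHARED_HOSTS:
            iocs["domain"].add(h)
    iocs["sha256"].update(m.lower() for m in SHA256_RE.findall(t))
    return {k: sorted(v) for k, v in iocs.items()}


# Sample input assembled from lines of the posts on this page.
SAMPLE_POST = """
↪️ hxxps[://]xdrt656y[.]cfd/?i=Also-Download-its-Full-Activator&u=<>&site=hxxps[://]tinyurl[.]com
↪️ hxxps[://]href[.]li/?hxxps[://]bit[.]ly/New_FullLatestFile--Here
Sample: https://www.virustotal.com/gui/file/b01c4534af8c636a787c821e14a5f85890eb78906f4390fb0a8ee2f65b4ab961/relations
PE: a44b78a4cf37bf69a8b750d0a057c228f6bf80362911911950044638c2a2f462
hxxp://79.137.197[.]190/45c8e6f57dca0fdb5db9c679b502e12b
C2: 143.198.92[.]88 / trbiriumpa[.]com
"""

if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_POST).items():
        print(kind, values)
```

The "<>" placeholders the post uses for elided parameters survive as-is (the URL is cut at the "<"), which is the right behaviour: nothing should be guessed into a blocklist entry.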


It seems that hosting malware on #Google is the trend over the past few months.

Putting the #malvertising campaigns aside, #Sophos has observed #RedLine stealer activity that was distributed via a redirect on YT.

Redirection chain:

1. hxxps[://]tinyurl[.]com/y6yauc7z
2. hxxps[://]drive[.]google[.]com/u/0/uc?id=1OOPj2C2rUV6br2odGwIIy7aMCkKAz_DW&export=download/?q=
3. hxxps[://]drive[.]google[.]com/uc?id=1OOPj2C2rUV6br2odGwIIy7aMCkKAz_DW&export=download/?q%3D

Analysis of the #infostealer revealed the following:

  • Performs proc injection into InstallUtil.exe
  • Collects the following data:
    • Various browser/cookie data
    • local FTP client data
    • VPN app data
    • Steam login data
    • Crypto-wallet data
  • Checks victim region in stored Country List
  • Exfils data back to 49.12.184[.]163

Fortunately, Google has been quick on their feet to take down the reported video in question.

#threatintel

Decided to make a way to dynamically generate visualizations in Jupyter Notebook with #python and #graphviz!

Here is a dynamic generation for #IcedID campaigns

#threatintel

Sophos has observed a newly registered domain distributing #RedLine Stealer, which is masquerading as Notepad++.
This appears to be another case of #malvertising via Google advertisements

↪️ User downloaded \downloads\notepadinstall_10.zip from the domain obsfldx[.]xyz (https://www.virustotal.com/gui/domain/obsfldx.xyz)
↪️ Unzipped the malicious archive with 7-Zip: \downloads\notepadinstall_10.zip
➡️ Executes the binary: \downloads\notepad++install\notepad++ install.exe
➡️ Calls Visual Basic lolbin: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
📶 Communicates with the IP: 162.251.62[.]99

The IP address has already been flagged in ThreatFox collection: https://www.virustotal.com/gui/ip-address/162.251.62.99/community


The #IcedID campaign mimicking the IRS, hosting fake W-9 forms

🔎 Google search for "irs refund status"
↪️ aqeroaler[.]online (redirect)
↪️ www-irs-forms[.]top/forms-pubs/about-form-w-9/

#IcedID appears to be ramping up its #malvertising activity today. Sophos has observed a new TeamViewer themed lure site in the following infection chain:

🔎 Google search for "team viewer"

↪️ qweiaoer[.]online (redirect)
↪️ wwwteamviewer[.]top/en/products/teamviewer/
⬇️​ Download of malware from Firebase (.zip containing .iso)
- Downloads\Setup_Win_19-12-2022_19-10-51.zip
- %APPDATA%\Local\temp\Temp1_Setup_Win_19-12-2022_19-10-51.zip\Setup_Win_19-12-2022_19-10-51.iso

The .ISO file contains a shortcut that executes the following cmdline:
- "C:\Windows\System32\rundll32.exe" \ionroe.dat,init

#IcedID C2:
- 143.198.92[.]88 / trbiriumpa[.]com

#IOCs
- ionroe.dat -> https://www.virustotal.com/gui/file/90551d31eb982f6e35514e0d028465f9699b21fccdc3e7a1ca53f839b5055a98/community

Related posts to this campaign:

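Added example, not the author's notebook code: the earlier post about generating #IcedID campaign visualizations with Python and Graphviz does not show its code, so this is one way to build the DOT source for chains like the IRS and TeamViewer ones above. Each chain is an ordered list of (label, kind) pairs; chains that share a node (here the campaign root) are merged into one graph, and labels are escaped so the "\ionroe.dat,init" command line renders correctly. The node kinds, shapes and the campaign root label are choices of this example; the chain contents are taken from the posts above.

```python
# Node kinds -> Graphviz shapes (a choice of this example).
SHAPES = {"campaign": "doublecircle", "search": "note", "redirect": "ellipse",
          "lure": "box", "file": "folder", "exec": "box3d", "c2": "octagon"}


def dot_escape(s):
    """Escape for a DOT double-quoted string: backslashes first, then quotes."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def campaign_to_dot(name, chains):
    """chains: list of ordered [(label, kind), ...] lists. Equal labels become one shared node."""
    nodes, edges = {}, []
    for chain in chains:
        for label, kind in chain:
            nodes.setdefault(label, kind)
        for (a, _), (b, _) in zip(chain, chain[1:]):
            if (a, b) not in edges:
                edges.append((a, b))
    ids = {label: f"n{i}" for i, label in enumerate(nodes)}  # safe IDs, no collisions
    out = [f'digraph "{dot_escape(name)}" {{', "  rankdir=LR;", '  node [fontname="Helvetica"];']
    for label, kind in nodes.items():
        out.append(f'  {ids[label]} [label="{dot_escape(label)}" shape={SHAPES.get(kind, "ellipse")}];')
    for a, b in edges:
        out.append(f"  {ids[a]} -> {ids[b]};")
    out.append("}")
    return "\n".join(out)


# Chains from the IRS and TeamViewer posts above, hung off one campaign root (root label is an assumption).
ROOT = ("IcedID malvertising", "campaign")
SAMPLE_CHAINS = [
    [ROOT, ('Google: "irs refund status"', "search"), ("aqeroaler[.]online", "redirect"),
     ("www-irs-forms[.]top/forms-pubs/about-form-w-9/", "lure")],
    [ROOT, ('Google: "team viewer"', "search"), ("qweiaoer[.]online", "redirect"),
     ("wwwteamviewer[.]top/en/products/teamviewer/", "lure"),
     ("Setup_Win_19-12-2022_19-10-51.zip (Firebase)", "file"),
     ("Setup_Win_19-12-2022_19-10-51.iso", "file"),
     (r"rundll32.exe \ionroe.dat,init", "exec"),
     ("143.198.92[.]88 / trbiriumpa[.]com", "c2")],
]

if __name__ == "__main__":
    print(campaign_to_dot("IcedID malvertising", SAMPLE_CHAINS))
```

In a notebook, `graphviz.Source(campaign_to_dot(...))` renders the graph inline; outside one, write the text to a .dot file and run `dot -Tsvg chain.dot -o chain.svg`. Adding a new lure is a matter of appending another chain, which is what makes the generation "dynamic".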

Obligatory holiday #GrapheneOS thread