Mastodawn

2025-07-14 (Monday): #SmartApeSG script injected into page from compromised website leads to #ClickFix style fake verification page. ClickFix-ing you way through this leads to a #NetSupportRAT infection.

Compromised site:

- medthermography[.]com

URLs for ClickFix style fake verification page:

- lebensversicherungvergleich[.]top/jjj/include.js
- lebensversicherungvergleich[.]top/jjj/index.php?OtKXgPVX
- lebensversicherungvergleich[.]top/jjj/buffer.js?4261984971

Running the script for NetSupport RAT:

- affordableasphalt-paving[.]com/lal.ps1
- affordableasphalt-paving[.]com/lotu.zip?l=3526

#NetSupport RAT server:

- 185.163.45[.]87:443

Show thread

Brad Jul 3

#Example 3: #TermFix

I rarely see this, and I haven't yet personally documented it. So I found an image from a Google search to illustrate.

This example is from a #TermFix style #ClickFix popup asking the viewer to open a PowerShell terminal.

Show thread

Brad Jul 3

Example 2: #FileFix

As of 2025-07-03, the #KongTuke campaign is using FileFix style #ClickFix pages to distribute whatever this campaign is distributing.

It's likely pushing #InterlockRAT based on previous discussions I've had here, but I couldn't confirm, because it didn't like me.

Show thread

Brad Jul 3

Example 1: #RunFix

As of 2025-07-03, the #SmartApeSG campaign is using RunFix style #ClickFix pages to distribute #NetSupportRAT

Brad Jul 3

#ClickFix is a social engineering technique that uses fake verification pages and clipboard hijacking to convince people to click and keyboard stroke their way to an infection. So let's categorize #FileFix properly in the pantheon of ClickFix Attacks.

FileFix: A ClickFix page that asks you to past script into a File Manager window.

#RunFix: A ClickFix page that asks you to paste script into a Run window

#TermFix: A ClickFix page that asks you to paste script into a terminal window (cmd.exe console or PowerShell terminal).

We cool with that? Any others types I'm missing?

Brad Jul 3

2025-07-02 (Wednesday): Another #LummaStealer infection with follow-up #Rsockstun #malware.

The #Lumma Stealer infection uses a password-protected 7-zip archive, a NullSoft installer, and #AutoItv3.

Malware samples, a #pcap and some IOCs are available at https://www.malware-traffic-analysis.net/2025/07/02/index.html

Brad Jun 27

2025-06-27 (Friday): I ran another #LummaStealer infection today. It was basically the same as yesterday, except for the follow-up malware.

I saw the same URL for hxxp[:]//86.54.25[.]40/sok.exe, but it returned a different file.

It generated the same type of C2 traffic over TCP port 16443, but it used a different domain for the C2 server at eset-blacklist[.]net.

Sample:

- https://bazaar.abuse.ch/sample/9dc1872510d70d954662b42c0e3bedb80e719272554efc0051cb727241a6cacb/

Sandbox analysis:

- https://www.joesandbox.com/analysis/1724473

- https://tria.ge/250627-26apgask14

- https://app.any.run/tasks/651d4998-807d-4ac2-821b-88061c288013

Brad Jun 27

2025-06-27 (Friday): #SmartApeSG infection chain leading to #ClickFix lure leading to #NetSupportRAT

URL sequence leading to ClickFix:

- palcomp3[.]top/sss/buf.js
- palcomp3[.]top/sss/index.php?GQX1KqUM
- palcomp3[.]top/sss/bof.js?19ec2a189848bc0bfa

URL sequence after running ClickFix script:

- camplively[.]com/all.php
- camplively[.]com/smks.zip?lap=3928

SHA256 hash for smks.zip archive containing NetSupport RAT package:

3be246afee53241eaa9c1f74d6720cc5d1004846ded378bd4b1040064b5631c5

NetSupportRAT C2: 185.163.45[.]30:443

cc: @monitorsg

Brad Jun 27

2025-06-26 (Thursday): #LummaStealer infection leads to follow-up loader that retrieves a pen test tool hosted on Github and configures it as #malware.

A #pcap of the infection traffic, the associated malware, and IOCs are available at: https://www.malware-traffic-analysis.net/2025/06/26/index.html

#Lumma