Completed Part 3 of my personal #SocGholish series.

The article digs into the follow-up payloads delivered once the Update.js is executed on a victim machine.

Interestingly, I saw #NetSupport RAT and an unknown (to me) PowerShell C2 beacon be delivered together.

If anyone can shed more light on what the PowerShell beacon may be, it would be much appreciated! Seems to be inspired by #AsyncRAT, though.

Big thanks to @rmceoin for help along the way.

https://rerednawyerg.github.io/posts/malwareanalysis/socgholish_part3

Malvertisers targeting "AI image generation" keywords 🤖​🎨​

1️⃣​ Search for "AI image generator"
2️⃣​ Ad for fake Meta messenger page
aisystemit[.]online
3️⃣ ​Download click & redirect involving iplogger[.]com
➡️​ .exe download from DropBox

Can anyone identify the family of malware being dropped here?

🔗 https://www.virustotal.com/gui/file/28eb7478cdf53820a76b8aac0d5f1755f5d4ee105b1a457f76f21312ae8d2389/content (file)
🔗​ https://www.virustotal.com/gui/url/9faac0ecbfcaa0ed9747043ec00147a7b22520a849b1932ee16c397fdfa117c2/details (URL)

#Malware, #CTI, #Malverting, #iocs

So, this is interesting. On Tuesday I saw Facebook send a user to a fake Sam's Club site. Today the same user had Facebook send them to a fake Wayfair site.

If you shop and pick out something it runs you through a realistic billing page that leads to a Stripe page that'll send the money to some "DATUSSON SUPPLY LLC" who has a really handy phone number of 201-555-0123.

chairs-room[.]shop
howed[.]shop

So the #KeitaroTDS offers up at least two paths. One is #SocGholish that I've been tracking and the other is some notification malware that I've seen before but didn't realize they're connected.

When I go to an infected site, I only get served SocGholish. But I see when urlscan goes to it, they get this other scam. What's handy is I can go directly to the KeitaroTDS URLs associated with those scams and see that other path.

backendjs[.]org/kb3xCR3d
cancelledfirestarter[.]org/Qw6YdVL
dailytickyclock[.]org/H9nZW3yw
deeptrickday[.]org/xTHcrXYN
devqeury[.]org/XdQJSbwV
devqeury[.]org/VjCTRDTQ
jqscr[.]com/GPfymwFy
jqscr[.]com/MFkkBGCh
jqueryns[.]com/jbMbKDPn
jsqur[.]com/97rmMy8V

Anybody have a name for this notification scam?

While poking at the #KeitaroTDS used by #SocGholish I noticed a different path. Using torsocks in the hopes of getting different responses, this known #KeitaroTDS URL

dailytickyclock[.]org/Rz7kFbxJ

would return a redirect I haven't noticed.

dailytickyclock[.]org/H9nZW3yw

That in turn was redirecting to here.

greatbonushere[.]life/?u=4dkpaew&o=81yk607&cid=vi0n933mcrfi

That led to a couple of scams. Mostly I got a fake iPhone prize scam that tries to dup you into providing your address and CC info.

Pivoting off the IP for the domain out popped 78 more domains. Block them nasties! 🚫​

https://gist.github.com/rmceoin/9e3fb77686a660374409df467d9711ca