Completed Part 3 of my personal #SocGholish series.

The article digs into the follow-up payloads delivered once the Update.js is executed on a victim machine.

Interestingly, I saw #NetSupport RAT and an unknown (to me) PowerShell C2 beacon be delivered together.

If anyone can shed more light on what the PowerShell beacon may be, it would be much appreciated! Seems to be inspired by #AsyncRAT, though.

Big thanks to @rmceoin for help along the way.

https://rerednawyerg.github.io/posts/malwareanalysis/socgholish_part3

Malvertisers targeting "AI image generation" keywords 🤖​🎨​

1️⃣​ Search for "AI image generator"
2️⃣​ Ad for fake Meta messenger page
aisystemit[.]online
3️⃣ ​Download click & redirect involving iplogger[.]com
➡️​ .exe download from DropBox

Can anyone identify the family of malware being dropped here?

🔗 https://www.virustotal.com/gui/file/28eb7478cdf53820a76b8aac0d5f1755f5d4ee105b1a457f76f21312ae8d2389/content (file)
🔗​ https://www.virustotal.com/gui/url/9faac0ecbfcaa0ed9747043ec00147a7b22520a849b1932ee16c397fdfa117c2/details (URL)

#Malware, #CTI, #Malverting, #iocs

So, this is interesting. On Tuesday I saw Facebook send a user to a fake Sam's Club site. Today the same user had Facebook send them to a fake Wayfair site.

If you shop and pick out something it runs you through a realistic billing page that leads to a Stripe page that'll send the money to some "DATUSSON SUPPLY LLC" who has a really handy phone number of 201-555-0123.

chairs-room[.]shop
howed[.]shop