Malware Analysis
malwareinfosec.github.io/Web/FakeBrowserUpdates/fakebrowserupdates.md at main · malwareinfosec/malwareinfosec.github.io

GitHub
VirusTotal

If you are interested in steganography and browser fingerprinting, I wrote a follow-up blog on a scam campaign that I've tracked for several years.

Reproducing & capturing this attack chain is quite difficult because of the number of checks performed. No doubt it contributes to why this scheme is working so well.

https://www.malwarebytes.com/blog/threat-intelligence/2023/08/wooflocker2

Catching up with WoofLocker, the most elaborate traffic redirection scheme to tech support scams

Back in January 2020, we blogged about a tech support scam campaign dubbed WoofLocker that was by far using the most complex...

Malwarebytes

If you track #malvertising campaigns, you may need to adjust your environment to account for more advanced fingerprinting techniques.

More details in this blog: https://www.malwarebytes.com/blog/threat-intelligence/2023/08/malvertisers-up-the-game-against-researchers

Malvertisers up their game against researchers

Malicious ads via search engine results page are getting harder to identify thanks to advanced fingerprinting techniques

Malwarebytes

New #SocGholish C2:

hXXps://bvpix.photo.beyoudcor[.]com/editContent
bvpix.photo.beyoudcor[.]com
185[.]225.70.190

Added #EKFiddle rules to detect Google DNS injections used in tech support scam redirects.

Based on this Sucuri blog: https://blog.sucuri.net/2023/08/from-google-dns-to-tech-support-scam-sites-unmasking-the-malware-trail.html

https://github.com/malwareinfosec/EKFiddle

From Google DNS to Tech Support Scam Sites: Unmasking the Malware Trail

Bad actors are elevating their malware campaigns by leveraging the DNS protocol to hide requests to their infrastructure. Learn how hackers are injecting malicious JavaScript to send requests to Google DNS, then using the responses to redirect users to tech support scams and adult websites.

Sucuri Blog

#SocGholish is currently delivering a JS based beacon.

I've been attempting to use an AD lab environment to coax responses from the C2.

So far I have only received the following commands, which are sometimes delivered together, and sometimes delivered separately:

nltest /dclist:
nltest /domain_trusts
cmdkey /list

Once my victim machine responds with the command outputs, the C2 either kills the WScript process with another response, or just doesn't respond at all.

My bait must either not be attractive enough or not disguised well enough.
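One way to turn the beacon behaviour described in the post above into a detection, as an added example that is not the author's code: flag a script host (the WScript process the post mentions) spawning `nltest` or `cmdkey` with the arguments listed. The event field names and the sample events are constructed for the example.

```python
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Reconnaissance commands the post reports receiving from the SocGholish C2.
# Key: child image name; value: argument prefixes that complete the match.
RECON_COMMANDS = {
    "nltest.exe": ("/dclist:", "/domain_trusts"),
    "cmdkey.exe": ("/list",),
}
# The beacon runs under WScript, so a script-host parent is the other half of the signal.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


@dataclass
class ProcessEvent:
    """Minimal process-creation record (field names assumed, e.g. from Sysmon Event ID 1)."""
    parent_image: str
    image: str
    command_line: str


def matches_recon(event: ProcessEvent) -> Optional[str]:
    """Return the matched argument prefix when a script host launches AD recon, else None."""
    parent = event.parent_image.rsplit("\\", 1)[-1].lower()
    image = event.image.rsplit("\\", 1)[-1].lower()
    if parent not in SCRIPT_HOSTS or image not in RECON_COMMANDS:
        return None
    try:
        args = shlex.split(event.command_line, posix=False)[1:]  # drop argv[0]
    except ValueError:  # unbalanced quotes: fall back to whitespace split
        args = event.command_line.split()[1:]
    for arg in args:
        for needle in RECON_COMMANDS[image]:
            if arg.lower().startswith(needle):
                return needle
    return None


def scan(events: List[ProcessEvent]) -> List[Tuple[ProcessEvent, str]]:
    """Return (event, matched_prefix) for every event fitting the beacon's pattern."""
    return [(e, m) for e in events if (m := matches_recon(e)) is not None]


# Constructed sample telemetry, not captured data. Two benign controls at the end:
# an admin running nltest from cmd.exe, and WScript launching something harmless.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\nltest.exe", "nltest /dclist:"),
    ProcessEvent(r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\nltest.exe", "nltest /domain_trusts"),
    ProcessEvent(r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\cmdkey.exe", "cmdkey /list"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\nltest.exe", "nltest /dclist:corp"),
    ProcessEvent(r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\notepad.exe", "notepad readme.txt"),
]
```

Either nltest argument alone is also legitimate admin activity; the parent-process condition is what makes the rule low-noise.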

After a three-month-long investigation into four ransomware attackers from the first half of 2023, Sophos X-Ops has uncovered new connections between Black Basta, Hive, and Royal Ransomware based on granular similarities in the forensics of the attacks.

Digital assets like NFTs are a prime target for #phishing scams.

In this quick blog I go over a recent #malvertising campaign via Bing ads.

https://www.malwarebytes.com/blog/threat-intelligence/2023/08/digital-assets-continue-to-be-prime-target-for-malvertisers

#threatintel

Digital assets continue to be prime target for malvertisers

NFT enthusiasts are getting their wallets drained after clicking on a malicious ad.

Malwarebytes

#FakeSG / #RogueRaticate leading to #netsupportrat

ebodyfit[.]com/wp-content/uploads/ultimatemember/58/downloading-(114.0.522735.199%20(Official%20Build).url

ebodyfit[.]com/wp-content/uploads/ultimatemember/57/consciousnessx.hta

ebodyfit[.]com/wp-content/uploads/ultimatemember/56/housealba.zip

ebodyfit[.]com/wp-content/uploads/ultimatemember/56/clients32.exe

#threatintel #IOCs