Malware Analysis
malwareinfosec.github.io/Web/FakeBrowserUpdates/fakebrowserupdates.md at main · malwareinfosec/malwareinfosec.github.io

@GustyDusty Agreed, if earlier in the infection chain I pass it characteristics of a non-domain joined device, I end up with a different payload.

They must do some sort of checking once the beacon is in place though, because I can't get the Cobalt Strike beacon to drop. I imagine my IP or other characteristics are not convincing enough.

VirusTotal

If you are interested in steganography and browser fingerprinting, I wrote a follow up blog on a scam campaign that I've tracked for several years.

Reproducing & capturing this attack chain is quite difficult because of the number of checks performed. No doubt it contributes to why this scheme is working so well.

https://www.malwarebytes.com/blog/threat-intelligence/2023/08/wooflocker2

Catching up with WoofLocker, the most elaborate traffic redirection scheme to tech support scams

Back in January 2020, we blogged about a tech support scam campaign dubbed WoofLocker that was by far using the most complex...

@jeromesegura It really is. Good lesson for me not to assume the site hadn't been fully set up yet and to keep digging!

@jeromesegura

Great writeup. I had recently been stumped by exactly the scenario you've outlined.

If you track #malvertising campaigns, you may need to adjust your environment to account for more advanced fingerprinting techniques.

More details in this blog: https://www.malwarebytes.com/blog/threat-intelligence/2023/08/malvertisers-up-the-game-against-researchers

Malvertisers up their game against researchers

Malicious ads on search engine results pages are getting harder to identify thanks to advanced fingerprinting techniques

New #SocGholish C2:

hXXps://bvpix.photo.beyoudcor[.]com/editContent
bvpix.photo.beyoudcor[.]com
185[.]225.70.190

Added #EKFiddle rules to detect Google DNS injections used in tech support scam redirects.

Based on this Sucuri blog: https://blog.sucuri.net/2023/08/from-google-dns-to-tech-support-scam-sites-unmasking-the-malware-trail.html

https://github.com/malwareinfosec/EKFiddle

From Google DNS to Tech Support Scam Sites: Unmasking the Malware Trail

Bad actors are elevating their malware campaigns by leveraging the DNS protocol to hide requests to their infrastructure. Learn how hackers are injecting malicious JavaScript to send requests to Google DNS, then using the responses to redirect users to tech support scams and adult websites.

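The Google DNS redirect pattern described above, as an added example that is not part of the original post and is not EKFiddle's or Sucuri's code: a Node.js scanner over captured HTTP sessions that flags TXT lookups sent to dns.google's JSON resolve endpoint from a web page and decodes any answer text that turns out to be a URL. The session record shape, the hostnames, and the base64 encoding of the answer are constructed assumptions for this example; a real campaign may encode its redirect target differently, so the decoder is the part to extend.

```javascript
// Added example: scan captured HTTP sessions for a page using Google's
// DNS-over-HTTPS JSON API (https://dns.google/resolve) to fetch TXT records
// and for answers that decode to a URL. Not code from the original post,
// EKFiddle or Sucuri. Session shape and sample traffic are constructed.

const DOH_RESOLVE = /^https:\/\/dns\.google\/resolve\?/i;

// Pull the TXT record strings out of a Google DoH JSON response.
// The API returns {"Status":0,"Answer":[{"name":..,"type":16,"data":"\"...\""}]};
// TXT data keeps its DNS quoting, and long records are split as "part1" "part2".
function extractTxtAnswers(body) {
  let json;
  try { json = JSON.parse(body); } catch { return []; }
  if (!Array.isArray(json.Answer)) return [];
  return json.Answer
    .filter(a => a.type === 16 && typeof a.data === 'string')
    .map(a => a.data.replace(/^"|"$/g, '').replace(/"\s*"/g, ''));
}

// Recover a URL from a TXT payload, either plain or base64 (assumption: this
// example handles only those two encodings; campaigns vary).
function decodeCandidateUrl(txt) {
  if (/^https?:\/\//i.test(txt)) return txt;
  if (/^[A-Za-z0-9+/=]+$/.test(txt)) {
    const decoded = Buffer.from(txt, 'base64').toString('utf8'); // Node.js
    if (/^https?:\/\//i.test(decoded)) return decoded;
  }
  return null;
}

// Each session: { url, referer, responseBody }. Returns one hit per decoded
// redirect target found in a TXT lookup to dns.google.
function findDohTxtRedirects(sessions) {
  const hits = [];
  for (const s of sessions) {
    if (!DOH_RESOLVE.test(s.url)) continue;
    const params = new URL(s.url).searchParams;
    const type = (params.get('type') || '').toUpperCase();
    if (type !== 'TXT' && type !== '16') continue; // only TXT lookups carry the payload
    for (const txt of extractTxtAnswers(s.responseBody)) {
      const target = decodeCandidateUrl(txt);
      if (target) {
        hits.push({
          page: s.referer || null,        // page that issued the lookup, if known
          name: params.get('name'),       // the queried name (attacker-controlled zone)
          target,                         // where the injected script would send the visitor
        });
      }
    }
  }
  return hits;
}

// Constructed sample traffic: one benign script load, one DoH TXT lookup whose
// answer is a base64 URL, and one A-record lookup that must be ignored.
const SAMPLE_SESSIONS = [
  { url: 'https://example-shop.test/assets/app.js',
    referer: 'https://example-shop.test/',
    responseBody: 'console.log(1)' },
  { url: 'https://dns.google/resolve?name=cfg.example-redirect.test&type=TXT',
    referer: 'https://example-shop.test/',
    responseBody: JSON.stringify({ Status: 0, Answer: [{
      name: 'cfg.example-redirect.test.', type: 16, TTL: 60,
      data: '"' + Buffer.from('https://tech-support-scam.test/alert').toString('base64') + '"' }] }) },
  { url: 'https://dns.google/resolve?name=example.com&type=A',
    referer: null,
    responseBody: '{"Status":0,"Answer":[{"name":"example.com.","type":1,"data":"93.184.216.34"}]}' },
];

console.log(findDohTxtRedirects(SAMPLE_SESSIONS));
```

In a proxy workflow the same logic maps onto a traffic rule: match the request URI on `dns.google/resolve` with `type=TXT`, then inspect the response body rather than the URI, because the redirect target lives in the answer, not in the request.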
@Pug Hm, good idea. I hadn't tried that at the beacon level. That could certainly be why I'm not getting any response past what seems to be somewhat automated filtering.