Randy

@rmceoin@infosec.exchange
One less fake browser update campaign. Not to be left out, #SmartApeSG has switched to the #ClickFix technique.

Fake Slack via #malvertising. Google search was for "slack.coml" (user was on the right track, type the domain instead of searching, but they typoed it and then clicked on the malvertisement). There's a whole bunch of other bad stuff in the git repos.

Google ad
->
tradkingview.onelink[.]me/3nFZ
->
slack.aerodrame[.]finance/
->
slack.workmeetingsapp[.]com/
->
github[.]com/fewefwfewfew/dwqfqwe/releases/download/fecfewwefewf3/Slack_Setup.exe

2b587ca6eb1af162951ade0e214b856f558cc859ae1a8674646f853661704211 Slack_Setup.exe

Seems to be mushroom season. We're seeing a variety in our area.

Today's TSS redirector.

matchreal[.]online

I'm back from vacation. Did I miss anything?

#beach

How to make a unix greybeard unhappy.

A handy attribute of hosting on BB is that we can see the number of times the malware has been downloaded by victims. In this case 23,330 downloads since Friday. Not a bad haul.

If you can, you should consider blocking Bitbucket. #ClickFix is not the only threat that likes to host malware on it.

compromised site
->
bsc-dataseed1.binance[.]org (Binance 0xa6165Aa33ac710AD5dCd4F4d6379466825476FDE)
->
ajsdiaolke[.]shop/endpoint
->
bitbucket[.]org/napoleon_bonaparte/updater/downloads/BrowserUpdateTool.exe

fff7637514c6238443100fbc4d1fef626cebf043eef1aefa3a0f5ab6d0103bf6 BrowserUpdateTool.exe

https://tria.ge/240826-qje5wsvhnh

Today's #ClickFix chain.

(compromised site)
->
sentry-cxso.onrender[.]com/v1/get-cp-token
->
sentry-cxso.onrender[.]com/v1/get-cp-code
->
sentry-cxso.onrender[.]com/v1/get-cp-content
->
www.dl.dropboxusercontent[.]com/scl/fi/fhkwtjmp64tzje8s25ipk/update-live.zip?rlkey=v0i4f6lfmex6dffq6xcz7wabu&st=j3fkareo&dl=0

0d7f8397a728874574ecd157b842c589b5b4e0f2de1c230ae34e512de181b983 update-live[.]zip
d5d24ae017321df0163eb244412056947c2e2501f5072bd236f619e9a372cac8 update[.]exe

https://tria.ge/240808-q6nqjsthpl/

Sigh, frustrating to watch folks google for major names instead of tacking on the .com to simply go to the site. Instead they get subjected to #malvertising that no user will be able to differentiate from legit.

For the chain I saw searching amazon, these seem worth blocking.

lunavattuone[.]com
urchin-app-2-p3hvj.ondigitalocean[.]app

#TechSupportScam #TSS