#fakesg — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #fakesg, aggregated by home.social.
-
Today's #FakeSG
5.181.159[.]48/Downloads/freorra.zip
johnmmartin[.]com/wp-content/uploads/2024/t/ForgotME.zip
johnmmartin[.]com/wp-content/uploads/2024/t/digitaks.exe
1cdbdf9476b04724e12564394094ffa0f74e5345b2fd4d26a78749c408d34f8e freorra.zip
ab6492900c66882416208e9554d85504ad7f7fe6e9674945887bc6ac47ebfdbd freorra.hta
3b289328b73d86fba97c7f533303be66d17576366c9f7ab462b16c6cb085e490 ForgotME.zip
49a568f8ac11173e3a0d76cff6bc1d4b9bdf2c35c6d8570177422f142dcfdbe3 digitaks.exe
NetSupport
GatewayAddress 5.181.159[.]27:443
serial_no NSM165348 -
New #FakeSG
5[.]181.159.48/Downloads/updmgpower[.]zip
-->
vass[.]us/wp-content/uploads/2024/01/FaultDamage.zip
0e465179f23f38136ff272da903c53f5d748384294c196d86cd920650ef536f1 updmgpower.zip
336fa8e1a946463a4b0adc0641116922fb99652796095d55c0bf51fb8bbbcc35 FaultDamage.zip
NetSupport
GatewayAddress 5[.]181.159.27:443
serial_no NSM165348 -
#FakeSG seems a bit quiet lately so digging around I stumbled into yet another site with multiple fakeupdates. At this site the #ParrotTDS is still operational and sent the potential user to #SocGholish
Does make you wonder if it's all the same actor just trying out very different approaches? They got a new employee who was tasked with trying something different.
¯_(ツ)_/¯
-
I made this page to track current fake browser updates campaigns:
-
-
-
The #FakeSG folks changed out their infection chain. It used to be URL > LNK > HTA > ZIP. Now it's ZIP > MSI. Oh, and a new NetSupport gateway.
Compromised site
-->
google-analytiks[.]com/sBY76j (Keitaro)
-->
sterlingfundinginc[.]com/wp-content/uploads/2023/03/en-local(downloader-upd)silent.zip
-->
sterlingfundinginc[.]com/wp-content/uploads/2022/03/en-win-update.msi
-->
NetSupport GatewayAddress 94[.]156.6.111:443 -
#FakeSG appears to have a new Keitaro hostname. They must like the letter K. Their last one was google-analytiks.
gstatick[.]com
178.159.37[.]73It's SSL cert started yesterday and it does respond as a Keitaro. I just don't know a URL for it yet to get it to respond with the bad stuff.
-
@monitorsg Sweet! The new #FakeSG monitoring is working well. Besides the posting here, artifacts are sent to MalwareBazaar.
-
#FakeSG / #RogueRaticate leading to #netsupportrat
ebodyfit[.]com/wp-content/uploads/ultimatemember/58/downloading-(114.0.522735.199%20(Official%20Build).url
ebodyfit[.]com/wp-content/uploads/ultimatemember/57/consciousnessx.hta
ebodyfit[.]com/wp-content/uploads/ultimatemember/56/housealba.zip
ebodyfit[.]com/wp-content/uploads/ultimatemember/56/clients32.exe
-
I can never tell, is a TA's infrastructure simply broken or am I not coming at it the right way. Anyway, #FakeSG was broken for me since Saturday. Now it works again with some changes. Same pattern, just swapped out two of the middle steps.
Infection chain
compromised site
-->
google-analytiks[.]com/sBY76j (Keitaro)
-->
www[.]barclayledsolutions[.]com/wp-content/uploads/2023/05/brwsr-chr(localupd-version105.215.414).url
-->
hXXp://94[.]156.6.203/Downloads/local-EN-version105[.]lnk
-->
www[.]barclayledsolutions[.]com/wp-content/uploads/2023/04/junker.hta
-->
hXXps://94[.]158.244.41:443 (NetSupport) -
@defender @jeromesegura @terribleplan Possibly. The #SocGholish TA still first lands a JS that collects info about the victim. Up until July 17th I saw them switching to PS after that JS collection. But I haven't seen them do anything more than collect the info. Looks like this.
(Compromised site)
-->
greedyfines[.]org/GRzk7JSP (Keitaro)
-->
sandwiches.tropipackfood[.]com/I9tOCVj5LWBH+XQ7FehiK1H5dCtHvjhxUqlsdA== (SocGholish TDS)
-->
lmd.plan.gemmadeealexander[.]com/editContent (SocGholish JS C2)Going direct to the PS hop still works for me. For example just now it does this chain.
hXXp://asfgze[.]fun/f23.svg
-->
hXXp://kedkejehiciellf[.]top/1.php (DGA)
-->
hXXp://kedkejehiciellf[.]top/2.php (DGA)
-->
hXXps://dprn0jmb1nag5t9[.]top:14235 (PowerShell C2)The #FakeSG TA doesn't do JS or PS. They simply land NetSupport. The chain from a few minutes ago.
(Compromised site)
-->
google-analytiks[.]com/sBY76j (Keitaro)
-->
alexiakombou[.]com/wp-content/uploads/2022/01/downloader(updchr(V104.215.214)silent.url ()
-->
hXXp://185[.]252.179.64@80/Downloads/silentupdater-chr(v105).lnk ()
-->
alexiakombou[.]com/wp-content/uploads/2021/12/EN-localer.hta (HTA)
-->
hxxps://94[.]158.244.41:443 (NetSupport)I'm wondering if the SocGholish TA is on vacation. They usually rotate parts of the chain at least once a week and I haven't seen a change since July 20th. That and the JS to PS hasn't worked since July 17th, at least not for me.
-
The #FakeSG Keitaro stopped handing out .url URLs for about 11 hours, but they're back. And, w00t!, my script is able to flesh out the full infection chain on it's own. Below is just a copy/paste from it's output. So I can tell you they fixed it around 13:00:00 UTC. They only swapped out the compromised WP site, which seems to be the main piece they like to swap out.
Infection chain
compromised site
-->
google-analytiks[.]com/sBY76j (Keitaro)
-->
alexiakombou[.]com/wp-content/uploads/2022/01/downloader(updchr(V104.215.214)silent[.]url
-->
hXXp://185[.]252.179.64:80/Downloads/silentupdater-chr(v105).lnk
-->
alexiakombou[.]com/wp-content/uploads/2021/12/EN-localer[.]hta
-->
94[.]158.244.41:443 (NetSupport) -
Hmm, what is this? Noticed another #KeitaroTDS that appears to be using the same template at #FakeSG
advertising-cdn[.]com/Y34dw7
Also of note is this victim site is a .gov. I tend to think of those as generally safe. I suppose this is an example of even .gov sites are not impervious.
The path that got me to this originally came from another domain name on the same host.
new-adversting[.]com/P6g7Hh
Both have been out there since last year.
-
Hmm, what is this? Noticed another #KeitaroTDS that appears to be using the same template at #FakeSG
advertising-cdn[.]com/Y34dw7
Also of note is this victim site is a .gov. I tend to think of those as generally safe. I suppose this is an example of even .gov sites are not impervious.
The path that got me to this originally came from another domain name on the same host.
new-adversting[.]com/P6g7Hh
Both have been out there since last year.
-
Hmm, what is this? Noticed another #KeitaroTDS that appears to be using the same template at #FakeSG
advertising-cdn[.]com/Y34dw7
Also of note is this victim site is a .gov. I tend to think of those as generally safe. I suppose this is an example of even .gov sites are not impervious.
The path that got me to this originally came from another domain name on the same host.
new-adversting[.]com/P6g7Hh
Both have been out there since last year.
-
Hmm, what is this? Noticed another #KeitaroTDS that appears to be using the same template at #FakeSG
advertising-cdn[.]com/Y34dw7
Also of note is this victim site is a .gov. I tend to think of those as generally safe. I suppose this is an example of even .gov sites are not impervious.
The path that got me to this originally came from another domain name on the same host.
new-adversting[.]com/P6g7Hh
Both have been out there since last year.
-
Hmm, what is this? Noticed another #KeitaroTDS that appears to be using the same template at #FakeSG
advertising-cdn[.]com/Y34dw7
Also of note is this victim site is a .gov. I tend to think of those as generally safe. I suppose this is an example of even .gov sites are not impervious.
The path that got me to this originally came from another domain name on the same host.
new-adversting[.]com/P6g7Hh
Both have been out there since last year.
-
Welp, I guess they are gonna keep swapping out pieces each day.
Infection chain
compromised site
-->
google-analytiks[.]com/sBY76j
-->
tre100[.]in/wp-content/uploads/2021/10/Install Updater (V105.215.8411-downloader-silent).url
-->
hXXp://185[.]252.179.64:80/Downloads/local-downloadersilent-install(v105).lnk
-->
tre100[.]in/wp-content/uploads/2021/09/local-EN.hta
-->
NetSupport GatewayAddress 94[.]158.244.41:443228ab3e4b67fe1e661d90f3755e62ff66a9267765f11e1f63bb084f05c6a582b local-EN[.]hta
tre100[.]in/wp-content/uploads/2021/07/LocationTrack.zip
tre100[.]in/wp-content/uploads/2021/07/client32.exe -
Settle down folks. They updated the URL/LNK/HTA, but at least the gateway is the same.
Infection chain
compromised site
google-analytiks[.]com/sBY76j
-->
www[.]eastcoastmotorhomes.co[.]uk/wp-content/uploads/2021/01/Install Updater (downloadingV104.215.S5)(silent).url
-->
hXXp://185[.]252.179.64:80/Downloads/downloading-reinstalling-stable(silent).lnk
-->
www[.]eastcoastmotorhomes.co[.]uk/wp-content/uploads/2020/11/downloadingupd.hta
-->
NetSupport GatewayAddress 94[.]158.244.41:443e64fb3d5024306678f9f85e1c009b4a285eb1a9ef6c81d2e4a1d3eca7740d841 downloadingupd[.]hta
www[.]eastcoastmotorhomes.co[.]uk/wp-content/uploads/2020/10/SuitableDrive.zip
www[.]eastcoastmotorhomes.co[.]uk/wp-content/uploads/2020/10/client32.exe -
They updated the LNK to point to a different HTA which in turn grabs a different NetSupport INI to point at a new gateway. Curious how frequently this group rotates the chain.
Infection chain
compromised site
google-analytiks[.]com/sBY76j
-->
hXXps://esteticalocarno[.]com/wp-content/uploads/2023/02/Install%20Updater%20(V105.215.8412_silent).url
-->
hXXp://185[.]252.179.64:80/Downloads/shdeulerinstall[.]lnk
-->
hXXps://www[.]esteticalocarno[.]com/wp-content/uploads/2018/5/XVXCSASD.hta
-->
NetSupport GatewayAddress 94[.]158.244.41:4430e74d799e5486979f7cafb3c6bbd8fab224f882b82197eb8975818bd61cbb667 XVXCSASD[.]hta
-
#FakeSG is back online. URL > LNK > HTA > NetSupport.
Infection chain
compromised site
-->
google-analytiks[.]com/sBY76j
-->
esteticalocarno[.]com/wp-content/uploads/2023/02/Install%20Updater%20(V105.215.8412_silent).url
-->
hXXp://185[.]252.179.64:80/Downloads/shdeulerinstall[.]lnk
-->
www[.]esteticalocarno[.]com/wp-content/uploads/2018/04/HHYGASDBBBX.hta
-->
NetSupport GatewayAddress conluase62[.]com:5051 -
There's a new player in the 'fake updates' arena. Thanks to @rmceoin for initially posting about it here.