home.social

#fakesg — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #fakesg, aggregated by home.social.

  1. Today's #FakeSG

    5.181.159[.]48/Downloads/freorra.zip
    johnmmartin[.]com/wp-content/uploads/2024/t/ForgotME.zip
    johnmmartin[.]com/wp-content/uploads/2024/t/digitaks.exe

    1cdbdf9476b04724e12564394094ffa0f74e5345b2fd4d26a78749c408d34f8e freorra.zip
    ab6492900c66882416208e9554d85504ad7f7fe6e9674945887bc6ac47ebfdbd freorra.hta
    3b289328b73d86fba97c7f533303be66d17576366c9f7ab462b16c6cb085e490 ForgotME.zip
    49a568f8ac11173e3a0d76cff6bc1d4b9bdf2c35c6d8570177422f142dcfdbe3 digitaks.exe

    NetSupport
    GatewayAddress 5.181.159[.]27:443
    serial_no NSM165348

    tria.ge/240125-q8tdtahgdm/beha

  2. New #FakeSG

    5[.]181.159.48/Downloads/updmgpower[.]zip
    -->
    vass[.]us/wp-content/uploads/2024/01/FaultDamage.zip

    0e465179f23f38136ff272da903c53f5d748384294c196d86cd920650ef536f1 updmgpower.zip
    336fa8e1a946463a4b0adc0641116922fb99652796095d55c0bf51fb8bbbcc35 FaultDamage.zip

    NetSupport
    GatewayAddress 5[.]181.159.27:443
    serial_no NSM165348
  3. #FakeSG seems a bit quiet lately so digging around I stumbled into yet another site with multiple fakeupdates. At this site the #ParrotTDS is still operational and sent the potential user to #SocGholish

    Does make you wonder if it's all the same actor just trying out very different approaches? They got a new employee who was tasked with trying something different.

    ¯_(ツ)_/¯

  4. These #FakeSG folks are on a roll. They scored Live Nation.

  5. The #FakeSG folks changed out their infection chain. It used to be URL > LNK > HTA > ZIP. Now it's ZIP > MSI. Oh, and a new NetSupport gateway.

    Compromised site
    -->
    google-analytiks[.]com/sBY76j (Keitaro)
    -->
    sterlingfundinginc[.]com/wp-content/uploads/2023/03/en-local(downloader-upd)silent.zip
    -->
    sterlingfundinginc[.]com/wp-content/uploads/2022/03/en-win-update.msi
    -->
    NetSupport GatewayAddress 94[.]156.6.111:443

    tria.ge/230810-tkwqtaeg82/beha

  6. #FakeSG appears to have a new Keitaro hostname. They must like the letter K. Their last one was google-analytiks.

    gstatick[.]com
    178.159.37[.]73

    It's SSL cert started yesterday and it does respond as a Keitaro. I just don't know a URL for it yet to get it to respond with the bad stuff.

  7. @monitorsg Sweet! The new #FakeSG monitoring is working well. Besides the posting here, artifacts are sent to MalwareBazaar.

    bazaar.abuse.ch/browse/tag/Fak

  8. #FakeSG / #RogueRaticate leading to #netsupportrat

    ebodyfit[.]com/wp-content/uploads/ultimatemember/58/downloading-(114.0.522735.199%20(Official%20Build).url

    ebodyfit[.]com/wp-content/uploads/ultimatemember/57/consciousnessx.hta

    ebodyfit[.]com/wp-content/uploads/ultimatemember/56/housealba.zip

    ebodyfit[.]com/wp-content/uploads/ultimatemember/56/clients32.exe

    #threatintel #IOCs

  9. I can never tell, is a TA's infrastructure simply broken or am I not coming at it the right way. Anyway, #FakeSG was broken for me since Saturday. Now it works again with some changes. Same pattern, just swapped out two of the middle steps.

    Infection chain
    compromised site
    -->
    google-analytiks[.]com/sBY76j (Keitaro)
    -->
    www[.]barclayledsolutions[.]com/wp-content/uploads/2023/05/brwsr-chr(localupd-version105.215.414).url
    -->
    hXXp://94[.]156.6.203/Downloads/local-EN-version105[.]lnk
    -->
    www[.]barclayledsolutions[.]com/wp-content/uploads/2023/04/junker.hta
    -->
    hXXps://94[.]158.244.41:443 (NetSupport)

    tria.ge/230801-2a2s3sbe87/beha

  10. @defender @jeromesegura @terribleplan Possibly. The #SocGholish TA still first lands a JS that collects info about the victim. Up until July 17th I saw them switching to PS after that JS collection. But I haven't seen them do anything more than collect the info. Looks like this.

    (Compromised site)
    -->
    greedyfines[.]org/GRzk7JSP (Keitaro)
    -->
    sandwiches.tropipackfood[.]com/I9tOCVj5LWBH+XQ7FehiK1H5dCtHvjhxUqlsdA== (SocGholish TDS)
    -->
    lmd.plan.gemmadeealexander[.]com/editContent (SocGholish JS C2)

    Going direct to the PS hop still works for me. For example just now it does this chain.

    hXXp://asfgze[.]fun/f23.svg
    -->
    hXXp://kedkejehiciellf[.]top/1.php (DGA)
    -->
    hXXp://kedkejehiciellf[.]top/2.php (DGA)
    -->
    hXXps://dprn0jmb1nag5t9[.]top:14235 (PowerShell C2)

    The #FakeSG TA doesn't do JS or PS. They simply land NetSupport. The chain from a few minutes ago.

    (Compromised site)
    -->
    google-analytiks[.]com/sBY76j (Keitaro)
    -->
    alexiakombou[.]com/wp-content/uploads/2022/01/downloader(updchr(V104.215.214)silent.url ()
    -->
    hXXp://185[.]252.179.64@80/Downloads/silentupdater-chr(v105).lnk ()
    -->
    alexiakombou[.]com/wp-content/uploads/2021/12/EN-localer.hta (HTA)
    -->
    hxxps://94[.]158.244.41:443 (NetSupport)

    I'm wondering if the SocGholish TA is on vacation. They usually rotate parts of the chain at least once a week and I haven't seen a change since July 20th. That and the JS to PS hasn't worked since July 17th, at least not for me.

  11. The #FakeSG Keitaro stopped handing out .url URLs for about 11 hours, but they're back. And, w00t!, my script is able to flesh out the full infection chain on it's own. Below is just a copy/paste from it's output. So I can tell you they fixed it around 13:00:00 UTC. They only swapped out the compromised WP site, which seems to be the main piece they like to swap out.

    Infection chain
    compromised site
    -->
    google-analytiks[.]com/sBY76j (Keitaro)
    -->
    alexiakombou[.]com/wp-content/uploads/2022/01/downloader(updchr(V104.215.214)silent[.]url
    -->
    hXXp://185[.]252.179.64:80/Downloads/silentupdater-chr(v105).lnk
    -->
    alexiakombou[.]com/wp-content/uploads/2021/12/EN-localer[.]hta
    -->
    94[.]158.244.41:443 (NetSupport)

    tria.ge/230728-ztplrahf53/beha

  12. Hmm, what is this? Noticed another #KeitaroTDS that appears to be using the same template at #FakeSG

    advertising-cdn[.]com/Y34dw7

    Also of note is this victim site is a .gov. I tend to think of those as generally safe. I suppose this is an example of even .gov sites are not impervious.

    The path that got me to this originally came from another domain name on the same host.

    new-adversting[.]com/P6g7Hh

    Both have been out there since last year.

  13. Hmm, what is this? Noticed another #KeitaroTDS that appears to be using the same template at #FakeSG

    advertising-cdn[.]com/Y34dw7

    Also of note is this victim site is a .gov. I tend to think of those as generally safe. I suppose this is an example of even .gov sites are not impervious.

    The path that got me to this originally came from another domain name on the same host.

    new-adversting[.]com/P6g7Hh

    Both have been out there since last year.

  14. Hmm, what is this? Noticed another #KeitaroTDS that appears to be using the same template at #FakeSG

    advertising-cdn[.]com/Y34dw7

    Also of note is this victim site is a .gov. I tend to think of those as generally safe. I suppose this is an example of even .gov sites are not impervious.

    The path that got me to this originally came from another domain name on the same host.

    new-adversting[.]com/P6g7Hh

    Both have been out there since last year.

  15. Hmm, what is this? Noticed another #KeitaroTDS that appears to be using the same template at #FakeSG

    advertising-cdn[.]com/Y34dw7

    Also of note is this victim site is a .gov. I tend to think of those as generally safe. I suppose this is an example of even .gov sites are not impervious.

    The path that got me to this originally came from another domain name on the same host.

    new-adversting[.]com/P6g7Hh

    Both have been out there since last year.

  16. Hmm, what is this? Noticed another #KeitaroTDS that appears to be using the same template at #FakeSG

    advertising-cdn[.]com/Y34dw7

    Also of note is this victim site is a .gov. I tend to think of those as generally safe. I suppose this is an example of even .gov sites are not impervious.

    The path that got me to this originally came from another domain name on the same host.

    new-adversting[.]com/P6g7Hh

    Both have been out there since last year.

  17. Welp, I guess they are gonna keep swapping out pieces each day.

    Infection chain
    compromised site
    -->
    google-analytiks[.]com/sBY76j
    -->
    tre100[.]in/wp-content/uploads/2021/10/Install Updater (V105.215.8411-downloader-silent).url
    -->
    hXXp://185[.]252.179.64:80/Downloads/local-downloadersilent-install(v105).lnk
    -->
    tre100[.]in/wp-content/uploads/2021/09/local-EN.hta
    -->
    NetSupport GatewayAddress 94[.]158.244.41:443

    228ab3e4b67fe1e661d90f3755e62ff66a9267765f11e1f63bb084f05c6a582b local-EN[.]hta

    tre100[.]in/wp-content/uploads/2021/07/LocationTrack.zip
    tre100[.]in/wp-content/uploads/2021/07/client32.exe

    tria.ge/230726-ppm71sbc69/beha

    #FakeSG

  18. Settle down folks. They updated the URL/LNK/HTA, but at least the gateway is the same.

    Infection chain
    compromised site
    google-analytiks[.]com/sBY76j
    -->
    www[.]eastcoastmotorhomes.co[.]uk/wp-content/uploads/2021/01/Install Updater (downloadingV104.215.S5)(silent).url
    -->
    hXXp://185[.]252.179.64:80/Downloads/downloading-reinstalling-stable(silent).lnk
    -->
    www[.]eastcoastmotorhomes.co[.]uk/wp-content/uploads/2020/11/downloadingupd.hta
    -->
    NetSupport GatewayAddress 94[.]158.244.41:443

    e64fb3d5024306678f9f85e1c009b4a285eb1a9ef6c81d2e4a1d3eca7740d841 downloadingupd[.]hta

    www[.]eastcoastmotorhomes.co[.]uk/wp-content/uploads/2020/10/SuitableDrive.zip
    www[.]eastcoastmotorhomes.co[.]uk/wp-content/uploads/2020/10/client32.exe

    tria.ge/230725-xp2dmsfd32/beha

    #FakeSG

  19. They updated the LNK to point to a different HTA which in turn grabs a different NetSupport INI to point at a new gateway. Curious how frequently this group rotates the chain.

    Infection chain
    compromised site
    google-analytiks[.]com/sBY76j
    -->
    hXXps://esteticalocarno[.]com/wp-content/uploads/2023/02/Install%20Updater%20(V105.215.8412_silent).url
    -->
    hXXp://185[.]252.179.64:80/Downloads/shdeulerinstall[.]lnk
    -->
    hXXps://www[.]esteticalocarno[.]com/wp-content/uploads/2018/5/XVXCSASD.hta
    -->
    NetSupport GatewayAddress 94[.]158.244.41:443

    0e74d799e5486979f7cafb3c6bbd8fab224f882b82197eb8975818bd61cbb667 XVXCSASD[.]hta

    #FakeSG #RogueRaticate

  20. #FakeSG is back online. URL > LNK > HTA > NetSupport.

    Infection chain
    compromised site
    -->
    google-analytiks[.]com/sBY76j
    -->
    esteticalocarno[.]com/wp-content/uploads/2023/02/Install%20Updater%20(V105.215.8412_silent).url
    -->
    hXXp://185[.]252.179.64:80/Downloads/shdeulerinstall[.]lnk
    -->
    www[.]esteticalocarno[.]com/wp-content/uploads/2018/04/HHYGASDBBBX.hta
    -->
    NetSupport GatewayAddress conluase62[.]com:5051

    tria.ge/230724-qarsbsde69/beha

    #RogueRaticate