The Email Fraud Survival Guide

TA569: SocGholish and Beyond

Share with your network!

Key Takeaways

  • TA569 leverages many types of injections, traffic distribution systems (TDS), and payloads including, but not limited to, SocGholish.
  • In addition to serving as an initial access broker, these additional injects imply TA569 may be running a pay-per-install (PPI) service
  • TA569 may remove injections from compromised websites only to later re-add them to the same websites.
  • There are multiple opportunities for defense against TA569: educating users about the activity, using Proofpoint’s Emerging Threats ruleset to block the payload domains, and blocking .js files from executing in anything but a text editor.

Overview

TA569 is a prolific threat actor primarily known for its deployment of website injections leading to a JavaScript payload known as SocGholish. In the past few months Proofpoint researchers have observed changes in the tactics, techniques, and procedures (TTPs) employed by TA569. Changes include an increase in the quantity of injection varieties, as well as payloads deviating from the standard SocGholish “Fake Update” JavaScript packages. Such changes, and the frequency of said changes, are likely in response to two things: efficacy data collected during the attack chain and profitability.

In our last report, we described the SocGholish threat and how it is delivered via email. 

That is, the URLs that lead to the threat are typically legitimate and being distributed via benign automated emails and lead to otherwise "friendly" websites (those that were not designed with malicious intent). The emails can be newsletters or from aggregate services like Google Alerts or a URL that was sent from one user to another.

TA569 is considered by Proofpoint to be an initial access broker (IAB), or an independent cybercriminal actor who infiltrates major targets and then sells access to other groups to deliver follow-on payloads such as ransomware. In addition to being an IAB, TA569 is thought to leverage their extensive network of injections and infrastructure to offer a pay-per-install (PPI) service to other threat actors. This PPI service solicits payloads from customers and facilitates serving the downloads and infecting victims.

In this report, Proofpoint researchers describe the injections used by TA569 to distribute various payloads, as well as what an end-user will see when visiting a compromised website.

Campaign Details

The infection chain begins when a user visits a website compromised by a TA569 injection. This could be through clicking on a link delivered via email or visiting a website directly. The victim’s browser interprets the injected JavaScript and if the environment meets certain criteria, a lure will be presented. The most common lure – used to deliver SocGholish malware – is a fake browser update that presents itself in full-screen format as if it were from the injected site itself. Proofpoint has observed other lures used by TA569 to deliver other malware payloads including: distributed denial of service (DDoS) protection, fake security software updates, captcha puzzles, and other “update” related themes. These lures are used to deliver various malware payloads including information stealers or remote access trojans (RATs)

When the lure is clicked, a file is downloaded containing the malware payload. The filetype depends on the payload and includes .js, .zip, or .iso files among others. A user must execute the file for the malware to run on the host. These various RATs and information stealers, like SocGholish, can set the stage for follow-on malware infections, including ransomware.

Injections

What is an Injection?

An injection is a section of HTML, PHP, or JavaScript code that is placed onto a website by a threat actor to cause a victim’s browser to render content, request assets from a local or remote resource, or redirect to another location. These injections of code are placed in a variety of locations including: otherwise benign compromised websites, compromised third-party assets used to render websites, and attacker controlled infrastructure. Proofpoint does not have evidence supporting the initial access vector which occurs outside of mailflow. 

Injection Deployment

Various implementations of injections have been observed but these implementations can be broadly categorized into three distinct categories that describe their flow.

The first category, referred to as Local (non-proxied), indicates that the entire injection is present on the page the victim is visiting and is executed on page load without dependency on any additional assets.

SocGholish

Figure 1: An example of an attack chain illustrating a local injection type resulting in SocGholish

The second category, referred to as Local Proxied, involves the storage of the injection in a local asset, such as a JavaScript library. When the browser is rendering the requested page, the local asset is called and the injection is executed. Injections have frequently been observed prepended to commonly used libraries like jQuery.

SocGholish

Figure 2: An example of an attack chain illustrating a local proxied injection type resulting in SocGholish

The third category, referred to as Remote Proxied, involves the fragmentation of the injection code over two or more domains. This method is achieved through an asynchronous request to a separate domain that contains the complete injection. The use of multiple domains makes this method more challenging for security measures to detect.

SocGholish

Figure 3: An example of an attack chain illustrating a remote proxied injection type resulting in SocGholish

Strobing

TA569 has been frequently documented as reinfecting websites that have undergone remediation for malicious injections. It is hypothesized that TA569 may use a technique referred to as "strobing" by Proofpoint researchers. Strobing involves the cyclical removal and readdition of injections to previously compromised websites, with the duration of removal ranging from hours to days and potentially repeating multiple times per day or over longer periods.

The underlying reason for this behavior remains uncertain, but it could be attributed to the workflow involved in the addition of new or differing injections to meet customer agreements or campaign goals, or to generate the illusion of a "clean" website and the possibility of false positive condemnations. This also presents challenges for incident response efforts, as the malicious injections may not be visible at all times.

Strobing

Figure 4: Injection Strobing on a single host 

Injection Varieties

The threat actor TA569 has been observed to employ various injection methods for the deployment of its payloads. These injections can be classified into two main categories, with occasional exceptions. The first category encompasses injections that result in the delivery of SocGholish payloads. The second category includes injections that lead to the deployment of payloads other than SocGholish, referred to as Scriptzzbn injections. It should be noted that Scriptzzbn injections have also been used for the delivery of SocGholish injections, which in turn lead to SocGholish payloads.

SocGholish Injection

SocGholish type injections exhibit a higher degree of selective criteria compared to other payload injections. The delivery of the lure to the end-user is contingent upon the victim's environment meeting specific requirements. For instance, if the host is not running on Windows, has already been served a lure (according to IP and other cookies), or if the user's browser contains a cookie indicating a Wordpress administrator login, the lure for the SocGholish "Fake Update" payload will not be delivered, terminating the attack. This filtering is achieved through the utilization of a Traffic Directing Service (TDS) to guarantee that the payloads are delivered to suitable environments.

The injections employed by TA569 are routed through a diverse range of Traffic Distribution Services (TDS), also known as Traffic Directing System/Service. A TDS is a technology stack that enables its operators to develop complex and dynamic flows of web traffic, with both legitimate and malicious uses. TA569 leverages the capabilities of TDS platforms to direct victims through attacker-controlled infrastructure. TDS platforms are commercially available, open source, pirated, or privately developed, each offering unique features. TA569 has been observed using multiple TDS platforms.

The use of TDS platforms by TA569 helps to further obscure their injections and provide versatility in the payloads delivered. The malicious JavaScript injections serve as the entry point for the TDS. The TDS provides multiple functions in the attack chain, including defense against researchers and bots. The geographic filtering based on IP, a blocklist of known bot IPs, and a ledger of served payloads make it challenging to identify payloads for analysis and to reproduce infection chains for incident response teams. The TDS not only provides defense but also gathers valuable information about the performance of injections, victim identification, and payload deployment efficacy. Due to the inherent nature of TDS platforms and their designed purpose, Proofpoint researchers hypothesize this information, combined with variations in payloads and download efficacy data, informs campaign design with the aim of maximizing infection and profitability.

SocGholish Injection Varieties

SocGholish injections have leveraged a variety of obfuscation routines in an effort to thwart detection and complicate analysis. Such varieties include single or double base64 encoding portions of the injection, reversing strings, padding strings with extra characters resulting in a need to skip every other character to derive the true value, as well as several different versions employing line breaks and variations in the size of variables. These coupled with the options afforded by injection deployment categories create a formidable battery of possible combinations.

On 26 November 2022, Proofpoint researchers identified a new type of inject and follow-up chain of requests not previously used by TA569. This chain led to the expected fake browser update and JavaScript executable that requires a greater degree of scrutiny to confirm statically. The inject used a simple async script with a base64 encoded Uniform Resource Identifier (URI) to make a request to the actor-controlled stage 2 shadowed domain. 

SocGholish

Figure 5: An example of the SocGholish injection format as of November 2022.

SocGholish

Figure 6: An example of the SocGholish”mod2” injection. 

SocGholish Payload

In our previous report we discussed SocGholish and what an end-user can expect when encountering a “Fake Update” payload. The SocGholish payload is either a .js file or a .zip file containing the JavaScript file. A user must open these files manually for the payload to detonate.

SocGholish payloads are dynamically generated with data points about the victim being an input. This dynamic generation essentially locks each payload to each victim causing the payload to be rendered useless if it is moved to a different environment for analysis. Additionally, each payload is keyed to a specifically prefixed subdomain for command and control (C2) communication. Attempting to interact with a previously observed C2 domain with a known prefix will result in a closed connection. 

The first step of a SocGholish payload will reach out to the C2 server for further instructions. If a payload "passes” the initial challenges, it will get a response from the C2 server with instructions to “fingerprint” the host it is running on and relay that information back. Depending on the host information, the C2 server will send another response to drop a RAT, execute additional host analysis to later drop an intrusion framework, or terminate the running process.

SocGholish

Figure 7: The SocGholish Payload 

Sczriptzzbn Injection

The name “Sczriptzzbn” is taken from a string present in the inject. The Sczriptzzbn injection is crude in comparison to the SocGholish injection. It is used for deploying various types of commodity malware, including remote access Trojans (RATs) and information stealers. The lures employed by this technique are of are not as polished as those used by SocGholish and are generally less professional in appearance. The lures are diverse in subject matter, ranging from fake DDoS protection captchas, captchas that cannot be solved, to simple browser update pop-ups. The management of campaigns and the evaluation of efficacy in the Sczriptzzbn injection technique is facilitated by a TDS namely zTDS, but only a few of the defensive measures present in the platform have been incorporated.

SocGholish

Figure 8: A fake Cloudflare (distributed denial of service) DDOS protection popup distributed by a Sczriptzzbn inject.

SocGholish

Figure 9: A notably lower quality variant of the “fake update” lure leading to NetSupport RAT distributed by the Sczriptzzbn inject. 

SocGholish

Figure 10: A portion of the captcha lure distributed by the Scriptbzzbn inject.

SocGholish

Figure 11: Example of a TA569 telephone-oriented attack delivery (TOAD)-based fake security alert.

Sczriptzzbn Payloads

TA569 has been observed engaging in the deployment of various forms of malware, including information stealers and RATs. This behavior is believed to be facilitated by TA569's Pay-Per-Install (PPI) business model. The commodity RATs and stealers that have been observed to be deployed by TA569 include, but are not limited to, NetSupport RAT, Redline Stealer, SolarMarker, and IcedID. Furthermore, it has been documented that TA569 delivers telephone-oriented attack delivery (TOAD) lures that are disguised as security alerts. The format of the delivered payloads can vary, with some being served as compressed executables and others being served as executables within an .iso file. The naming of these files often reflects a common theme of "update."

Since 26 November 2022, Sczriptzzbn injects have not delivered commodity malware as a first-stage payload, and all injections now deliver a subsequent SocGholish injection ultimately leading to delivery of the SocGholish payload.

Mistakes, Co-deployment, and Attribution 

In August 2022, Proofpoint observed that TA569 began deploying the NetSupport RAT as the initial payload through the Sczriptzzbn injection method. The hosting infrastructure of the injection leading to the NetSupport RAT payload was also noted to have simultaneously served SocGholish injections during this period.

This convergence of infrastructure created suspicion that the SocGholish and Sczriptzzbn clusters may both be attributed to TA569. Ultimately the shift from the delivery of commodity malware through Sczriptzzbn injections to the delivery of SocGholish as of November 2022 solidified this attribution.

With regards to motivation, Proofpoint researchers hypothesize that the use of Sczriptzzbn and its associated payloads may be a strategic move by TA569 to expand their business offerings and establish themselves not only as an Initial Access Broker (IAB) but also as a player in the Pay-Per-Install (PPI) market.

SocGholish

Figure 12: A diagram showing the two distinct business lines of TA569 and their applicable injects and payloads.

SocGholish

Figure 13: On 09 August 2022, TA569 accidentally injected all their SocGholish injects and a new NetSupport RAT Sczriptzzbn inject on the same domain. 

Prevention Opportunities

The Proofpoint Emerging Threats team has developed effective prevention strategies for TA569 and SocGholish infections. The team publishes domain rules for actor-controlled domains, which can be used through Snort and Suricata or as standalone downloads for usage in other tools. By monitoring and blocking these domains, organizations can prevent the download of malware payloads and thus disrupt the attack before it reaches end users.

An effective preventive measure against a SocGholish infection is the monitoring of .js files that are either downloaded or unzipped. Additionally, blocking .js files from executing in anything but a text editor will prevent the malicious files from executing once they have been downloaded. Implementing these simple yet powerful steps can help organizations protect themselves from the harmful consequences of a SocGholish attack.

Conclusion 

To protect against TA569 and its related malware, defenders should remain vigilant in their evaluation of alerts, even in the face of what may appear to be false positives. This high-volume threat has the potential to infect a vast number of websites, including those belonging to high-traffic media outlets and other reputable, trusted sources.

It is crucial that organizations educate their end users about the tricks and lures used by this actor, and to maintain a critical eye in the face of any suspicious activity.

Appendix 

SocGholish

Figure 14: SocGholish Overview 

SocGholish

Figure 15: SocGholish Stage_1: TDS

SocGholish

Figure 16: SocGholish Stage_1: Initial Domain 

SocGholish

Figure 17: SocGholish Stage_1 Injection 

SocGholish

Figure 18: SocGholish Stage_2: Payload Host

SocGholish

Figure 19: SocGholish Stage_3: Payload Execution and C2 

SocGholish

Figure 20: SocGholish Stage_4: Follow On

Indicators of Compromise 

SocGholish:

Static Stage 1:

soendorg[.]top

hxxps[://]jquery0[.]com/JkrJYcvQ

Stage 2 (Shadowed Domains):

Domains:

accounts.mynewtopboyfriend[.]store

active.aasm[.]pro

actors.jcracing[.]com

amplifier.myjesusloves[.]me

auction.wonderwomanquilts[.]com

automatic.tworiversboats[.]com

baget.godmessaged[.]me

basket.stylingtomorrow[.]com 

brooklands.harteverything[.]com

business.mygshplus[.]com

canonical.fmunews[.]com

cardo.diem-co[.]com 

casting.austinonline[.]shop

casting.faeryfox[.]com

center.blueoctopuspress[.]com

chess.north-atlantic[.]com

chicago.beboldskin[.]com

cigars.pawscolours[.]com

clean.godmessagedme[.]com

click.clickanalytics208[.]com

cloud.bncfministries[.]org

collapse.tradingiswar.com

common.dotviolationsremoval[.]com

community.backpacktrader[.]com

community.wbaperformance[.]com

connect.codigodebarra[.]co

consultant.meredithklemmblog[.]com

contractor.thecaninescholar[.]com

course.netpickstrading[.]com

cruize.updogtechnologies[.]com

custom.usmuchmedia[.]com

d2j09jsarr75l2.cloudfront[.]net

dashboard.skybacherslocker.com

design.lawrencetravelco[.]com 

deposit.coveprice[.]com

diamond.speaktomyheart[.]org

ecar.allsunstates[.]com

episode.foxscales[.]com

exclusive.milonopensky[.]store

extcourse.zurvio[.]com

expense.brick-house[.]net

expert.stmhonline[.]net 

factors.djbel.com

family.1ablecommunity[.]com

festival.robingaster[.]com 

fittingroom.gibbsjewelry[.]com

football.4tosocial[.]com

fundraising.mystylingmylife.xyz

furniture.nothingordinarydesign[.]com

genesis.ibgenesis[.]org

gohnson.advanceditsolutionsaz[.]com 

governing.beautynic[.]com

group5.corralphacap[.]com

hair.2topost[.]com

hares.lacyberlab[.]net

havana.littlehavanacigarstore[.]com

hemi.mamasbakery[.]net

hook.adieh[.]com

hope.point521[.]com

hunter.libertylawaz[.]com

internship.ojul[.]com

kinematics.starmidwest[.]com 

library.covebooks[.]com

loans.mistakenumberone[.]com

logistics.socialtrendsmanagement[.]com

mafia.carverdesigngroup[.]com 

mask.covidturf[.]com

master.ilsrecruitment[.]com

memorial.4tosocialprofessional[.]com 

mini.ptipexcel.com

minion.maxxcorp[.]net

modernism.designpaw[.]com 

montage.travelguidediva.commycontrol.alohaalsomeansgoodbye[.]com

myfood.silverspringfoodproject[.]org

natural.cpawalmyrivera[.]com 

navyseal.bezmail[.]com

nivea.dreamworkscdc[.]com

notes.fumcpittsburg[.]org

notify.aproposaussies[.]com

office.cdsigner[.]com

paggy.parmsplace[.]com

passphrase.singinganewsong[.]com

pastor.cntcog[.]org

people.fl2wealth[.]com

people.zonashoppers[.]com

performer.stmhonline[.]com

perspective.abcbarbecue[.]xyz

perspective.cdsignner[.]com

podcasts.momsgrabcoffee[.]com

portfolio.rainbowgraffixx[.]com

predator.foxscalesjewelry[.]com

premiere.4tosocialbeginners[.]com 

progress.cashdigger[.]com

prompt.zonashoppers[.]academy

puzzle.tricityintranet[.]com

query.dec[.]works

record.usautosaleslv[.]com

repair.annetamkin[.]com

repo.allgoodsnservices[.]com

republic.beboldskincare[.]com

requests.pleaseactivate[.]me

resale.adkelly[.]com

resort.reliablecommunityservices[.]com

restructuring.breatheinnew[.]life

rituals.fashionediter[.]com

rocket2.new10k[.]com

sdk.expresswayautopr[.]com

second.pmservicespr[.]com

secretary.rentamimi[.]com

shipwrecks.ggentile[.]com

shock.creatingaharmoniouslife[.]net

smiles.cahl4u[.]org

sodality.mandmsolicitors[.]com

sonic.myr2b[.]me

squad.incumetrics[.]com

standart.sdtranspo[.]com

stanley.planilla2021[.]com

stuff.bonneltravel[.]com

subscribe.3gbling[.]com

taxes.rpacx[.]com

telemetry.usacyberpages[.]net

tickets.kairosadvantage[.]com

track.amishbrand[.]com

training.c1ypsilanti[.]org

training.ren-kathybermejo[.]com 

travel.dianatokaji[.]com

tutorials.girandolashutkindconstruction[.]com

vacation.thebrightgift[.]com

vacation.thebrightgift1[.]com

wallpapers.uniquechoice-co[.]com

west.bykikarose[.]com

wiki.clotheslane[.]com

zoom.themyr2bpodcast[.]com

IPs:

45.10.42[.]26

45.10.43[.]78

91.208.197[.]151

91.208.197[.]229

91.219.238[.]223

141.94.63[.]231

141.136.35[.]148

153.92.223[.]141

159.69.101[.]84

167.235.236[.]131

176.124.215[.]97

179.43.133[.]40

179.43.141[.]196

179.43.190[.]22

185.185.87[.]126

190.211.254[.]41

195.123.246[.]184

198.199.100[.]215

217.25.95[.]182

URIs:

/report?r=dj01MDY1NDg3MTIwZTU2ZmQ1ZTZlNCZjaWQ9MjY0

/report?r=dj03MDgyZTc5ZmNhN2EwY2M2YjA3NCZjaWQ9MjYz

/report?r=dj03ZDdlM2JjMjNlY2E3Mzc0OTQxYSZjaWQ9MjUw

/report?r=dj04YTFlYmI3OWRiZjZlN2VmNzgwYiZjaWQ9MjU1

/report?r=dj0wMGJmNTEzY2M0YTJiODAwY2EzZSZjaWQ9Mjcw

/report?r=dj0wOTlkY2ViYTJhMmVkMzgyZWMxZCZjaWQ9MjYw

/report?r=dj0xYTAyMDFiNTJkN2NhOTk5NzE1MyZjaWQ9MjY4

/report?r=dj0zYzEzNGU0YTk2MGU4YmMwZWRlZiZjaWQ9MjYx

/report?r=dj1iNjI0OWFiNTViODVhMDIxZmRjZCZjaWQ9MjYy

/report?r=dj1iZjczNzgxMjU1N2YxNjgzMDI2MyZjaWQ9MjY5

/report?r=dj1kMTRmZWQyZjUzNDc3N2JmMjIxYiZjaWQ9MjUx

/s_code.js?cid=230&v=56b0c8d8337c9f44fda2

/s_code.js?cid=240&v=73a55f6de3dee2a751c3

/s_code.js?cid=247&v=b83d055c53edad92676e

/s_code.js?cid=251&v=d14fed2f534777bf221b

C2:

Domains:

*.activation.thepowerofhiswhisper[.]com

*.asset.tradingvein[.]xyz

*.betting.cockroachracing[.]site

*.campaign.tworiversboat[.]com

*.demand.sageyogatherapies[.]com

*.diary.lojjh[.]com

*.discover.jsfconnections[.]com

*.fate.truelance[.]com skybacherslocker

*.fluctuations.trendylevels[.]com

*.fork.topgeargroup[.]shop

*.houses.in-vermont[.]com

*.internal.blessedfoodshalalmeat[.]com

*.jobs.registermegod[.]online

*.market.dentureforfree[.]online

*.moments.abledity[.]com

*.offerings.love4lifewellness[.]com

*.portraits.studio-94-photography[.]com

*.rate.coinangel[.]online

*.rendezvous.tophandsome[.]gay

*.roles.thepowerofgodswhisper[.]com

*.samples.muzikcitysound[.]com

*.school.cherry-street-portrait-studios[.]com

*.signing.unitynotarypublic[.]com

*.state.thegshrevolution[.]com

*.telegram.godsmightywhispers[.]com

*.templates.victoryoverdieting[.]com

IPs:

45.9.190[.]217

77.91.127[.]52

82.180.154[.]113

84.32.188[.]27

159.69.101[.]84

185.185.87[.]19

185.185.87[.]24

188.138.69[.]102

195.133.88[.]19

URIs:

/updateResource

/settingsCheck

/ajaxTimeout

/notifyCustomer

/subscribeEvent

/shareView

TA569:

Domains:

adogeevent[.]com

best.theascent-group[.]com

ergpractice[.]com

gloogletag[.]com

friscomusicgroup[.]com

luxurycompare[.]com

luxury-limousine[.]com

pastukhova[.]com

shortsaledamagereports[.]com

skambio-porte[.]com

trailerstrade[.]com

yaritsavodka[.]com

IPs:

5.42.199[.]146

91.228.56[.]183

91.213.50[.]65

193.149.176[.]135

URIs:

/browser-js

/id

/irs

/js1

/tagged/ajax.js

URLs:

https://gitlab.com/Binayak7/golden

https://gitlab.com/GabrieleWlosinski32/new-good/

https://gitlab.com/jojojacob/good/

File Hashes:

NetSupport .exe

8f3bb770ad8cafcabe4eba9f67ba79f353ddee4caf30532e724bdeb15489df64

bad534540ed575c213bd34fe1f21c6ffca58169e9c9c83669749c3f6e398ea4b

23b14288d49610a8eef61977b7fc49a963f1261fe29b1668b4443a04eaf493cb

3d0bc49f6a4dc55286119be8ec8e24fd1a18f8e817fc4c7809ec018112349699

202853bdbebfce4d5c86493abd168d25f5557be039af8fce58eeda47250083ce

a848e30ce1de8bb52766938f09c90a5c192096820e0890c787b7a352c59ec95b

e05d89f9ab911a5dc7c18f1bae0f7030a2f1f158987551755c43638b917d9808

 681ac78369f4d3688f67c3a363337e3eb855db248e92cff8a35e8abe6028ade5

0d357a2440537e073c4eeb16a7d109d5eb367557674e8d16615fdb06fb9a2089

e5d2e65fdcbf20894fbc525fdc15157c16ee8f936d433e27c9266764a40d7a85

NetSupport .iso

c1dadb7ed2a9ba97bd440dcfc18519da5887f473d9f635a0975d742fa3f80ee6

76b3d17196dd9e99eadd46e8bc760ec8809a0c723f66fb687ab8576dd1299e34

31d7d798d1cde0d978be8aece150160aa2e4da4ce9e5e85972dc2e15e8c8d03b

09d3a3eab810cd5dc37641f4f74b6de7f634589d68f6a990b8f5296e4e48501d

388bbd8b592cebe4a0a32351969fe2e19e454af24ff6683524c71f74e0320ac0

efb0bb2fa8929e4889eb982d7351e844af05b7efd0d0b721a2911d89f0a66eea

3dd172bf8a7e2985f8387ffc4b6f2fc3ee05435b69a43d714d3137d9a5147127

36dbd2428d6ee76af1e5a4719058c28637963241579dd5aba716d79d26bd0543 

7a1fd70d092ebad80ba298e80147eddcd115194848591c2c23ded266a4881b6e

d0449da712948e6cac7a9b9c35a184b80d7127b9be2ac9b24e2fa3e7d4510e53

9322965adfa126aa09811ed703da19f588688a65a29bc8cf31612c7b2217fd47

23bea4bb6c911fa0d655a4fc2f13d237b19a2dc165b79e00f98919fd1a21b04f

83cea606cc5d6c671b6b100b6dc3b93786a103b1faf106ce21b4ace02a8369fc

e06a55623a52e7c8b0b3b46301a23ef00fb31e98a7d2b9eb5ab3ae513a199646

NetSupport C2s:

neashell1[.]com:3026

neashell2[.]com:3026

shetrn1[.]com:5511

shetrn2[.]com:5511

 she32rn1[.]com:5511

she32rn2[.]com:5511

SolarMarker

18aeff0a97dfd33b6f0664f43ecafd18511af559002072f680a4e5929a9c7e4f

a82a9e1f6667350808a19219d586d10bcea85cf73b67024d8c58366981fe4993

bb71d77ff7c7be3dc6957b08e57323092a43735df818b3150c41b8230c4d9be1

Redline Stealer

52b43d0f11bca924e2ef8d7863309c337910f6a542bf990446b8cd3f87b0800e

e47a70734571d7c3f11375e6b41dfad08c9a0b712612c4b55b20f8e85551ceb9

13d576dde555a93f8e5ec567e61a44cae663c83b9878bbed7f1e37ee47fb9ee8

Unknown

cbcf193959725222c09482cd5ff685b63c0a6b564e6e07fa7f605bc3bcc2ba6e

References

  1. “sczriptzzbn inject pushes malware for NetSupport RAT” https://isc.sans.edu/diary/sczriptzzbn%20inject%20pushes%20malware%20for%20NetSupport%20RAT/29170 -Brad Duncan (@malware_traffic on twitter)
  2. “Fake DDoS Pages On WordPress Sites Lead to Drive-By-Downloads” https://blog.sucuri.net/2022/08/fake-ddos-pages-on-wordpress-lead-to-drive-by-downloads.html - Ben Martin
  3. “To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions” https://www.mandiant.com/resources/blog/unc2165-shifts-to-evade-sanctions - Mandiant Intelligence
  4. “WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group” https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/ -Stefano Antenucci