#fakeupdates

Brad

2024-12-17 (Tuesday): #SmartApeSG injected script leads to fake browser update page, and that page leads to a #NetSupport #RAT infection.

Just like my last post here, there are 2 injected scripts in a page from the compromised site, one using depostsolo[.]biz and one using tactlat[.]xyz.

A #pcap of the infection traffic, associated malware samples and more information is available at https://www.malware-traffic-analysis.net/2024/12/17/index.html

NetSupportRAT C2 for this campaign continues to be 194.180.191[.]64 since as early as 2024-11-22.

#FakeUpdates #NetSupportRAT

Jérôme Segura

There's a new player in the 'fake updates' arena. Thanks to @rmceoin for initially posting about it here.

Blog link: https://www.malwarebytes.com/blog/threat-intelligence/2023/07/socgholish-copycat-delivers-netsupport-rat

#FakeUpdates #FakeSG #SocGholish

mithrandir

I've published the second in a series of blog posts on SocGholish related activity. The latest installment focuses on breaking down the fake update payload itself.

https://rerednawyerg.github.io/malware-analysis/socgholish_part2/

#socgholish #malware #intel #fakeupdates

Taggart: ~# :idle:

On today's #TTILive, we're back at it with some more #Malware Analysis! I have a fresh #FakeUpdates/#SocGholish sample to pick apart. Join the investigation live at 17:00 PST/ 01:00 UTC! https://twitch.tv/mttaggart

#InfoSec #CyberSecurity

Taggart: ~# :idle:

The fruit of today's labors: https://otx.alienvault.com/pulse/63b4bfa2cb30ff4a9b202bbe

#FakeUpdates #ThreatIntel #InfoSec #CyberSecurity