Anyone familiar with the infection chain for:
FakeCaptcha
=>
https://check.dasoc[.]icu/gkcxv.google?u=${usr_id}
I would very much appreciate a sample, IOCs, or other knowledge from this specific #FakeUpdate batch.
@threatcat_ch
Have you set up a hunting alert on URLhaus yet? With this new feature, you can get real-time notifications of key events, including:
✅ URL pattern (exact or wildcard match)
✅ Tag match (exact)
✅ Payload of a URL changes (URL ID)
✅ Signature for payload matches (exact)
URLhaus hunting alerts automatically pull your email from your https://t.co/x0TWKNn9PP profile, making setup easy! Setup your first hunting alert here 👉 https://t.co/WcVmScZ6KR
🎥 Watch it in action here (skip to 5:48 in this demo!)
👉 https://t.co/m1acqRrF7n
Unconfirmed #Trickbot:
PE32 .dll:
itelsys[.]ma/prod/education.php
PE32 .dll Sample:
https://t.co/3oENyKdORA
.xls Sample:
https://t.co/VGtHIoU52q
Looks to be the same actors with new tricks.
Share your findings.
https://t.co/oQWZP0tY6T
@JawsIntel@JAMESWT_MHT I've been tracking the botnets for a while; some other indicators I go off of are:
> XLM 4.0 macros
> Excel naming
> Excel template
> Malspam templates
> Payload naming
> .php Delivery
When I have time I'll try to get you a better answer.
Reference:
https://t.co/HQyudmCDvo
Note:
For each GET .php request a .exe is served. When this happens, the respective .exe is deleted from the web server.
That is why there are no more live payloads at this time...
Take-down example:
for n in `seq XXX`; do wget XXX.php; done
@Cryptolaemus1@lazyactivist192