Discover and read the best of Twitter Threads about #SocGholish
Most recents (4)
1/ Part of the script used by #TA569 (Initial Access Broker) to inject the Keitaro TDS code into compromised sites 🚩
In this variant, if the IP is correct and the red_ok cookie is not declared, the injection is shown and the infection flow continues until #SocGholish or others.
In this variant, if the IP is correct and the red_ok cookie is not declared, the injection is shown and the infection flow continues until #SocGholish or others.
2/ Two #KeitaroTDS domains in use by #TA569:
- jqueryns[.]com
- jqscr[.]com "new"
In the IP of the latter there is also the domain jqueryj[.]com with a panel that at first sight I cannot recognize 🧐 but is some kind of bot/stealer/clipper, very likely related. / @ViriBack
- jqueryns[.]com
- jqscr[.]com "new"
In the IP of the latter there is also the domain jqueryj[.]com with a panel that at first sight I cannot recognize 🧐 but is some kind of bot/stealer/clipper, very likely related. / @ViriBack
3/ To get an idea of the scope, if we search on publicwww for the domain "jqueryns[.]com" we get 2196 infected sites, for the domain "jqscr[.]com" we get another 196 compromised sites so far.
- publicwww.com/websites/%22jq…
- publicwww.com/websites/%22jq…
More results in Google too 🤦♂️
- publicwww.com/websites/%22jq…
- publicwww.com/websites/%22jq…
More results in Google too 🤦♂️
Proofpoint Threat Research has observed intermittent injections on a media company that serves many major news outlets. This media company serves content via #Javascript to its partners. By modifying the codebase of this otherwise benign JS, it is now used to deploy #SocGholish.
We track this actor as #TA569. TA569 historically removed and reinstated these malicious JS injects on a rotating basis. Therefore the presence of the payload and malicious content can vary from hour to hour and shouldn't be considered a false positive.
Proofpoint observed TA569 injects within the assets of a media company used by multiple major news orgs. More than 250 regional/national newspaper sites have accessed the malicious Javascript. The actual number of impacted hosts is known only by the impacted media company.
Raspberry Robin is a malware that has been around for some time now and spreads via infected USB drives.
Here is what we have seen over the last 10 months. 🧵 1/12 #RaspberryRobin #malware
via @lazy_daemon
Here is what we have seen over the last 10 months. 🧵 1/12 #RaspberryRobin #malware
via @lazy_daemon
@sekoia_io and @redcanary have already published excellent technical analyses of this malware, so we won't go into more detail about it.
7095517.fs1.hubspotusercontent-na1.net/hubfs/7095517/…
redcanary.com/blog/raspberry…
🧵 2/12
7095517.fs1.hubspotusercontent-na1.net/hubfs/7095517/…
redcanary.com/blog/raspberry…
🧵 2/12
Since December, 2021, we've seen several cases mostly in Hungary🇭🇺 and Germany🇩🇪 but also a few in Russia🇷🇺 and India🇮🇳.
The user always clicked the malicious link, so no automatic infection when the USB drive was plugged in. 🧵 3/12
The user always clicked the malicious link, so no automatic infection when the USB drive was plugged in. 🧵 3/12
Stage 1: The injected site. These are compromised sites where a JavaScript implant is present in the HTML Source of the page.
These are plentiful (more than 1000 active at any time).
They come in 2 varieties currently:
1x B64 encoded and 2x B64 encoded
These are plentiful (more than 1000 active at any time).
They come in 2 varieties currently:
1x B64 encoded and 2x B64 encoded
Stage 2: Payload Host...aka the site Stage 1 pulls the "fakeupdate" from. (/report/blah)
These are less plentiful than Stage 1. Their TTL is measured in days or weeks. There are some currently that are approaching months.
These are a more reliable IOC to block vs Stage 1.
These are less plentiful than Stage 1. Their TTL is measured in days or weeks. There are some currently that are approaching months.
These are a more reliable IOC to block vs Stage 1.
