We've discovered a new #Emotet malware #phishing campaign that leverages Google Sites & a previously compromised PetFoods website. We were asked to look into the following email. Thanks to the fantastic tools from @RiskIQ @PassiveTotal we finally connected the dots. #infosec
We plan to write up the details soon but here's a general overview. First we looked at some of the indicators of compromise and surprisingly found that a Google search for "Mel Redins" revealed ZERO results in Google. That's pretty hard to do these days. #infosec #osint #emotet
Same thing with searching for the email that Mel Redins provided. Also zero results in Google and haveibeenpwned(.)com. #infosec #osint #emotet
We found evidence of other examples of the same phishing email going back at least a few weeks. We haven't fully investigated these past phishing emails but with the exception of slight variations in the text they are very similar. #infosec #osint #emotet
So how does it work? Our initial analysis tried to look at the click sequence & we were able to identify the following chain of network requests from the initial link embedded in the #phishing email. It directs unsuspecting users to go to what seems like a legitimate Google Sites URL.
The storageonnet(.)top URL stood out in the sequence. "Top" TLDs are not very common. And this domain had been registered recently on 07-29-2020. Another red flag. We checked into the domain using @PassiveTotal from the good folks at @RiskIQ and found a number of additional clues
When we tried to recreate the sequence we were unable to. That happens more & more now as malware can look for very specific requirements to function and/or part of the network had already been dismantled. Using @PassiveTotal we found some #Osint details to find these screenshots.
From those screenshots we deduced the hackers were using Google Sites & an embedded frame using the storageonnet(.)top domain to retrieve the word document infected with #emotet from yet another URL. Using the initial Google Sites URL allowed them to bypass spam filters #infosec
From both @PassiveTotal and @HybridAnalysis we finally pieced together that the final URL called, which contained the #Emotet malware, was from an infected Petfoods ecommerce store supposedly in India. #infosec #osint
That's enough of the basic details and it goes without saying that you should not go to any of these links without proper protection. #infosec #emotet #osint
Oh right, forgot: as of a few days ago at Virustotal only Kaspersky was identifying storageonnet(.)top as potentially malicious / problematic. The petskingdom(.)in domain, more surprisingly, is only flagged in a couple of places. #emotet #malware #infosec #osint
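As an added example (not from the thread or its authors), here is a small Python triage helper that applies the red flags the thread describes to a captured landing page: it pulls iframe and link targets out of the HTML, refangs them, and flags an uncommon TLD, a recently registered domain, and a direct Office document download. The HTML, the TLD list and the registration lookup table are constructed for the example; the only value taken from the thread is the 07-29-2020 registration date of storageonnet(.)top.

```python
from datetime import date
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of what a captured copy of the Google Sites landing page
# could look like: an iframe that pulls content from the storageonnet(.)top
# domain and a link to a Word document on the compromised store. Indicators
# are kept defanged, exactly as the thread writes them.
SAMPLE_HTML = """
<html><body><h1>Shared document</h1>
<iframe src="https://storageonnet(.)top/view/?id=12345" width="800"></iframe>
<a href="https://petskingdom(.)in/wp-content/uploads/invoice.doc">Download</a>
</body></html>
"""

# Stands in for a passive-DNS / WHOIS lookup (constructed table; the date for
# storageonnet.top is the registration date given in the thread).
REGISTRATION_DATES = {"storageonnet.top": date(2020, 7, 29)}

# Assumption: TLDs the triage treats as unremarkable for this mailbox.
COMMON_TLDS = {"com", "net", "org", "edu", "gov", "in", "uk", "de"}
OFFICE_EXTS = (".doc", ".docm", ".xls", ".xlsm")


def refang(indicator):
    """Turn a defanged indicator such as 'example(.)top' back into a URL."""
    return indicator.replace("(.)", ".").replace("hxxp", "http")


class _LinkExtractor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls = []  # (tag, refanged url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in (("iframe", "src"), ("a", "href")) and value:
                self.urls.append((tag, refang(value)))


def extract_links(html):
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.urls


def score_url(url, seen_on, max_age_days=90):
    """Return (host, reasons) where reasons lists the red flags that fired."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    reasons = []
    tld = host.rsplit(".", 1)[-1]
    if tld not in COMMON_TLDS:
        reasons.append(f"uncommon TLD .{tld}")
    registered = REGISTRATION_DATES.get(host)
    if registered and (seen_on - registered).days < max_age_days:
        reasons.append(f"registered {(seen_on - registered).days} days before sighting")
    if parsed.path.lower().endswith(OFFICE_EXTS):
        reasons.append("direct Office document download")
    return host, reasons


def triage(html, seen_on):
    """Score every iframe/anchor target in the page; returns [(tag, host, reasons)]."""
    return [(tag,) + score_url(url, seen_on) for tag, url in extract_links(html)]
```

Note that the compromised petskingdom(.)in host is only caught by the file-type check, which mirrors the thread's observation that the legitimate-looking store is barely flagged anywhere.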
Seems to be a very interesting coordinated effort that is very well funded and links to almost all of the House Democrats that have come out against Biden. Are these House Dems just really naive or are they all part of the scheme? 🔥🔥 I have a feeling this is going to blow up.
And I wasn't even talking about this .... the leaked Ted Cruz fund raisers a month or two back .... but wow why would Ted Cruz be meeting with a guy who is now helping to fund House Dem backstabbers? 🤔 You know this @RepAngieCraig
🔥🔥 Now that Sidney Powell has flipped on everyone else in the #BigLie (Michael Flynn as well possibly)… these prior details about David Hancock apparently having a phone recording between Donald Trump and Sidney Powell at Lin Wood’s Tomotley about the time General Flynn got his pardon from Trump … well 💥💥
@visionsurreal Outstanding article just out by @emptywheel that follows along this line of thinking that there may in fact be some damning evidence of a quid pro quo for the pardon Trump gave to Flynn while they were all at Lin Wood’s plantation in Georgia. emptywheel.net/2023/10/22/don…
I have become fascinated with one of the more obscure defendants that was named in the @faniforDA indictment that most prominently included Donald Trump and his efforts to reverse the Presidential outcome (his loss) in Georgia. The name is Rev. Stephen Lee and he is an ordained Missouri Synod Lutheran minister & a connection to NAR (New Apostolic Reformation). 1/9
Here is the relevant section of the @faniforDA indictment that discusses Rev. Stephen Lee's involvement and the relevant charges. Basically he traveled to Georgia to help with the efforts of overturning Trump's loss there after the 2020 election. Lee was indicted for attempting to coerce election worker Ruby Freeman into falsely admitting election fraud. 2/9
First it should be noted that the doctrine of the Missouri Synod Lutheran Church (LCMS) is very, very different from that of the ELCA Lutheran church, with LCMS being much more conservative and rigid. Anti-LGBTQ, anti-reproductive rights, forbids women being ministers and oddly states a position against Freemasonry, etc. 3/9
There is a lot of talk that the new Qanon movie "Sound of Freedom" is being heavily astroturfed and this thread by @CyKoore sure seems to support that idea. Lots of talk that big blocks of tickets are being bought up by unknown dark money sources and lots of videos of empty… twitter.com/i/web/status/1…
In fact Angel Studios themselves crowd-sourced the purchase of tickets to the #SoundOfFeeedom movie that supposedly were then provided free of charge to patrons wanting to watch the movie. It would appear millions of tickets were procured in this manner both by Angel Studios and… twitter.com/i/web/status/1…
So is the supposed talk of box office success of #SoundOfFeeedom actually being astroturfed? It's difficult to empirically assess something like this but one way is to look at Google trends data and compare it to other movie openings. We found a few things of interest. One thing… https://t.co/KS6fPXmayk twitter.com/i/web/status/1…
This is looking more and more like a classic Kremlin hack and leak disinfo Op. Pretty clear with the fabricated Russian vs Ukrainian troop losses. We have found a couple pro-Kremlin accounts dispersing the documents on Twitter well before the NYTimes. Accounts involved in prior Kremlin #disinfo
Here is one pro-Kremlin troll account that has a clear past history of pushing out / boosting prior Kremlin disinformation operations. This account pushed out a portion of the leaked document hours before the New York Times article and promoted the part that was fabricated showing a significantly lower level of Russian troop losses than that of Ukrainian troop losses. Oddly levels lower than what even the Russian MoD has admitted to in the past. We redacted the sensitive parts of the screenshot of the original tweet.
Without having the original un-rendered image it's difficult to assess how it might have been photoshopped / manipulated but it does appear text insertions were made in the "Total Assessed Losses" section. See image 2. Because the documents appear to have been leaked as photos of the physical copies there are bends and warpage in the final image. This was not fully taken into account in the manipulated / fabricated image.
And here is possible confirmation. Before and after ... insertions and deletions in the numbers of troop losses and equipment losses. Since this was also posted by someone else anonymously still no way to vouch for authenticity but seems to align with what others are saying in private. Still not clear how these classified documents detailing secret U.S. and NATO plans for aiding Ukraine were leaked and how much of them are even real. #NATO leaks #activemeasures #InfoOp cc @Dragnet_News
So remember a few months back when @NickKnudsenUS and I believe @visionsurreal also before that brought this to our attention .... this crazy Watchman Decree pledge / NAR adjacent video? One part of it seemed especially odd? The part that pledged "we declare we will be energy… twitter.com/i/web/status/1…
This section in particular in Emma Brown's new @washingtonpost article talking about how Ginni Brown's CRC group was only ever on one amicus brief and it was with the "American Fuel and Petrochemical Manufacturers" group. Who here would be shocked to learn that we may soon find… twitter.com/i/web/status/1…
Here is the tweet from @NickKnudsenUS again that shows the full video. Please watch it. Note the part about the "seven mountains" ... something very integral to NAR ideology. And the reference to "wokeness" is no mistake. This is "Christofascism"