Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
Jake | JCyberSec_ Profile picture
@JCyberSec_
Mar 16, 2022 15 tweets 4 min read Read on X
Scrolly
I have been able to capture #Flubots deployment code⚠️

🔍This code is used on websites when a victim attempts to download the malicious APK

Here is what I found ⤵️

1/n
The code is a single php file with 330 lines...

However after removing hundreds of new lines and padding to 'hide' the code

We are left with this...
My eyes are immediately drawn to the large data blob in the code 👀

Now the first task is to remove some of the obfuscation to understand what is happening here...
Most of the items are simply base64 encoded

Decoding this we can understand the functions which are included 🔍
Following the trail we see the data blob getting decoded:

$var1 = (gzuncompress(base64_decode('eNrtXFuP2lgSfo+0/yEPK/WsZjVrmyZpK8oDNxsbcDc2Pth+GWG7MeALT..
Performing this operation on the data blob gives us more code but sadly another large data blob is present.

So we repeat the steps to decode the data...
We can see similar variables are being used in this code 🔍

We now move our attention to the data blob...
The data is hilariously just base64 encoded...

Allowing us to use CyberChef to decode the code contained within
The PHP code is complex with a number of functions and logic statements

The IoCs extracted from the sample lead us down a rabbit hole...
One domain mentioned is hxxp://smurfetta.ru

This domain sits on 91.240.118.223 🇷🇺
We can see a call to a URL on the host

🌐/click_api/v3?

The code then builds a http query

🏗️Which features a token set to a static value of 'hmf7fdqs9vfxp8s4rwqzxbfz6c43bwgb'
We can see the code checking to make sure the accessing user has all the items set correctly otherwise the APK will not be downloaded
On the same IP as the initial code was found there is a number of flu bot campaigns running

🌐185.215.113.96🇸🇨
If you enjoyed this, follow me for more analysis of current campaigns
Back to the top...

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Jake | JCyberSec_

Jake | JCyberSec_ Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @JCyberSec_

Jake | JCyberSec_ Profile picture
Jul 19
Threat Actors using the global CrowdStrike outage to spin up new domains 🌐

👁️Keep an eye out for malware posing to 'fix' the issue
🔒Malicious phishing pages posing as a fixing site

#Phishing Image
IoCs for people to monitor:
/crowdstrikebluescreen.com
/crowdstrike0day.com
/crowdstrike-bsod.com
/crowdstrikedoomsday.com
/crowdstrikedoomsday.com
/crowdstrikefix.com
/crowdstrikedown.site
/crowdstriketoken.com
One site is a IT repair shop offering their services to help impacted companies. Image
Read 8 tweets
Jake | JCyberSec_ Profile picture
Jan 18
I got phished. Not a training phish a REAL #phishing site⚠️

I am a security expert but I still fell for it🫡

⛔️You shouldn't blame users everyone can get tricked.

Here is what happened....🧵⤵️
I was selling some items of clothes on Vinted👚

✉️I got an email from Vinted saying one of my items had been sold and to click here to process the order.

I clicked on the link without thinking and got to a page which asked for my card details💳 Image
Still no suspicion as I assumed Vinted would pay the money into this card account.💰 Image
Read 10 tweets
Jake | JCyberSec_ Profile picture
Nov 24, 2022
⚠️UK police to send 70,000 SMS after taking down ispoof

The UK’s largest fraud operation has brought down a phone number spoofing and OTP capturing site - ispoof[.]cc📱

Full Details and Analysis in Thread⤵️🧵
🕵️UK law enforcement are now preparing to send 70,000 SMS messages to potential victims of the site

ispoof allowed controlling users to intercept OTP and Telepins of victims #⃣#⃣#⃣#⃣

💯This video was uploaded to the ispoof telegram channel and is beyond amazing!!! 😂🤣😂🤣
🔗Alleged site administrator Teejay Fletcher, 35, has been arrested and charged with making or supplying articles for use in fraud and for participating in the activities of an organised crime group

📸Here is the 'original' marketing video ispoof created...
Read 17 tweets
Jake | JCyberSec_ Profile picture
Dec 1, 2021
Announcing KIT Intel 📣

🎉A Phishing Kit Intelligence Platform

“Understand the threat actors' playbook and capabilities”

#KITIntel

🧵 THREAD ⤵️
KIT Intel is a tool for phishing kit research...at scale.

📁 Upload, Analyze, Cluster, and Research phishing kits like never before.
🔎 Phishing kits are a wealth of untapped intelligence.

If you deal with phishing you need this tool in your arsenal 👈

KIT Intel gives you the ability to hunt, pivot, and discover new phishing kit activity across our full dataset.
Read 17 tweets
Jake | JCyberSec_ Profile picture
Nov 19, 2021
So you want to learn about phishing kits 🧑‍🎓

🧵 In this thread I will highlight threat hunting skills and IoCs within phishing kits to look for ⤵️

Retweets are appreciated ♻️

🔍Follow me for more #phishing intelligence @Jcybersec_
📁What is a phishing kit?

When a threat actor wants to create a phishing page they will create the page on their own machine.
Zipping it up 🤐
And then putting this zip on a website to then deploy 🌐
🥷Building threat actors create these kits and sell them to other threat actors 💰

Deploying / Controlling threat actors put the kits online and then extract the content to instantly upload a working phishing site 🦹
Read 21 tweets
Jake | JCyberSec_ Profile picture
May 29, 2020
Phishing data analysis can provide an insight into victims and discreet campaign targeting tactics.📊

The following data has been extracted from multiple campaigns from the same SMS based phishing campaign targeting UK victims.📲

<THREAD>

#phishing #security #cyber Image
There is a total of 433 victims data analyzed in the research; however, not all fields were submitted or valid so total data ranges will vary throughout. Image
Chart 1 - Age of impacted victims 🎂

The year of birth for the victims with the most impacted being aged between 21-30yrs old. Notably it is not just elderly people who get impacted by phishing which is often assumed.

The second most impacted are victims aged 31-40yrs old. Image
Read 12 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

Send Email!

:(