Share this page!

Maybe Scrolly?
Jake | JCyberSec_ Profile picture
Twitter logo
Mar 16 15 tweets 4 min read
I have been able to capture #Flubots deployment code⚠️

🔍This code is used on websites when a victim attempts to download the malicious APK

Here is what I found ⤵️

1/n
The code is a single php file with 330 lines...

However after removing hundreds of new lines and padding to 'hide' the code

We are left with this...
My eyes are immediately drawn to the large data blob in the code 👀

Now the first task is to remove some of the obfuscation to understand what is happening here...
Most of the items are simply base64 encoded

Decoding this we can understand the functions which are included 🔍
Following the trail we see the data blob getting decoded:

$var1 = (gzuncompress(base64_decode('eNrtXFuP2lgSfo+0/yEPK/WsZjVrmyZpK8oDNxsbcDc2Pth+GWG7MeALT..
Performing this operation on the data blob gives us more code but sadly another large data blob is present.

So we repeat the steps to decode the data...
We can see similar variables are being used in this code 🔍

We now move our attention to the data blob...
The data is hilariously just base64 encoded...

Allowing us to use CyberChef to decode the code contained within
The PHP code is complex with a number of functions and logic statements

The IoCs extracted from the sample lead us down a rabbit hole...
One domain mentioned is hxxp://smurfetta.ru

This domain sits on 91.240.118.223 🇷🇺
We can see a call to a URL on the host

🌐/click_api/v3?

The code then builds a http query

🏗️Which features a token set to a static value of 'hmf7fdqs9vfxp8s4rwqzxbfz6c43bwgb'
We can see the code checking to make sure the accessing user has all the items set correctly otherwise the APK will not be downloaded
On the same IP as the initial code was found there is a number of flu bot campaigns running

🌐185.215.113.96🇸🇨
If you enjoyed this, follow me for more analysis of current campaigns
Back to the top...

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Jake | JCyberSec_

Jake | JCyberSec_ Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @JCyberSec_

Jake | JCyberSec_ Profile picture
Dec 1, 2021
Announcing KIT Intel 📣

🎉A Phishing Kit Intelligence Platform

“Understand the threat actors' playbook and capabilities”

#KITIntel

🧵 THREAD ⤵️
KIT Intel is a tool for phishing kit research...at scale.

📁 Upload, Analyze, Cluster, and Research phishing kits like never before.
🔎 Phishing kits are a wealth of untapped intelligence.

If you deal with phishing you need this tool in your arsenal 👈

KIT Intel gives you the ability to hunt, pivot, and discover new phishing kit activity across our full dataset.
Read 17 tweets
Jake | JCyberSec_ Profile picture
Nov 19, 2021
So you want to learn about phishing kits 🧑‍🎓

🧵 In this thread I will highlight threat hunting skills and IoCs within phishing kits to look for ⤵️

Retweets are appreciated ♻️

🔍Follow me for more #phishing intelligence @Jcybersec_
📁What is a phishing kit?

When a threat actor wants to create a phishing page they will create the page on their own machine.
Zipping it up 🤐
And then putting this zip on a website to then deploy 🌐
🥷Building threat actors create these kits and sell them to other threat actors 💰

Deploying / Controlling threat actors put the kits online and then extract the content to instantly upload a working phishing site 🦹
Read 21 tweets
Jake | JCyberSec_ Profile picture
May 29, 2020
Phishing data analysis can provide an insight into victims and discreet campaign targeting tactics.📊

The following data has been extracted from multiple campaigns from the same SMS based phishing campaign targeting UK victims.📲

<THREAD>

#phishing #security #cyber Image
There is a total of 433 victims data analyzed in the research; however, not all fields were submitted or valid so total data ranges will vary throughout. Image
Chart 1 - Age of impacted victims 🎂

The year of birth for the victims with the most impacted being aged between 21-30yrs old. Notably it is not just elderly people who get impacted by phishing which is often assumed.

The second most impacted are victims aged 31-40yrs old. Image
Read 12 tweets
Jake | JCyberSec_ Profile picture
Apr 30, 2020
:: 16Shop Intelligence Thread ::

#16Shop is a prolific and one of the first #Phishing-as-a-Service (PaaS) offerings.

⚠️This is an intelligence thread on notable elements of the kit, the operation, how to test and detect the scam.

#THREAD
16Shop was initially detected in the wild in late 2017 by McAfee security researchers, this kit was using an Apple theme. 🖥️

Initially access to the kit was sold on Facebook 💰
The user selling 16Shop access was part of a group who are attributed as being the creators and main operators of 16Shop know as "Indonesian Cyber Army"💀
Read 14 tweets
Jake | JCyberSec_ Profile picture
Dec 3, 2019
:: Magecart Hunting Thread ::

This is a thread about how to hunt and find #Magecart infected sites using @URLscan. 💰💵

♻️Please retweet to help spread knowledge and feel free to add your own techniques, ideas, and suggestions.

⚠️THREAD⚠️
A brief overview of Magecart.

Magecart is an umbrella term for the technique of injecting JavaScript to steal credit card numbers on E-commerce sites. A number of actors/groups operate under the same term implanting JavaScript onto checkout pages all over the world.
To get started we need a foothold.
I have a hunt running looking for a known Magecart hash.

This morning a new site hit the search, looking at the site I then used the filename as a pivot. The filename which is infected with Magecart is "jquery_noconflict.js"
Read 15 tweets
Jake | JCyberSec_ Profile picture
Jul 31, 2019
:: Phishing Admin Panel Hunting Thread ::

In this thread we will find ways to hunt and attribute phishing admin panels.

This is a continuation from my #phishing hunting thread released earlier this year. ()

Please retweet to knowledge share among others.
Firstly we need to understand what an admin panel is in relation to phishing sites. There are many phishing-as-a-service (PaaS) offerings for threat actors to buy allowing them to quickly and easily deploy kits online. They normally consists of a threat actor buying an API key.
In this thread I will show you how to fingerprint some of the major panels, if you feel I have missed any let me know as I would love to keep this thread current and up-to-date on new threats.
Read 22 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @JCyberSec_ has new unrolls!

Check out other threads from @JCyberSec_!

Read all threads by @JCyberSec_

:(