@sekoia.io published a nice blog post about BSC blog.sekoia.io/clearfakes-n...
@threatcat-ch.bsky.social is tracking BSC as well, and we share our gained information on Threatfox/Bazaar @abuse_ch@ioc.exchange
Most of the delivered payloads led to Rhadamantys instead of Lumma in the last few days.
This #Magecart smart contract got updated recently and is now pointing to keritysuc[.]xyz
Decoding gives us another WebSocket based communication channel: wss://cdn[.]iconstaff[.]top/common?source=
Domain iconstaff[.]top was already reported as being Magecart related in June 2024: blog.sucuri.net/2024/06/caes...
Letβs take transaction 0x863f7[β¦] at Sep-02-2024 02:34:55 PM UTC β we get the following decoded JS:
testnet.bscscan.com/tx/0x863f748...
Another confirmation of the malicious, Magecart related activity, can be found by analyzing other activities from the main BSC testnet contract 0x5178a932d5b312801e02c43fd50399a88028b9d0
testnet.bscscan.com/address/0x51...
This assumption is reinforced when we get a further obfuscated payload from suckerity[.]xyz when visiting the checkout page & subsequently noticing a client to server data exfiltration after having entered credit card details (small extract of the ~200KB deobfuscated code)
The contractβs content is clearly malicious and connects over WebSocket to suckerity[.]xyz (behind Cloudflare), not related to #ClearFake, but reminds us #Magecart related injections:
While investigating an infected website, we noticed call to BSC testnet contract 0x0967296defa0fd586c9ede5730380e2b059fab95 : testnet.bscscan.com/address/0x09...
#etherhiding (hiding malicious code in blockchain based smart contracts) is not only by #ClearFake related actors β but now also for #Magecart π
Screenshot of the "reports" section of RΓΆsti. The page displays multiple reports in a grid format, each with a card-like design. Each card includes information such as the report title, author, publication date, associated threat indicators (IOCs and YARA rules), and source organization.
A screenshot of the home page of RΓΆsti, a web application providing Repackaged Open Source Threat Intelligence. The logo "RΓSTI" is prominently displayed in blue. Below the logo, the description states that the platform gathers Indicators of Compromise (IOCs) from public reports, available in formats such as MISP, STIX, and ECS. There are two buttons: "Feeds" and "Reports." At the bottom, statistics are shown: 217,399 IOCs and 440 YARA rules extracted from 2,288 reports of 183 sources. A footer highlights "New parsers" added on January 28, 2025, listing CERT-FR and Netlab360 as new sources. A link to view the full changelog is in the bottom-right corner.
Screenshot of the "reports" section of RΓΆsti in dark mode. The page displays multiple reports in a grid format, each with a card-like design. Each card includes information such as the report title, author, publication date, associated threat indicators (IOCs and YARA rules), and source organization.
Today, I'm releasing the first version of a small web π: rosti.bin.re
It provides IOCs and YARA rules collected semi-automatically from public blog posts and reports of almost 200 cybersecurity sites.
I hope it proves useful to some of you ... πβ¨ #CyberSecurity #ThreatIntel
Nice writeup of Atea's findings regarding this: www.atea.no/siste-nytt/i...
By the way, Google based malvertisement is still going strong β also delivering #Lumma / #LummaStealer currently from hXXps://sites.google[.]com/view/gglchor then chrome.downloading[.]icu
The command it copies in the clipboard has the following string structure:
mshta [URL] # Decoy comment to look genuine to the user and hide the previous commands in the Run prompt
This command starts a long chain of Powershell commands leading finally to #LummaStealer
The infection hides as a base64 encoded & obfuscated Javascript directly on the home page. It gets the overlay from a smart contract and injects it into the HTML.
#ClearFake / #ClickFix is back infecting directly legit but vulnerable websites, delivering in the end #Lumma / #LummaStealer
#Lumma #Stealer #Malware spreading via malvertissment impersonating Google Chrome - check all connections to 46.202.155[.]128 (chrome.downloading.com[.]de & filenjjutre[.]online)
New #SocGholish domain and injections - directly as SCRIPT but without async attribute + as base64 encoded URL:
Another related github repo: github.com/AlexanderRPa... involving domain streammain[.]top hosted on 89.169.13[.]147 . All identified github repos were reported.
In other news, we contributed to Threatfox a few #Boolka domains and IPs, including new IOCs involving softbyms[.]com
threatfox.abuse.ch/browse/tag/B...
Investigating further, we find yet another github repository gavnoman/gootraf which is gone, but seems to have redirected users toward awardbonus[.]shop at 147.45.197[.]80
This domain points toward yet another github account started on July 2nd, 2024 -
github.com/lolngnos/loles . Both domains currently resolve to 77.221.155[.]81 (alias painful-underwear.aeza[.]network (!) hosted at AEZA).
A closer look into bitbucket.org/goo2/adss/sr... reveals domain support-wp[.]shop in the commit log
3. In Javascript files, with a reference to a github repository with a very similar code
2. In JavaScript files, with a reference to a bitbucket repository
1. Directly into the pageβs HTML at the top
While investigating some odd web redirects, we stumbled upon awards2tools[.]shop, which seems to systematically redirect visitors to trk.adtrk21[.]com, then into Vextrio related domains. The injection of the initial hop on awards2tools[.]shop varies β here a few examples:
The payload is very likely AsyncRAT connecting to 185.91.69[.]119:56001
www.virustotal.com/gui/file/5d5...
You might have noticed in the previous screenshot that in parallel, the page downloaded some .zip file. This file comes from Dropbox and will be decompressed and executed by the command pasted by the victim:
When visiting the link, the victim first has to complete a captcha before getting to the payload delivery page where the victim is asked to execute the 2 (in-) famous commands:
New Swiss centered malware campaign in German using some #ClearFake / #ClickFix tricks impersonating Ricardo, one of the biggest Swiss online second-hand marketplace:
