ThreatCat.ch (@threatcat-ch.bsky.social)
ThreatCat.ch was founded in autumn 2022 and consists of a bunch of experienced Cyber Threat Analysts and Incident Responders who have been working together for many years.
Let’s take transaction 0x863f7[…] at Sep-02-2024 02:34:55 PM UTC – we get the following decoded JS:
testnet.bscscan.com/tx/0x863f748...
February 28, 2025 at 4:21 PM
Another confirmation of the malicious, Magecart-related activity can be found by analyzing other activities of the main BSC testnet contract 0x5178a932d5b312801e02c43fd50399a88028b9d0
testnet.bscscan.com/address/0x51...
February 28, 2025 at 4:21 PM
This assumption is reinforced when we get a further obfuscated payload from suckerity[.]xyz when visiting the checkout page and subsequently notice a client-to-server data exfiltration after having entered credit card details (small extract of the ~200 KB deobfuscated code)
February 28, 2025 at 4:21 PM
The contract’s content is clearly malicious and connects over WebSocket to suckerity[.]xyz (behind Cloudflare); not related to #ClearFake, but it reminds us of #Magecart-related injections:
February 28, 2025 at 4:21 PM
By the way, Google-based malvertising is still going strong – also delivering #Lumma / #LummaStealer, currently from hXXps://sites.google[.]com/view/gglchor then chrome.downloading[.]icu
January 7, 2025 at 6:33 AM
The infection hides as base64-encoded and obfuscated JavaScript directly on the home page. It gets the overlay from a smart contract and injects it into the HTML.
January 6, 2025 at 8:51 PM
#ClearFake / #ClickFix is back, directly infecting legit but vulnerable websites and delivering #Lumma / #LummaStealer in the end
January 6, 2025 at 8:51 PM
#Lumma #Stealer #Malware spreading via malvertising impersonating Google Chrome - check all connections to 46.202.155[.]128 (chrome.downloading.com[.]de & filenjjutre[.]online)
December 18, 2024 at 11:29 PM
New #SocGholish domain and injections - directly as a SCRIPT tag but without the async attribute, and as a base64-encoded URL:
October 30, 2024 at 10:06 AM
A closer look into bitbucket.org/goo2/adss/sr... reveals domain support-wp[.]shop in the commit log
September 30, 2024 at 2:29 PM
3. In JavaScript files, with a reference to a GitHub repository with very similar code
September 30, 2024 at 2:29 PM
2. In JavaScript files, with a reference to a Bitbucket repository
September 30, 2024 at 2:29 PM
1. Directly into the page’s HTML at the top
September 30, 2024 at 2:28 PM
You might have noticed in the previous screenshot that in parallel, the page downloaded some .zip file. This file comes from Dropbox and will be decompressed and executed by the command pasted by the victim:
September 26, 2024 at 5:39 AM
When visiting the link, the victim first has to complete a captcha before getting to the payload delivery page, where the victim is asked to execute the two (in)famous commands:
September 26, 2024 at 5:38 AM
New Swiss-centered malware campaign in German using some #ClearFake / #ClickFix tricks, impersonating Ricardo, one of the biggest Swiss online second-hand marketplaces:
September 26, 2024 at 5:38 AM
The command to be executed is a short PowerShell command downloading a DLL hidden as a JPG and executing it via rundll32
September 24, 2024 at 3:25 AM
Opening the attached .html file shows the social engineering lure:
September 24, 2024 at 3:25 AM
It all started with an apparently fairly standard, boring spam:
September 24, 2024 at 3:24 AM
Having a look at this repository, we see that the file was uploaded recently alongside a second, even bigger file:
July 12, 2024 at 3:25 PM
#ClearFake-related contract 0xa6165aa33ac710ad5dcd4f4d6379466825476fde was updated recently and now points to daslkjfhi2[.]lol, displaying a new type of lure to visitors:
July 12, 2024 at 3:24 PM
We're proud to be a Quad9 partner, helping make the Internet a safer place!
June 19, 2024 at 8:35 AM
In addition to these domains, we have modernwebframework[.]com, which serves a new Fake Browser Update layout as shown in urlscan.io/result/d1d33...
June 5, 2024 at 1:07 PM
Found for the first time in a while a new FakeUpdate (ndsj) #SocGholish-related TDS - absolutecache[.]com hosted on 154.29.75[.]236.
February 16, 2024 at 3:32 PM
urlscan.io has tons of really cool features - search, for example, by page hash to find other similar SocGholish TDS! If you're lucky, you might even identify infected legit websites referencing such a TDS.
December 25, 2023 at 8:43 PM