{"id":16217,"date":"2019-09-03T08:10:03","date_gmt":"2019-09-03T16:10:03","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2019\/09\/03\/news-9959\/"},"modified":"2019-09-03T08:10:03","modified_gmt":"2019-09-03T16:10:03","slug":"news-9959","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/09\/03\/news-9959\/","title":{"rendered":"New social engineering toolkit draws inspiration from previous web campaigns"},"content":{"rendered":"

Credit to Author: J\u00e9r\u00f4me Segura| Date: Tue, 03 Sep 2019 15:15:33 +0000<\/strong><\/p>\n

Some of the most common web threats we track have a social engineering component. Perhaps the more popular ones are those encountered via malvertising<\/a>, or hacked websites that push fraudulent updates.<\/p>\n

We recently identified a website compromise with a scheme we had not seen before; it’s part of a campaign using a social engineering<\/a> toolkit that has drawn over 100,000 visits in the past few weeks.<\/p>\n

The toolkit, which we dub Domen, is built around a detailed client-side script that acts as a framework for different fake update templates, customized for both desktop and mobile users in up to 30 languages.<\/p>\n

Loaded as an iframe from compromised websites (most of them running WordPress) and displayed over top as an additional layer, it entices victims to install so-called updates that instead download the NetSupport remote administration tool. In this blog we describe its tactics, techniques, and procedures (TTPs) that remind us of some past and current social engineering campaigns.<\/p>\n

Fake Flash Player update<\/h3>\n

The premise looks typical of many other social engineering toolkit templates we’ve come across before. Here, users are tricked into downloading and running a Flash Player update:<\/p>\n

\"\"<\/a>
Figure 1: Fake Flash Player update notification<\/figcaption><\/figure>\n

Note that the domain wheelslist[.]net belongs to a legitimate website that has been hacked and where an iframe from chrom-update[.]online is placed as a layer above the normal page:<\/p>\n

\"\"<\/a>
Figure 2: Deobfuscated code found on compromised site that loads malicious iframe<\/figcaption><\/figure>\n

Clicking the UPDATE or LATER button downloads a file called ‘download.hta’, indexed on Atlassian’s Bitbucket platform and hosted on an Amazon server (bbuseruploads.s3.amazonaws.com):<\/p>\n

\"\"<\/a>
Figure 3: Bitbucket project from user ‘Garik’<\/figcaption><\/figure>\n

Upon execution, that HTA script will run PowerShell and connect to xyxyxyxyxy[.]xyz in order to retrieve a malware payload.<\/p>\n

\"\"<\/a>
Figure 4: Malicious mshta script retrieves payload from external domain<\/figcaption><\/figure>\n

That payload is a package that contains the NetSupport RAT:<\/p>\n

\"\"<\/a>
Figure 5: Process tree showing execution flow<\/figcaption><\/figure>\n
\"\"<\/a>
Figure 6: Observed HTTP traffic confirming NetSupport RAT infection<\/figcaption><\/figure>\n

Link with “FakeUpdates” aka SocGholish <\/h3>\n

In late 2018, we documented a malicious redirection campaign that we dubbed FakeUpdates, also known as SocGholish based on a ruleset from EmergingThreats<\/a>. It leverages compromised websites and performs some of the most creative fingerprinting checks we’ve seen, before delivering its payload (NetSupport RAT).<\/p>\n

We recently noticed a tweet<\/a> that reported SocGholish via the compromised site fistfuloftalent[.]com, although the linked sandbox report<\/a> shows the same template we described earlier, which is different than the SocGholish one: <\/p>\n

\"\"<\/a>
Figure 7: New theme erroneously associated with SocGholish<\/figcaption><\/figure>\n

The reason why the sandbox is flagging SocGholish is because the compromised site contains artifacts related to it, and does, in some circumstances, actually redirect to it:<\/p>\n

\"\"<\/a>
Figure 8: SocGholish template<\/figcaption><\/figure>\n

This hacked site actually hosts two different campaigns and based on some browser and network fingerprinting, you might be served one or the other. This can be confirmed by looking at the injected code in two different pieces of JavaScript, the first one being flagged by the EmergingThreats ruleset.<\/p>\n

\"\"<\/a>
Figure 9: Comparing two campaigns by looking at the injected JavaScript<\/figcaption><\/figure>\n

Although the templates for SocGholish and the new campaign are different, they both:<\/p>\n