#NetSupport RAT dropped by #GCleaner Pay-Per-Install (PPI) campaign
Payload URLs:
https://urlhaus.abuse.ch/url/2693412/
https://urlhaus.abuse.ch/url/2693420/
Botnet C2 domains:
https://threatfox.abuse.ch/ioc/1143951/
https://threatfox.abuse.ch/ioc/1143952/
Botnet C2 server hosted at Vultr 🇺🇸:
https://threatfox.abuse.ch/ioc/1143953/
Completed Part 3 of my personal #SocGholish series.
The article digs into the follow-up payloads delivered once the Update.js is executed on a victim machine.
Interestingly, I saw #NetSupport RAT and an unknown (to me) PowerShell C2 beacon being delivered together.
If anyone can shed more light on what the PowerShell may be, it would be much appreciated!
Big thanks to @rmceoin for help along the way.
https://rerednawyerg.github.io/posts/malwareanalysis/socgholish_part3
#SocGholish leads to #NetSupport RAT downloaded from --> http://wudugf[.]top/f23.svg
Credit to @rmceoin for the help getting the C2 to respond.
C2: *.nodes.gammalambdalambda.org
NetSupport RAT spreading through malspam
JS > PS > ZIP > EXE
Payload delivery:
https://urlhaus.abuse.ch/host/eylulsifalitas.com/
Malicious JavaScript:
https://bazaar.abuse.ch/sample/37da443aedd8525bf4d6c48f12b43d5fd237d86dcaedc85e89afbb0c7b17c535/
PowerShell script:
https://bazaar.abuse.ch/sample/b0471a55b4f76bdac67acf88eaaed2335198732afbbb5e37adec4c4346cc1edf/
Dropped ZIP file:
https://bazaar.abuse.ch/sample/26cad4ec29bc07d7b2c32c94dbbef397391babf1c78cc533950b325aaf11bba8/
#NetSupport botnet C2:
balbalz1 .com:5222 (79.137.207.54 - AEZA GROUP 🇷🇺)