@crep1x.bsky.social
Lead cybercrime analyst, tracking adversaries activities & infrastructure, at @sekoia.io
#TDR analysts dig into a modus operandi targeting the hospitality industry and the related cybercrime ecosystem that facilitates #phishing and #fraud campaigns.
blog.sekoia.io/phishing-cam...
π Our latest #TDR report delivers an in-depth analysis of Adversary-in-the-Middle (#AitM) #phishing threats - targeting Microsoft 365 and Google accounts - and their ecosystem.
This report shares actionable intelligence to help analysts detect and investigate AitM phishing.
As usual, we share multiple IoCs and YARA rules in our blog post and on our community GitHub: github.com/SEKOIA-IO/Co...
16.04.2025 16:12 β π 0 π 0 π¬ 0 π 0
By the way, Microsoft Threat Intelligence published an analysis yesterday on the same infection chain leveraging new PowerShell loader/backdoor (without associating it with Interlock?)
www.microsoft.com/en-us/securi...
Check out our new blog post by the TDR team, presenting the latest TTPs used by the #Interlock ransomware group!
It includes their use of the ClickFix tactic, PyInstaller, Node.js, Cloudflare Tunnels, and new PowerShell loader/backdoor β¬οΈ
bsky.app/profile/seko...
βοΈ @kseznec.bsky.social
Since the apparition of the #Interlock ransomware, the Sekoia #TDR team observed its operators evolving, improving their toolset (#LummaStealer and #BerserkStealer), and leveraging new techniques such as #ClickFix to deploy the ransomware payload.
blog.sekoia.io/interlock-ra...
Current decoy pages used since 18 March, changing every 3/4 weeks since the beginning of 2025:
urlscan.io/search/#page...
Tycoon 2FA (a prominent AitM phishing kit), targeting Microsoft and Google accounts, uses a new CAPTCHA page instead of the custom Cloudflare Turnstile page
e.g.
hxxps://ymi.bvyunz.]ru/3v4jfQ-cUo/
hxxps://xau.kolivax.]ru/ckYHFJN/
hxxps://ffqt.lzirleg.]es/VajlR/
β¬οΈ
CTI tip: monitor transactions from the Ethereum address 0x53fd54f55C93f9BCCA471cD0CcbaBC3Acbd3E4AA to identify new PowerShell commands distributed by ClearFake - and block/detect any traffic to malicious domains!
As usual, feedback is greatly appreciated!
Here is our in-depth analysis of the latest #ClearFake variant using the Binance Smart Chain and two new ClickFix lures.
ClearFake is injected into thousands of compromised sites to distribute the #Emmental Loader, #Lumma, #Rhadamanthys, and #Vidar.
β¬οΈ
bsky.app/profile/seko...
TDR analysts published an analysis of the new #ClearFake variant that relies on compromised websites injected with the malicious JavaScript framework, the #EtherHiding technique, and the #ClickFix social engineering tactic.
buff.ly/vbiVbsN
5. Further downloading and executing Rhadamanthys from:
bytes.microstorage.]shop/code.bin (virustotal.com/gui/file/a88...)
6. Communicating with C2 at:
91.240.118.]2:9769
Public analysis of the recent ClearFake variant: security.szustak.pl/etherhide/et...
3. Malicious PowerShell command is copied into the user's clipboard data to be executed in the Run dialog box
4. Downloading Emmenhtal from:
bytes.microstorage.]shop (1st stage)
w66.discoverconicalcrouton.]shop (2nd stage)
β¬οΈ
#ClearFake variant is now spreading #Rhadamanthys Stealer via #Emmenhtal Loader.
cc @plebourhis.bsky.social @sekoia.io
1. ClearFake framework is injected on compromised WordPress and relies on EtherHiding
2. The #ClickFix lure uses a fake Cloudflare Turnstile with unusual web traffic
β¬οΈ
This is not planned at the moment! π
24.01.2025 15:24 β π 0 π 0 π¬ 1 π 0For those who did not monitor the supply chain attack against Chrome extensions in December 2024, our article provides an overview of:
- the targeted phishing attack against extension developers
- malicious code
- the adversary's infrastructure
β¬οΈ
bsky.app/profile/seko...
TDR analysts analysed the supply chain attack targeting Chrome browser extensions, which potentially affected hundreds of thousands of end users in December 2024.
https://buff.ly/4auQ0HN
Full domain list:
gist.githubusercontent.com/qbourgue/071...
Distribution URLs:
hxxps://reddit-15.gmvr.]org/topic/inxcuh?engine=opentext+encase+forensic
hxxps://wettransfer80.tynd.]org/file/abbstd
Lumma Stealer C2:
weighcobbweo.]top
Triage analysis:
tria.ge/250120-vzdzz...
Around 1,000 malicious domains are hosting webpages impersonating Reddit and WeTransfer, redirecting users to download password-protected archives
These archives contain an AutoIT dropper, we internally named #SelfAU3 Dropper at @sekoia.io, which executes #Lumma Stealer
IoCs β¬οΈ
We confirm that the WikiKit phishing pages correspond to those of the Sneaky Log service, which we chose to name Sneaky 2FA!
16.01.2025 16:44 β π 0 π 0 π¬ 0 π 0In late December 2024, TRACLabs analysed a Sneaky 2FA phishing campaign and dubbed the kit "WikiKit".
Meanwhile, we investigated another campaign that led to the discovery of Sneaky 2FA code, as well as the Telegram bot advertising and selling it.
Our last article exposes the new AiTM phishing kit Sneaky 2FA, sold by the cybercrime service "Sneaky Log"!
We provide an in-depth analysis of the phishing pages, the associated service, detection opportunities and multiple IoCs.
β¬οΈ
bsky.app/profile/seko...
hxxps://steamcommunity.]com/profiles/76561199816275252
Some active C2s:
wltk03.]sbs
95.217.25.]164
94.130.191.]182
quils.]live
grutt.]click
116.203.13.]109
37.27.214.]36
Find more #Vidar IoCs on ThreatFox:
threatfox.abuse.ch/browse/malwa...
Recent update in #Vidar C2 servers configuration:
HTTP Location header set to "hxxps://t.]me", instead of "hxxps://google.]com"
Heuristic to track C2 IPs and domains on Censys:
search.censys.io/search?resou...
Dead Drop Resolvers (DDR) of the week:
hxxps://t.]me/no111p
β¬οΈ
π¦ The new episode of @intel471.bsky.social "Cybercrime Exposed" podcast produced by @jkirk.bsky.social tells the story of #Raccoon Stealer and, more broadly, reveals how the #infostealer ecosystem operates.
Featuring @crep1x.bsky.social from @sekoia.io!
intel471.com/resources/po...
