Pulse: Phishing Lures Used To Drop Malware
Author: WHITE BITSecurity, published 2023-03-24, modified 2023-04-23
281 IOCs (high volume)
An attack campaign used various injections and traffic distribution systems (TDS) to drop commodity malware including RedLine Stealer, SocGholish, NetSupport, and SolarMarker. Compromised websites and phishing emails with malicious links were used as the initial infection vectors. Various themes were used to convince users to visit the sites, including fake browser, security-software, and DDoS-protection updates, as well as unsolvable CAPTCHA puzzles. The Trellix Threat Intelligence Group (TIG) gathers and analyzes information from multiple open and closed sources before disseminating intelligence reports.
MITRE ATT&CK & Malware Families
ATT&CK techniques:
Malware families: Redline, JavaScript, BEC, SocGholish, NetSupport
Indicators of Compromise (11 / 281 total)