{ "type": "URL", "indicator": "https://GITLAB.COM/GABRIELEWLOSINSKI32/NEW-GOOD/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://GITLAB.COM/GABRIELEWLOSINSKI32/NEW-GOOD/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3649963802, "indicator": "https://GITLAB.COM/GABRIELEWLOSINSKI32/NEW-GOOD/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 1, "pulses": [ { "id": "641dca4956bddac52c6b9fe8", "name": "Phishing Lures Used To Drop Malware", "description": "An attack campaign used various injections and traffic distribution systems (TDS) to drop commodity malware including RedLine Stealer, SocGholish, NetSupport, and SolarMarker. Compromised websites and phishing emails with malicious links were used as the initial infection vectors. Various themes were used to convince users to visit the sites including fake browser, security software, and DDoS protection updates and unsolvable captcha puzzles. The Trellix Threat Intelligence Group (TIG) gathers and analyzes information from multiple open and closed sources before disseminating intelligence reports.", "modified": "2023-04-23T16:04:24.392000", "created": "2023-03-24T16:05:29.119000", "tags": [ "https", "netsupport", "socgholish", "bec", "javascript", "redline", "ta569", "strong", "proofpoint", "sczriptzzbn", "netsupport rat", "beyond", "english", "learn", "rats", "local", "solarmarker", "august", "protect", "small", "tools", "february", "service", "redline stealer", "icedid", "stealer", "unknown", "hades", "back", "lockbit", "sanctions", "wastedlocker", "demo" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/ta569-socgholish-and-beyond" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Redline", "display_name": "Redline", "target": null }, { "id": "JavaScript", "display_name": "JavaScript", "target": null }, { "id": "BEC", "display_name": "BEC", "target": null }, { "id": "SocGholish", "display_name": "SocGholish", "target": null }, { "id": "NetSupport", "display_name": "NetSupport", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "BITSecurity", "id": "103352", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_103352/resized/80/avatar_1540652530.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 31, "FileHash-SHA1": 30, "FileHash-SHA256": 31, "URL": 11, "domain": 19, "hostname": 159 }, "indicator_count": 281, "is_author": false, "is_subscribing": null, "subscriber_count": 247, "modified_text": "1135 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/ta569-socgholish-and-beyond" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Javascript", "Bec", "Socgholish", "Netsupport", "Redline" ], "industries": [], "unique_indicators": 312 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/GITLAB.COM", "whois": "http://whois.domaintools.com/GITLAB.COM", "domain": "GITLAB.COM", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 1, "pulses": [ { "id": "641dca4956bddac52c6b9fe8", "name": "Phishing Lures Used To Drop Malware", "description": "An attack campaign used various injections and traffic distribution systems (TDS) to drop commodity malware including RedLine Stealer, SocGholish, NetSupport, and SolarMarker. Compromised websites and phishing emails with malicious links were used as the initial infection vectors. Various themes were used to convince users to visit the sites including fake browser, security software, and DDoS protection updates and unsolvable captcha puzzles. The Trellix Threat Intelligence Group (TIG) gathers and analyzes information from multiple open and closed sources before disseminating intelligence reports.", "modified": "2023-04-23T16:04:24.392000", "created": "2023-03-24T16:05:29.119000", "tags": [ "https", "netsupport", "socgholish", "bec", "javascript", "redline", "ta569", "strong", "proofpoint", "sczriptzzbn", "netsupport rat", "beyond", "english", "learn", "rats", "local", "solarmarker", "august", "protect", "small", "tools", "february", "service", "redline stealer", "icedid", "stealer", "unknown", "hades", "back", "lockbit", "sanctions", "wastedlocker", "demo" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/ta569-socgholish-and-beyond" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Redline", "display_name": "Redline", "target": null }, { "id": "JavaScript", "display_name": "JavaScript", "target": null }, { "id": "BEC", "display_name": "BEC", "target": null }, { "id": "SocGholish", "display_name": "SocGholish", "target": null }, { "id": "NetSupport", "display_name": "NetSupport", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "BITSecurity", "id": "103352", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_103352/resized/80/avatar_1540652530.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 31, "FileHash-SHA1": 30, "FileHash-SHA256": 31, "URL": 11, "domain": 19, "hostname": 159 }, "indicator_count": 281, "is_author": false, "is_subscribing": null, "subscriber_count": 247, "modified_text": "1135 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://GITLAB.COM/GABRIELEWLOSINSKI32/NEW-GOOD/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://GITLAB.COM/GABRIELEWLOSINSKI32/NEW-GOOD/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780338028.9278026 }