Showing posts with the label Jupyter

Solarmarker aka Jupyter Infostealer Update January, 2021

Updated January 8, 2021 (Added additional Lure observations at bottom) This is just a short, quick update. It would appear that the initial vector has changed. CDN.shopify.com and Sites.Google.com no longer seem to be hosting these redirects/PDF files which contain redirects. However, after hunting on the icon hash in VirusTotal, I ran across another 100MB+ file with the PDF icon hash. The file used a similar naming convention to other observed samples in the past, containing the following: "rent-check-bounced-letter". Doing a quick Google search for "rent-check-bounced-letter" gives me the results. The link for this is "hxxps://www.braveheartmarine[.]com/rent-check-bounced-letter". Running this in my lab showed the same style of selecting "PDF" or "Doc" for download, which then led to a series of redirects to the Exe file. I have not been very successful running these on App.Any.Run... Here is the following attempt. https:...

Solarmarker aka Jupyter Malware observations for December 2020

Just a quick update. I've been hunting this malware for a bit; you can see details on this malware in my previous post or the write-ups from Morphisec or Red Canary. Today, using the same methodology I typically use, I did a Google hunt (site:cdn.shopify.com "free-tempalte"). This often yields some results; it used to get more live results from (site:sites.google.com), but those seem to be dead lately. Quickly I found one called "Hole in One Certificate Template Free": hxxps://cdn[.]shopify[.]com/s/files/1/0499/5570/0887/files/hole-in-one-certificate-template-free[.]pdf?v=1602361119 I notice a lot of these, maybe all of them, have the pdf?v=[0-9] pattern. This may be normal for PDFs hosted here though. I was hoping to find some new samples; many I've found lately were leading to the same EXE and, incidentally, the same DLL and C2. Today however, I found a new sample. It mostly runs the same, however, this time the Icon Hash is no longer mimicking ...

Solarmarker Infostealer lures have officially gone too far!

As I continue to hunt for various lures and redirects for the Jupyter Infostealer, outlined in my previous article, I am amazed at the vast array of searches that lead to the malware! I took a game I enjoy and decided to search for that, using known "initial" pages where the redirects have been seen. Oh.... they got Dragon Quest too! This makes me sad.... As it is, I've found several other links just like this, and so far all of the ones I've found in the last couple of days end up landing on the same file hash (different name of course) as the one in my previous article. Hash: da2eb36e763ecf1a47532e9f8efeacb7 Again, there are also many redirects involved, mostly .tk TLDs. I suspect these large droppers are being rotated out on some schedule, monthly perhaps. So maybe I won't run into a new sample dropper and .DLL for a bit. If anyone finds anything different, please let me know!

Tracking Jupyter Malware AKA Solarmarker

*Updated March 10, 2022 (Detection rules for new variant observed March 2022.) I have had the opportunity to track the .NET Backdoor, dubbed by Morphisec as Jupyter Infostealer A.K.A. Solarmarker. I was excited to see this writeup, since this was a malware family that myself and other researchers on Twitter were discussing for a couple of weeks prior to the Morphisec article, before there was an attributed name to the malware. This was in October, and we were all sharing some bits of information we had on this; since that time I have also been using custom YARA signatures to perform live hunts and retro-hunts in VirusTotal to continue to keep up on this malware. Recently I had seen Red Canary write up about this, dubbing it Yellow Cockatoo. Again, I was very excited to see some more attention being paid to this malware; I enjoyed both the writeups. Red Canary and Morphisec provided excellent information! Since I've been tracking this for some time, and commenting on all new sampl...