TL;DR
This document lists the specific steps you can take to find ClickFix infrastructure using RussianPanda’s workflow.
Summary Up Front
This document builds on RussianPanda’s workflow to find ClickFix infrastructure. You can repeat these steps to find the domains yourself. Find results in urlscan by running a query for the two unique response hashes. Extract the results that have a Redirect from value. Look up that domain in NsLookup.io and extract the CNAME value. Perform a reverse CNAME lookup in Silent Push to extract the related domains. Add those domains to the excluded task.domain list in your original query and restart the process.
Tactical Pause
THE CONTENT, VIEWS, AND OPINIONS EXPRESSED ON THIS DOCUMENT ARE MY OWN AND DO NOT REFLECT THOSE OF MY EMPLOYER OR ANY AFFILIATED ORGANIZATIONS. ALL RESEARCH, ANALYSIS, AND WRITING ARE CONDUCTED ON MY PERSONAL TIME AND USING MY OWN PERSONALLY-ACQUIRED RESOURCES. ANY REFERENCES, TOOLS, OR SOFTWARE MENTIONED HERE ARE LIKEWISE USED INDEPENDENTLY AND ARE NOT ASSOCIATED WITH, ENDORSED, OR FUNDED BY MY EMPLOYER.
Starting Source
Here’s the link to, and a snip of, the source post to get you started.
https://twitter.com/RussianPanda9xx/status/1860398656651702683
Getting Started
Here’s the urlscan search and a snip of the results.
https://urlscan.io/search/#betterdirectit.com
I chose this result here:
https://urlscan.io/result/fe676ce0-aa00-4fa4-88f9-6bbb048b04b3
I checked whether the payload portion is roughly the same as in the other results. You can view the DOM via the link below; the snip shows the interesting part.
https://urlscan.io/result/fe676ce0-aa00-4fa4-88f9-6bbb048b04b3/dom
Here’s a snip of the Base64-decoded output as seen in CyberChef.
Making a Good Base Query
I viewed the HTTP transactions via the link below.
https://urlscan.io/result/fe676ce0-aa00-4fa4-88f9-6bbb048b04b3/#transactions
I observed an interesting combination: the requests for all.min.css and logo_48.png. Here’s a snip showing the transaction entries (and their response hashes) for those two requests.
Here’s the urlscan query (in the snip below) that searches for results containing both of those hashes:
Here’s a snip of the search results; it looks promising. I set Details to Visible so that I can show the redirect domains we are after.
The first result that has a Redirect from value is searchmegood.com. I looked that up in NsLookup.io and observed the CNAME value. See the link and snip below.
https://www.nslookup.io/domains/searchmegood.com/dns-records
Silent Push Reverse CNAME Lookup
I performed a Reverse CNAME lookup in Silent Push to find the related domains.
Here’s a snip of the results below.
I skimmed a few of the domains in urlscan and confirmed they were used for ClickFix.
I tried a search to explore other query opportunities. The snip below shows a decent query and the results.
I confirmed the CNAME via the snip below and copied the For CNAME value.
The snip below shows the Silent Push results for a reverse CNAME lookup for 4wcsu.bmtrck.com.
It’s a Continuous Loop
The goal is to find as many of the bmtrck.com CNAME targets as possible, so that we can extract the domains behind each one. To do this, I start with a base search on the two hashes. Every time I get a list of domains from a Silent Push reverse CNAME lookup, I add them to the list of task.domain values and exclude them. The snip below shows the running query at this point. On line 907, I found that streamingsplays.com is for CNAME 450p0.bmtrck.com, so I annotate it in the notes.
Here’s a snip of the query results below:
Dead Results
Sometimes the domain is already dead, like this one; then you have to check VirusTotal (VT) for historical DNS records.
Here’s VT showing the old CNAME, 008j1.bmtrck.com.
Unfortunately, nothing shows up for it.
This is an iterative process. Perform the urlscan query for the two unique hashes. Find a result that has a redirect. Look up that domain and extract the CNAME value. Perform a reverse CNAME lookup in Silent Push. Extract the domains from the result. Add those domains to the excluded task.domain list in the urlscan query. Repeat the process with the rolling query.
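The loop above, written out as a script. This is an added example, not code from the original post or from any of the tools it uses: the two response hashes are placeholders, the query relies on urlscan's hash: and task.domain: search fields, and the urlscan, NsLookup and Silent Push lookups are injected callables so the whole thing runs offline against constructed stand-in data (only the streamingsplays.com to 450p0.bmtrck.com pairing is taken from the post). The point it shows that the prose does not is why the exclusion list has to grow every round: the search returns a capped page of results, so domains already pivoted must be pushed out to surface new ones.

```python
"""Rolling urlscan -> CNAME -> reverse-CNAME pivot (added example, not the
post's code). Lookups are injected so the script runs offline; DEMO_* are
constructed stand-ins, not real urlscan, NsLookup or Silent Push output."""
import json
import re
import urllib.parse
import urllib.request
from collections import defaultdict

# Placeholders: paste the SHA256 of all.min.css and logo_48.png from the
# urlscan HTTP transactions tab.
HASHES = ("<sha256-of-all.min.css>", "<sha256-of-logo_48.png>")
TRACKER_SUFFIX = ".bmtrck.com"


def build_query(hashes, excluded):
    """Both response hashes must match; every domain already pivoted is excluded."""
    terms = [f"hash:{h}" for h in hashes]
    terms += [f"NOT task.domain:{d}" for d in sorted(excluded)]
    return " AND ".join(terms)


def urlscan_search(query, size=100, api_key=None):
    """Live urlscan search API call (not exercised by the offline demo)."""
    url = "https://urlscan.io/api/v1/search/?" + urllib.parse.urlencode(
        {"q": query, "size": size})
    headers = {"API-Key": api_key} if api_key else {}
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["results"]


def redirecting_domains(results):
    """Submitted (task) domains whose scan ended on a different page domain:
    the rows urlscan lists with a 'Redirect from' value."""
    seen = []
    for r in results:
        t, p = r["task"]["domain"], r["page"]["domain"]
        if t != p and t not in seen:
            seen.append(t)
    return seen


def pivot(fetch, resolve_cname, reverse_cname, hashes=HASHES, max_rounds=20):
    """Query, take the redirect domains, CNAME each, reverse-CNAME the tracker
    host, fold every sibling into the exclusion list, repeat until a round
    adds nothing. Returns (clusters, no_tracker, excluded)."""
    excluded, no_tracker = set(), set()
    clusters = defaultdict(set)          # tracker CNAME host -> redirect domains
    for _ in range(max_rounds):
        before = len(excluded)
        for domain in redirecting_domains(fetch(build_query(hashes, excluded))):
            target = (resolve_cname(domain) or "").lower()
            if not target.endswith(TRACKER_SUFFIX):
                # Same template, different (or dead) tracker: note it, move on.
                no_tracker.add(domain)
                excluded.add(domain)
                continue
            for sibling in reverse_cname(target) | {domain}:
                clusters[target].add(sibling)
                excluded.add(sibling)
        if len(excluded) == before:
            break
    return dict(clusters), no_tracker, excluded


# Constructed stand-ins. streamingsplays.com -> 450p0.bmtrck.com is stated in
# the post; the other pairings and the landing domain are invented for the demo.
DEMO_RESULTS = [
    {"task": {"domain": "searchmegood.com"}, "page": {"domain": "landing.example"}},
    {"task": {"domain": "landing.example"}, "page": {"domain": "landing.example"}},
    {"task": {"domain": "streamingsplays.com"}, "page": {"domain": "landing.example"}},
    {"task": {"domain": "newvideozones.com"}, "page": {"domain": "landing.example"}},
    {"task": {"domain": "checkpageonce.com"}, "page": {"domain": "landing.example"}},
]
DEMO_CNAME = {
    "searchmegood.com": "demo0.bmtrck.com",
    "proceedtonext.com": "demo0.bmtrck.com",
    "checkpageonce.com": "demo0.bmtrck.com",
    "streamingsplays.com": "450p0.bmtrck.com",
    "westreamdaily.com": "450p0.bmtrck.com",
}


def demo_fetch(query, size=2):
    """Honours the NOT task.domain clauses and caps the rows returned, which is
    exactly why the exclusion list must keep growing between rounds."""
    excluded = set(re.findall(r"NOT task\.domain:(\S+)", query))
    return [r for r in DEMO_RESULTS if r["task"]["domain"] not in excluded][:size]


def demo_resolve_cname(domain):
    return DEMO_CNAME.get(domain)


def demo_reverse_cname(target):
    return {d for d, c in DEMO_CNAME.items() if c == target}


if __name__ == "__main__":
    clusters, others, _ = pivot(demo_fetch, demo_resolve_cname, demo_reverse_cname)
    for host, doms in sorted(clusters.items()):
        print(host, "->", ", ".join(sorted(doms)))
    print("redirects without a bmtrck.com CNAME:", sorted(others))
```

To run it for real, pass urlscan_search as fetch, a function that returns the CNAME record for a domain (NsLookup.io, dig, or a resolver library) as resolve_cname, and a wrapper around the Silent Push reverse CNAME lookup as reverse_cname; the no_tracker set is where the non-bmtrck.com template users end up. Note that the demo fetch caps results at two rows, mimicking urlscan's page size on a smaller scale.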
Other ClickFix activity
It looks like there may be multiple actors using a template for this ClickFix. Some actors don’t use bmtrck.com. newvideozones.com is an example of this. See the snips below.
Text File Payload Search
On a side note, some copyText payloads request a TXT file whose name matches a particular pattern: eight letters followed by .txt. We can search for that pattern via the query below:
https://urlscan.io/search/#files.filename%3A%2F%5Ba-zA-Z%5D%7B8%7D%5C.txt%2F
I reviewed the first result here:
https://urlscan.io/result/b2328301-9ba1-4a47-89fd-6e8c2961cce7
I looked up the hash via the dropdown menu in urlscan as seen below.
The Contacted Domains look like Lumma Stealer domains, as seen here:
The Crowdsourced IDS rules show that it matched Proofpoint Lumma Stealer rules as seen below.
By searching for the copyText payloads directly, you can skip the redirect domains entirely. This is useful if you are focused on the malware payloads rather than the infrastructure domains.
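The filename-pattern search and the hash pivot that follows it, as an added example that is not part of the original post. It reproduces the encoded search URL from the query text (urlscan's regex search is a whole-value match, so the local regex is anchored the same way) and then groups matching TXT payloads by SHA256, which is the value you pivot on in urlscan's hash dropdown. The result records are constructed stand-ins carrying only the _id and files[].filename/sha256 fields the functions read; the hashes and scan ids in them are placeholders.

```python
"""Added example (not the post's code): rebuild the filename-pattern search
URL and pivot the matching TXT payloads by hash. DEMO_RESULTS is constructed."""
import re
import urllib.parse

QUERY = r"files.filename:/[a-zA-Z]{8}\.txt/"
# urlscan's /regex/ search matches the whole filename, so anchor it here too.
TXT_PAYLOAD = re.compile(r"^[a-zA-Z]{8}\.txt$")


def search_url(query):
    """The urlscan search page carries the percent-encoded query (':' and '/'
    included) after '#'; this is how the URL in the post was built."""
    return "https://urlscan.io/search/#" + urllib.parse.quote(query, safe="")


def txt_payloads(results):
    """(scan id, filename, sha256) for each downloaded file that matches the
    eight-letter .txt pattern."""
    hits = []
    for r in results:
        for f in r.get("files", []):
            if TXT_PAYLOAD.match(f["filename"]):
                hits.append((r["_id"], f["filename"], f["sha256"]))
    return hits


def by_hash(hits):
    """Group scan ids by payload hash: one hash seen across several scans is
    the same stage served under different filenames or domains."""
    groups = {}
    for scan_id, _, sha in hits:
        groups.setdefault(sha, set()).add(scan_id)
    return groups


# Constructed records; "h1".."h4" and "scan-N" are placeholders, not real IOCs.
DEMO_RESULTS = [
    {"_id": "scan-1", "files": [{"filename": "ABCDEFGH.txt", "sha256": "h1"}]},
    {"_id": "scan-2", "files": [{"filename": "qwertyui.txt", "sha256": "h1"},
                                {"filename": "all.min.css", "sha256": "h2"}]},
    {"_id": "scan-3", "files": [{"filename": "abc.txt", "sha256": "h3"}]},
    {"_id": "scan-4", "files": [{"filename": "abcdefghi.txt", "sha256": "h4"}]},
]

if __name__ == "__main__":
    print(search_url(QUERY))
    for sha, scans in by_hash(txt_payloads(DEMO_RESULTS)).items():
        print(sha, "seen in", sorted(scans))
```

Only the two eight-letter names survive the filter; abc.txt and abcdefghi.txt are rejected for the same reason urlscan's anchored regex rejects them.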
Time to Conclude
While working on this, I lucked out because I got a 429 (rate-limit) error, as seen in the snip below.
I’ve mentioned in other posts that I often struggle with knowing when to end the research. When I don’t end the research in time, I take too long and start researching something else. The research then becomes stale, and it ends up as research fodder that doesn’t get shared with the world. I’ll take the 429 error as a sign that it’s time to conclude.
IOCs
ruvmq.bmtrck.com
008j1.bmtrck.com
450p0.bmtrck.com
euc45.bmtrck.com
tcszz.bmtrck.com
tlbvx.bmtrck.com
5hldy.bmtrck.com
proceedtonext.com
downloadstep.com
downloadsbeta.com
betterdirectit.com
continuedownloader.com
bristykalkuz.com
scrutinycheck.cash
trkallpages.com
hypochloridtilz.click
searchmegood.com
scrutinycheckout.com
onceletthemcheck.com
oceanbreezeget.com
gawanjaneto.com
checkpageonce.com
sheenglathora.com
provenhandshakecap.com
licensedgetogeth.com
clickthistogo.com
continueverif.com
hostedsteps.com
mediamanagerverif.com
themovingfoster.com
transfertonext.com
techstalone.com
helpmemoverand.com
westreamdaily.com
streamingsplays.com
streamingszone.com
addonclicks.com
yourtruelover.com
gocartfully.com
newvideozones.click
servezoff.info
myincoffer.online
mypagvistic.com
briskload.site
getcodavbiz.com
speedyrob.info
beasterz.pro
stephighs.com
mybizoffer.org
creativitybistik.com
sharefunideas.info
verticherez.com
dreaminger.pro
hivertical.pro
proexten.xyz
proidea.site
escalanados.site
tadtod.site
dpresslo.xyz
inclinerex.xyz
bringiton.pro
mestions.site
safestzone.pro
verticalzpro.xyz
stockmann.xyz
myvertical.pro
clickgravitate.com
continuefor.com
go2linktrack.com
trackblitzad.com
promojet88.com
treovax.com
campnudge.com
analytrex.com
clickcampaigner.com
countlessurl.com
trackedcurl.com
statzeon.com
trackspin32.com
spotmyaction.com
campaigntide.com
hoststotrack.com
lynciflow.com
camptracer24.com
clickwavetracker.com
sourceszone.com
clicktoreach.com
rovynex.com
clicksgauge.com
campaignpace.com
adslinker45.com
ready4track.com
pixelpathsway.com
nextinclick.com
adpathsync.com
logmypath.com
clickforprocess.com
instantclickflow.com
brimoro.com
tracksforge.com
adsvector.com
adzcurrent.com
urlstreams.com
urlignite.com
adsynergyz.com
clicksroute.com
adflowhubs.com
tracklystic.com
routedpulse.com
linksoptix.com
linksvibe.com
megarises.com
trackgamess.com
creativityboss.com
sysswap.com
kodekthungg.com
servinglane.com
bestreceived.com
torontogamings.com
smartykhan.com
justmytouch.com
syncthewebs.com
webdriveshere.com
spintore.com
taketheright.com
trakingame.com
successeditdone.com
satisfiedweb.com
moldstrap.com
latifsnaps.com
kalamouse.com
minitracked.com
cyrusdashboard.com
firstigame.com
editorcoms.com
godagichi.com
gamingzonesup.com
betterthanit.com
fineliveliness.com
managingeasily.com
oraclesystematic.com
takemetoworld.com
multitrackings.com
lighterhubs.com
gamebalri.com
greatchoicing.com
bestgetcontent.com
galaxyofapps.com
andropalaces.com
brandswebs.com
besidegamz.com
github-scanner.com
github-scanner.shop
ofsetvideofre.click
ch3.dlvideosfre.click