[Image: a fake software update warning on a computer screen with JS, EXE and MSIX file icons and a prominent download button; the background carries Hawaiian "808" elements.]

Discover the LandUpdate808 fake update variant, a new cybersecurity threat tracked by our team. This article details its unique delivery chain, payload variations, and indicators of compromise, emphasizing the importance of distinguishing it from other fake update variants like SocGholish.

Intro:

There are a handful of fake update variants. The most popular is SocGholish. We've often observed other fake update variants referred to as SocGholish, but we try to make the distinction. Other variants include ClearFake and Smart Ape, and there is a newer one being referred to as ClickFix. This collaboration between Casey Kuwada, April Bucaneg, and Aaron Samala introduces the LandUpdate808 fake update variant that we've been tracking. The payload filename follows the pattern "update_DD_MM_YYYY_#######", and the extension has been observed as JS, EXE, or MSIX.

Why is it being tracked as LandUpdate808?

When we first started tracking it, it used the following two URIs in its delivery chain: /p/land.php and /wp-content/uploads/update.php. We added the 808 because we're from Hawaii, and we add our area code to just about everything to signal that it's from Hawaii. Just the other day I was telling my mainland friend about some 808 sandwiches I was eating. They were regular sandwiches, but since we're here, they're 808 sandwiches.

The delivery chain has since changed: it no longer uses /p/land.php for the first stage, and the final step of the initial delivery stage has moved from /wp-content/uploads/update.php to /wp-includes/pomo/update.php. We speculate that we first started monitoring this variant while it was still in development: the JS code wasn't obfuscated, and we observed the operators bypassing some of their own filtering by hardcoding the IP variable. This intro has gone on "fir tiw long"; let's get into it.

Initial:

When we found this, we searched for any existing write-ups to use as a source. We observed that Group-IB Threat Intelligence had tweeted some good content here. You can pivot off the domains they provided and see whether you come to the same conclusions.

First part of the delivery chain:

The first part crafts the request for the fake update page loader. The code for this task has previously been observed in the root HTML, in a local jquery-migrate.min.js file, in a local theme.min.js file, or, most recently, in a remote adcount.js (edveha[.]com).

This part pulls the visitor's public IP using the Cloudflare trace endpoint, base64-encodes it together with several other variables, and places those values in the URL of the GET request for the next phase. This stage has been observed requesting content from a remote PHP resource (previously /p/land.php, now a remote js.php). If the request passes some unknown server-side filters, the response is the HTML that loads the fake update screen, which tries to trick the user into clicking the download button. The early samples were not obfuscated, which made them much easier to understand.

It appears that the land.php endpoint was actor-owned in the beginning.

The snip below shows the callout to "https://www.cloudflare.com/cdn-cgi/trace". The returned text is parsed for the user's public IP, which is then encoded and used in the URI of the next request. The snip is from https://urlscan.io/responses/1c7a68c7d4560860ee83d0f10a7e93000eb2d213d7e72dffef784d7b81ffefc7/

The snip below shows the function that gets the OS; it then generates a request to land.php with the btoa values of uDevice (OS), IP, refferer [sic], UA, domain, and location in the URL. The snip is also from https://urlscan.io/responses/1c7a68c7d4560860ee83d0f10a7e93000eb2d213d7e72dffef784d7b81ffefc7/

The snip above shows the early stage of the chain, when we suspect the actor was actively developing it. The code for this part is now obfuscated, and it now generates a request to an external js.php resource, as shown in the snip below.

In later variations, the domain is no longer hard-coded; it is retrieved through a callout to a remote get.php resource.

The snip below shows the network tab showing these requests.

The snip below shows the code that opens a request to the base64-decoded value of requestD.

The snip below shows the CyberChef output decoding the string.

septicfl[.]com/h/get.php was observed serving the response "aHR0cHM6Ly9hc2hsZXlwdWVybmVyLmNvbS9w", which decodes to the undefanged form of "https[:]//ashleypuerner[.]com/p".

After the code executes, a cookie is set. In some variations it is named isDone, and in others isVisited11. The snip below shows isDone being set to true after execution.

The cookie is set to expire in 4 days. When the victim revisits the compromised domain, the script first checks whether the cookie already exists; if it does, it skips the follow-on tasks.

Here are some snips below showing the cookie operations.

In early iterations, if delivery failed, the page went blank because the script rewrote the HTML content with nothing. Because of the cookie check, the user could then load the compromised site normally by refreshing the page.

In newer iterations, the actor has added code to handle a failed request. In the snip below, it now prints "JQUERY is installed" to the console and then reloads the page.
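To make the stage-one logic described above concrete, here is an added example (not code from the original post, and not the actor's loader) that models the Cloudflare trace parsing, the btoa encoding of the device/IP/referrer/UA/domain/location fields into the next-stage URL, the cookie gate with its 4-day expiry, and the analyst-side decoding of a captured loader URL and of the get.php response string. The query parameter names, the uDevice() logic, the loader endpoint and the sample trace body are assumptions constructed for illustration; only the field list, the cookie names and the base64 string come from the post.

```javascript
// Added example, not code from the original post or from the actor: a model of the
// first stage of the LandUpdate808 chain as described above, so an analyst can
// reproduce the encoding and decode a captured loader URL. Query parameter names
// (device, ip, referrer, ua, domain, location), the loader endpoint, the uDevice()
// logic and the sample cdn-cgi/trace body are ASSUMPTIONS/constructed for illustration.

// btoa()/atob() equivalents that also run in Node; the loader itself calls btoa().
const b64enc = (s) => Buffer.from(String(s), 'latin1').toString('base64');
const b64dec = (s) => Buffer.from(s, 'base64').toString('latin1');

// Constructed sample of a https://www.cloudflare.com/cdn-cgi/trace response body.
const SAMPLE_TRACE = [
  'fl=123abc', 'h=www.cloudflare.com', 'ip=203.0.113.7', 'ts=1719792000.123',
  'visit_scheme=https', 'uag=Mozilla/5.0 (Windows NT 10.0; Win64; x64)',
  'colo=HNL', 'http=http/2', 'loc=US', 'tls=TLSv1.3', 'sni=plaintext', 'warp=off',
].join('\n') + '\n';

// Parse the key=value lines of cdn-cgi/trace; the loader only needs "ip".
function parseCloudflareTrace(body) {
  const out = {};
  for (const line of body.split('\n')) {
    const eq = line.indexOf('=');
    if (eq > 0) out[line.slice(0, eq)] = line.slice(eq + 1);
  }
  return out;
}

// Stand-in for the loader's uDevice(): a crude OS label from the UA string (assumed logic).
function uDevice(ua) {
  if (/Windows/i.test(ua)) return 'Windows';
  if (/Macintosh|Mac OS/i.test(ua)) return 'Mac';
  if (/Android/i.test(ua)) return 'Android';
  if (/Linux/i.test(ua)) return 'Linux';
  return 'Other';
}

// Build the next-stage GET URL with every field btoa-encoded into the query string.
// The field set and order (device, IP, referrer, UA, domain, location) follow the post.
const FIELD_ORDER = ['device', 'ip', 'referrer', 'ua', 'domain', 'location'];
function buildLoaderUrl(endpoint, fields) {
  const q = FIELD_ORDER.map((k) => `${k}=${encodeURIComponent(b64enc(fields[k] ?? ''))}`);
  return `${endpoint}?${q.join('&')}`;
}

// Analyst helper: decode every base64 query parameter of a captured loader URL.
function decodeLoaderUrl(url) {
  const out = {};
  for (const [k, v] of new URL(url).searchParams) out[k] = b64dec(v);
  return out;
}

// Cookie gate: the chain is skipped when the marker cookie (isDone or isVisited11) is "true".
const GATE_COOKIES = ['isDone', 'isVisited11'];
function cookieGateSkips(cookieHeader) {
  const jar = Object.fromEntries(
    cookieHeader.split(';').map((c) => c.trim().split('=')).filter((p) => p[0]),
  );
  return GATE_COOKIES.some((name) => jar[name] === 'true');
}

// The document.cookie string the loader writes after running, with the 4-day expiry.
function gateCookieValue(name, now = new Date()) {
  const expires = new Date(now.getTime() + 4 * 24 * 60 * 60 * 1000);
  return `${name}=true; expires=${expires.toUTCString()}; path=/`;
}

// Worked run on the constructed inputs: build the URL as the loader would, decode it
// as an analyst would, and decode the get.php response string quoted in the post.
function demo() {
  const trace = parseCloudflareTrace(SAMPLE_TRACE);
  const url = buildLoaderUrl('https://loader.example/p/land.php', { // placeholder endpoint
    device: uDevice(trace.uag), ip: trace.ip, referrer: 'https://www.google.com/',
    ua: trace.uag, domain: 'www.example.com', location: 'https://www.example.com/blog/post',
  });
  return {
    url,
    decoded: decodeLoaderUrl(url),
    getPhp: b64dec('aHR0cHM6Ly9hc2hsZXlwdWVybmVyLmNvbS9w'), // https://ashleypuerner.com/p
    skipsWhenMarked: cookieGateSkips(gateCookieValue('isDone')),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with node. decodeLoaderUrl() is the piece to point at a js.php or land.php URL pulled from a proxy log or a urlscan response: it shows exactly which values (OS, public IP, referrer, UA, compromised host and page) the loader handed to the actor before the fake update HTML was served, which is also why the same visitor rarely gets the page twice once the marker cookie is present.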

The fake update page:

We have observed the following basic, no-frills fake update page.

The link target was first observed as a resource ending in /wp-content/upgrade/update.php (a /wp-content/uploads/update.php variant also appears in the IOCs below), but more recently it has been observed using /wp-includes/pomo/update.php.

The payload:

The payload was initially observed as a JS file, then as an EXE, then as an MSIX, and then back to an EXE. The operators appear to rotate the file type every few weeks.

It appears that the endpoint serving the payload may be actor-controlled.

One JS payload variation appeared to be a downloader that fetched the next stage from dovuzu3rz[.]top/1.php?s=spam; at the time of testing, the domain was down.

One EXE payload variation was observed in ANY.RUN triggering the ET alert "Neshta Variant Related Activity" when the sample beaconed to 64[.]95[.]10[.]243/api/mytest.

The payloads deserve more attention, but we've decided to keep this effort focused on the delivery chain. "That was by design". A list of hashes is included in the IOCs below; we've confirmed each hash is in VirusTotal for your perusal.

IOCs:

Domains:

Suspected compromised domains that initiate requests for the fake update content:

razzball[.]com => edveha[.]com/adcount.js (as of 28JUN24)

monitor[.]icef[.]com => uhsee[.]com/p/land.php (as of 08MAY24)

monitor[.]icef[.]com => septicfl[.]com/h/get.php (as of 04JUN24)

careers-advice-online[.]com => uhsee[.]com/p/land.php (as of 26MAY24)

www[.]ecowas[.]int => edveha[.]com/adcount.js (as of 13JUN24)

   Note: this domain was previously observed delivering SocGholish via the delivery chain: www[.]ecowas[.]int => egisela[.]com (Keitaro TDS) => event[.]coachgreb[.]com (SocGholish domain) (as of 13MAR24)

sixpoint[.]com => zoomzle[.]com/p/land.php (as of 10JUN24)

sixpoint[.]com => elamoto[.]com/p/land.php (as of 07APR24)

www[.]eco-bio-systems[.]de => kongtuke[.]com/p/land.php (as of 26MAY24)

evolverangesolutions[.]com => uhsee[.]com/p/land.php (as of 04JUN24)

www[.]natlife[.]de => kongtuke[.]com/p/land.php (as of 22JUN24)

www[.]sunkissedindecember[.]com => uhsee[.]com/p/land.php (as of 30MAY24)

fajardo[.]inter[.]edu => kongtuke[.]com/p/land.php (as of 27APR24)

fup[.]edu[.]co => kongtuke[.]com/p/land.php (as of 27APR24)

lauren-nelson[.]com => elamoto[.]com/p/land.php (as of 30MAY24)

www[.]netzwerkreklame[.]de => kongtuke[.]com/p/land.php (as of 10JUN24)

digimind[.]nl => kongtuke[.]com/p/land.php (as of 21JUN24)

www[.]itslife[.]in => kongtuke[.]com/p/land.php (as of 29MAY24)

ecohortum[.]com => kongtuke[.]com/p/land.php (as of 29MAY24)

www[.]thecreativemom[.]com => uhsee[.]com/p/land.php (as of 21MAY24)

backalleybikerepair[.]com => uhsee[.]com/p/land.php (as of 24JUN24)

www[.]mocanyc[.]org => uhsee[.]com/p/land.php (as of 22MAY24)

www[.]mocanyc[.]org => edveha[.]com/adcount.js (as of 01JUL24)

www[.]acsmaterial[.]com: we were unable to confirm this domain; we added it because the excerpt in the snip below shows that it once included the code. By the time we accessed it, it no longer had the LandUpdate808 code, as seen below.

www[.]hypnoticasia[.]com => ashleypuerner[.]com/p/land.php (as of 02JUN24)

gov2x[.]com => edveha[.]com/adcount.js (as of 20JUN24)

sollishealth[.]com => edveha[.]com/adcount.js => edveha[.]com/js.php => espumadesign[.]com//wp-content/upgrade/update.php (as of 18JUN24)

michiganchronicle[.]com => edveha[.]com/adcount.js (as of 27JUN24)

www[.]parksavers[.]com => edveha[.]com/adcount.js (as of 27JUN24)

perryssteakhouse[.]com => edveha[.]com/adcount.js (as of 27JUN24)

cdoiq2024[.]org => edveha[.]com/adcount.js (as of 26JUN24)

www[.]ccl[.]org => edveha[.]com/adcount.js (as of 25JUN24)

my[.]networknuts[.]net => edveha[.]com/adcount.js (as of 18JUN24)

www[.]cheericca[.]org => edveha[.]com/adcount.js (as of 15JUN24)

www[.]mrsbrimbles[.]co[.]uk => septicfl[.]com/h/get.php => ashleypuerner[.]com/p/land.php (as of 29MAY24)

vanillajoy[.]themlmlife[.]com => ashleypuerner[.]com/p/land.php (as of 29MAY24)

blacksportsonline[.]com => ashleypuerner[.]com/p/land.php (as of 21JUN24)

www[.]barcaforum[.]com => ashleypuerner[.]com/p/land.php (as of 04JUN24)

criminalnotebook[.]ca/index.php/Main_Page => ashleypuerner[.]com/p/land.php (as of 30MAY24)

Domains observed serving the Fake Update page code:

kongtuke[.]com

uhsee[.]com

zoomzle[.]com

elamoto[.]com

ashleypuerner[.]com

edveha[.]com

Domains observed serving malicious payloads:

www[.]netzwerkreklame[.]de/wp-content/upgrade/update.php EXE with SHA256:5685ab9d495bcb14407dd23a83790a76ed1a149cac651f2b792bc775ff4cf732 (as of 24MAY24)

digimind[.]nl/wp-content/upgrade/update.php JS with SHA256:db7827bb6788f0a7dae5ef2dc0f3c389ab2616fabed27d646b09ecceb7c1eea9 (as of 05JUN24)

monlamdesigns[.]com/wp-content/upgrade/update.php EXE with SHA256:e45802322835286cfe3993fe8e49a793acd705755d57d8fc007341bf3b842518 (as of 29MAY24)

sustaincharlotte[.]org/wp-content/upgrade/update.php JS with SHA256:4ea6b1bbf04591a975196fac9baa7d42882fdbcde5e264f01d4e94416cef92fc (as of 31MAY24)

chicklitplus[.]com/wp-content/upgrade/update.php MSIX with SHA256:08d4a681aadff5681947514509c1f2af10ff8161950df2ae7f8ee214213edc17 (as of 17JUN24)

espumadesign[.]com/wp-content/upgrade/update.php MSIX with SHA256:3802c396e836de94ee13e38326b3fb937fcf0d6f6ef9ccdf77643be65de4c8ee (as of 21JUN24)

owloween[.]com/wp-content/uploads/update.php JS with SHA256:89002670cc7207a5e9424e932611e617d2e2048ceb8c579c85c3ec14aac8d924 (as of 24JUN24)

wildwoodpress[.]org/wp-includes/pomo/update.php MSIX with SHA256:63629c87fe460abb657a504bb9786b913b1250288681520cee9e9fbcb14e888f (as of 25JUN24)

www[.]napcis[.]org/wp-includes/pomo/update.php MSIX with SHA256:69d267234d62fd6ffd1c6a12b36835b1454dce4a6df1b370e549e275961ae235 (as of 28JUN24)

www[.]sunkissedindecember[.]com/wp-includes/pomo/update.php MSIX with SHA256:69d267234d62fd6ffd1c6a12b36835b1454dce4a6df1b370e549e275961ae235 (as of 01JUL24)

rm-arquisign[.]com/wp-includes/pomo/update.php EXE with SHA256:125b397a627f37c70e2cf2461c6a6583a975ba78617995751cacb32525a3b875 (as of 01JUL24)

Domains that we haven’t observed doing anything malicious, but we suspect are related and are good candidates for monitoring:

barcelonafcblog[.]com

destinationsunknown[.]com

table[.]fastplot[.]net

padlock[.]locksmithlibertygrove[.]com[.]au

balm[.]4rt[.]eu

k[.]ajigili[.]ir
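The IOCs above are most useful when turned into something that runs over logs. The following is an added example (not from the original post) of a triage pass in JavaScript that flags requests to the stage domains, the chain URIs (/adcount.js, /h/get.php, /p/land.php, /js.php and the three update.php paths), a cdn-cgi/trace lookup immediately preceding a stage hit from the same client, and downloads whose filename matches update_DD_MM_YYYY_#######.{js,exe,msix}. The log format and the log lines are constructed for illustration; the domains and paths are the page's own.

```javascript
// Added example, not code from the original post: a small triage pass over web-proxy
// log lines that flags the LandUpdate808 stage domains and URIs listed in the IOCs
// above, the cdn-cgi/trace fingerprinting step that precedes them, and the payload
// filename pattern update_DD_MM_YYYY_#######.{js,exe,msix}. The log format and the
// log lines are CONSTRUCTED for illustration; only the domains/paths come from the post.

// Stage domains from the IOC list (defanged on the page; refanged here for matching).
const STAGE_DOMAINS = new Set(
  ['kongtuke[.]com', 'uhsee[.]com', 'zoomzle[.]com', 'elamoto[.]com',
   'ashleypuerner[.]com', 'edveha[.]com', 'septicfl[.]com'].map((d) => d.replace(/\[\.\]/g, '.')),
);

// URI paths observed for each stage of the chain.
const STAGE_PATHS = [
  { stage: 'loader script', re: /\/adcount\.js$/i },
  { stage: 'domain lookup', re: /\/h\/get\.php$/i },
  { stage: 'fake update page', re: /\/p\/land\.php$|\/js\.php$/i },
  { stage: 'payload', re: /\/wp-content\/(upgrade|uploads)\/update\.php$|\/wp-includes\/pomo\/update\.php$/i },
];

// Payload filename pattern from the post, and the Cloudflare trace endpoint it calls first.
const PAYLOAD_NAME_RE = /^update_\d{2}_\d{2}_\d{4}_\d{7}\.(js|exe|msix)$/i;
const TRACE_RE = /^https:\/\/www\.cloudflare\.com\/cdn-cgi\/trace$/i;

// Return the list of reasons a URL looks like part of the chain, or null if none.
function classifyUrl(raw) {
  let u;
  try { u = new URL(raw); } catch { return null; }
  const hits = [];
  if (STAGE_DOMAINS.has(u.hostname.toLowerCase())) hits.push(`known stage domain ${u.hostname}`);
  for (const { stage, re } of STAGE_PATHS) {
    if (re.test(u.pathname)) hits.push(`${stage} URI ${u.pathname}`);
  }
  return hits.length ? hits : null;
}

// Extract the filename from a Content-Disposition value; keep it only if it matches the pattern.
function payloadNameFromDisposition(cd) {
  const m = /filename="?([^";]+)"?/i.exec(cd || '');
  return m && PAYLOAD_NAME_RE.test(m[1]) ? m[1] : null;
}

// Constructed log lines: "<iso-ts> <client> <method> <url> <status> <content-disposition|->".
const SAMPLE_LOG = [
  '2024-06-28T10:00:01Z 10.1.2.3 GET https://www.example-news.com/ 200 -',
  '2024-06-28T10:00:02Z 10.1.2.3 GET https://edveha.com/adcount.js 200 -',
  '2024-06-28T10:00:03Z 10.1.2.3 GET https://www.cloudflare.com/cdn-cgi/trace 200 -',
  '2024-06-28T10:00:04Z 10.1.2.3 GET https://edveha.com/js.php?d=V2luZG93cw== 200 -',
  '2024-06-28T10:00:09Z 10.1.2.3 GET https://compromised-blog.example/wp-includes/pomo/update.php 200 attachment;filename="update_28_06_2024_1234567.msix"',
  '2024-06-28T10:01:00Z 10.1.2.4 GET https://intranet.example/wp-content/uploads/2024/06/photo.jpg 200 -',
];

// A cdn-cgi/trace request is benign on its own; it only matters when a stage hit from the
// same client follows it within windowSec, so it is tracked as context rather than flagged.
function triageLog(lines, windowSec = 30) {
  const findings = [];
  const lastTrace = {}; // client -> epoch ms of its most recent cdn-cgi/trace request
  for (const line of lines) {
    const [ts, client, , url, , ...rest] = line.split(' ');
    const when = Date.parse(ts);
    if (TRACE_RE.test(url)) { lastTrace[client] = when; continue; }
    const hits = classifyUrl(url) || [];
    if (hits.length && lastTrace[client] !== undefined && when - lastTrace[client] <= windowSec * 1000) {
      hits.push('preceded by cdn-cgi/trace lookup (IP fingerprinting step)');
    }
    const payload = payloadNameFromDisposition(rest.join(' '));
    if (payload) hits.push(`payload filename ${payload}`);
    if (hits.length) findings.push({ ts, client, url, hits });
  }
  return findings;
}

for (const f of triageLog(SAMPLE_LOG)) console.log(f.ts, f.client, f.url, '=>', f.hits.join('; '));
```

cdn-cgi/trace is a legitimate Cloudflare endpoint and is deliberately not flagged on its own; it only adds context when a stage request follows it within the window. The payload path check fires on any host serving /wp-content/upgrade/update.php, /wp-content/uploads/update.php or /wp-includes/pomo/update.php, which is acceptable for triage because a request for update.php under those directories is not normal WordPress behaviour, but confirm against the hashes listed above before acting on a hit.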