ETHERHIDING POPUPS STILL ACTIVE

    Date: 09/09/2024

    Severity: High

    Summary

    We continue to find websites with injected code that uses "EtherHiding" to create popup windows for fake browser updates. This activity has been observed in the infection chains known as "ClearFake" and "ClickFix," though we have not yet identified the specific malware delivered by this chain. For details on a ClickFix infection chain reported in June 2024, visit:

    https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-06-24-IOCs-for-ClickFix-pushing-Lumma-Stealer.txt

    Further information on EtherHiding techniques can be found at:  

    https://labs.guard.io/etherhiding-hiding-web2-malicious-code-in-web3-smart-contracts-65ea78efad16

    Indicators of Compromise (IOC) List


    Hash

    2c8f611b0f2c157f010c20379d4fcd725a8c462a8d226ae0095e3e0fb110ddbe
    
    7eede0e13ed9990afb465c2f612d85bc10c946dd2419323528a58707cef62899
    
    6976c3e0ffbbbbb310995e70f24bf9501d017279d865ac4536aee25b316a92de

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    userdomainname like "texaschili.com" or url like "texaschili.com" or userdomainname like "https://bitbucket.org/browserupdater/download/downloads/UpdateFix.exe" or url like "https://bitbucket.org/browserupdater/download/downloads/UpdateFix.exe" or userdomainname like "https://bitbucket.org/browserupdater/download/downloads/UpdateMe.exe" or url like "https://bitbucket.org/browserupdater/download/downloads/UpdateMe.exe" or userdomainname like "didacfranquet.com" or url like "didacfranquet.com" or userdomainname like "https://bitbucket.org/browserupdater/download/downloads/UpdateNow.exe" or url like "https://bitbucket.org/browserupdater/download/downloads/UpdateNow.exe" or userdomainname like "dioz.com" or url like "dioz.com" or userdomainname like "allalert.com" or url like "allalert.com" or userdomainname like "bordercollie.app" or url like "bordercollie.app" or userdomainname like "esugolfcarts.com" or url like "esugolfcarts.com" or userdomainname like "gurushop.me" or url like "gurushop.me" or userdomainname like "https://bsc-dataseed1.binance.org/" or url like "https://bsc-dataseed1.binance.org/" or userdomainname like "https://dais7nsa.shop/endpoint" or url like "https://dais7nsa.shop/endpoint" 

    Detection Query 2

    sha256hash IN ("2c8f611b0f2c157f010c20379d4fcd725a8c462a8d226ae0095e3e0fb110ddbe","7eede0e13ed9990afb465c2f612d85bc10c946dd2419323528a58707cef62899","6976c3e0ffbbbbb310995e70f24bf9501d017279d865ac4536aee25b316a92de")
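    To show how the two detection queries behave when run as code, the following is an added example (not from the advisory or from Gurucul's TDIR product): it applies the intent of Query 1 (domain and URL indicators) and Query 2 (SHA-256 set membership) to constructed proxy/EDR records. The indicator values are a subset of those listed on this page, the records are made up, and the field names `url`, `domain` and `sha256` are assumptions.

```python
from urllib.parse import urlsplit

# Indicator values copied from the advisory (a subset, for brevity).
DOMAIN_IOCS = {"texaschili.com", "gurushop.me"}
URL_IOCS = {
    "https://bitbucket.org/browserupdater/download/downloads/UpdateFix.exe",
    "https://dais7nsa.shop/endpoint",
}
HASH_IOCS = {"2c8f611b0f2c157f010c20379d4fcd725a8c462a8d226ae0095e3e0fb110ddbe"}

# Constructed proxy/EDR records for illustration, not real telemetry.
SAMPLE_RECORDS = [
    {"id": 1, "url": "https://www.texaschili.com/index.php", "sha256": ""},
    {"id": 2, "url": "https://bitbucket.org/browserupdater/download/downloads/UpdateFix.exe?x=1"},
    {"id": 3, "url": "https://bitbucket.org/someteam/repo/downloads/tool.exe"},
    {"id": 4, "sha256": "2C8F611B0F2C157F010C20379D4FCD725A8C462A8D226AE0095E3E0FB110DDBE"},
    {"id": 5, "domain": "nottexaschili.com"},
]

def _host(url):
    """Lower-cased host of a URL, or '' if there is none."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def host_matches(host, ioc_domain):
    """Exact host or subdomain match, so 'nottexaschili.com' does not fire."""
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)

def match_record(rec):
    """Return indicator hits for one record as (field, indicator) tuples."""
    hits = []
    url = rec.get("url", "")
    hosts = {h for h in (rec.get("domain", "").lower(), _host(url)) if h}
    for ioc in sorted(DOMAIN_IOCS):               # Query 1, domain indicators
        if any(host_matches(h, ioc) for h in hosts):
            hits.append(("domain", ioc))
    for ioc in sorted(URL_IOCS):                  # Query 1, URL indicators
        # host must be equal and the path a prefix; scheme and query string
        # are ignored so a cache-busting '?x=1' does not evade the match
        if url and _host(url) == _host(ioc) and urlsplit(url).path.startswith(urlsplit(ioc).path):
            hits.append(("url", ioc))
    sha = rec.get("sha256", "").lower()           # Query 2, case-insensitive
    if sha in HASH_IOCS:
        hits.append(("sha256", sha))
    return hits

def scan(records):
    """Map record id -> hits for every record that matched at least one indicator."""
    return {r["id"]: h for r in records if (h := match_record(r))}
```

    Note that the URL indicators in Query 1 are also compared against `userdomainname`, a field that holds a bare host and so can never equal a full URL; matching URL indicators only on the `url` field, as above, removes that dead branch. The listed https://bsc-dataseed1.binance.org/ is a public BNB Smart Chain RPC node that the injected script uses to fetch its payload, so a hit on it alone is a weaker signal than a hit on the download URLs or hashes.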

    Reference:

    https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-09-04-IOCs-for-EtherHiding-popups.txt  

    https://www.linkedin.com/posts/unit42_etherhiding-timelythreatintel-unit42threatintel-activity-7237480630425370624-VkuR 

    https://x.com/Unit42_Intel/status/1831715000437571816


    Tags

    Malware
