FAKE CLOCKIFY SITE PUSHES BOTH WINDOWS AND MAC MALWARE

    Date: 10/10/2024

    Severity: High

    Summary

    On October 8, 2024, we identified a malicious Google ad directing users to a fake Clockify site that spreads malware. The site offered two downloads: a changing 704 kB DMG file for macOS that exfiltrates data and a consistent 115.7 MB executable for Windows. The macOS file contains a Mach-O executable that requires user interaction for installation, while the Windows file includes a 116.5 MB MSI installer for Clockify and Lumma Stealer. The Windows infection retrieves Lumma Stealer from a password-protected RAR file.

    Indicators of Compromise (IOC) List

    Domains / URLs:

    http://193.3.168.112/forra.rar

    https://apunanwu.com/kusaka.php?call=clockify

    https://sergei-esenin.com/api

    https://steamcommunity.com/profiles/76561199724331900

    https://www-clockify.me/

    https://www-clockify.me/Clockify(3.02)

    apunanwu.com

    assaultxnh.site

    bathdoomgaz.store

    clearancek.site

    dissapoiznw.store

    eaglepawnoy.store

    licendfilteo.site

    mobbipenju.store

    sergei-esenin.com

    spirittunek.store

    steamcommunity.com

    studennotediw.store

    www-clockify.me

    IP Addresses:

    193.3.168.112

    85.209.11.155

    Hashes (SHA-256):

    1505254870f2561ddda8f73be9147023469b27a543eb39551439c46fbae9b976

    2212040d4afc5e1fb2a499f48c17f92253f5f6f9863989f9181e99ba5dcff1cb

    3ac8630aba1a0315bc77816b4ffaaaeb061d033d33e1aa4db70c1c1ad9471fe7

    9842c0a49ea0cd22ca91f78b2cedd35ffe12bab7dbdcdb4c20cc16af50a02b3c

    adcb5c3d4f777b01655cfa0c4be4a9d3ad1345a94f5e1cdab50fdb052e7b3769

    c34d93400a47b4fbaa39586467aae94c23d5c2a16929e03836e184c0819b98f9

    c4392b06441a0826933e8a7cc36d29b5b42a94ec6d37cd35039e92dddc67c7a8

    c8bc08c9792c853ce913b2ea0ce87b67ae8ffec7ea92c248fdbf33959184f3ae

    d723f7bb031b36dbd5ab0f3d9bb7b995569dea439edfbe66a9f8999c1a0ce562

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains / URLs:

    userdomainname like "https://sergei-esenin.com/api" or url like "https://sergei-esenin.com/api" or userdomainname like "https://www-clockify.me/" or url like "https://www-clockify.me/" or userdomainname like "www-clockify.me" or url like "www-clockify.me" or userdomainname like "http://193.3.168.112/forra.rar" or url like "http://193.3.168.112/forra.rar" or userdomainname like "sergei-esenin.com" or url like "sergei-esenin.com" or userdomainname like "licendfilteo.site" or url like "licendfilteo.site" or userdomainname like "studennotediw.store" or url like "studennotediw.store" or userdomainname like "https://steamcommunity.com/profiles/76561199724331900" or url like "https://steamcommunity.com/profiles/76561199724331900" or userdomainname like "apunanwu.com" or url like "apunanwu.com" or userdomainname like "bathdoomgaz.store" or url like "bathdoomgaz.store" or userdomainname like "spirittunek.store" or url like "spirittunek.store" or userdomainname like "clearancek.site" or url like "clearancek.site" or userdomainname like "mobbipenju.store" or url like "mobbipenju.store" or userdomainname like "assaultxnh.site" or url like "assaultxnh.site" or userdomainname like "https://apunanwu.com/kusaka.php?call=clockify" or url like "https://apunanwu.com/kusaka.php?call=clockify" or userdomainname like "https://www-clockify.me/Clockify(3.02)" or url like "https://www-clockify.me/Clockify(3.02)" or userdomainname like "dissapoiznw.store" or url like "dissapoiznw.store" or userdomainname like "eaglepawnoy.store" or url like "eaglepawnoy.store" or userdomainname like "steamcommunity.com" or url like "steamcommunity.com"

    IP Addresses:

    dstipaddress IN ("193.3.168.112","85.209.11.155") or ipaddress IN ("193.3.168.112","85.209.11.155") or publicipaddress IN ("193.3.168.112","85.209.11.155") or srcipaddress IN ("193.3.168.112","85.209.11.155")

    Hashes (SHA-256):

    sha256hash IN ("c8bc08c9792c853ce913b2ea0ce87b67ae8ffec7ea92c248fdbf33959184f3ae","9842c0a49ea0cd22ca91f78b2cedd35ffe12bab7dbdcdb4c20cc16af50a02b3c","adcb5c3d4f777b01655cfa0c4be4a9d3ad1345a94f5e1cdab50fdb052e7b3769","c34d93400a47b4fbaa39586467aae94c23d5c2a16929e03836e184c0819b98f9","d723f7bb031b36dbd5ab0f3d9bb7b995569dea439edfbe66a9f8999c1a0ce562","1505254870f2561ddda8f73be9147023469b27a543eb39551439c46fbae9b976","2212040d4afc5e1fb2a499f48c17f92253f5f6f9863989f9181e99ba5dcff1cb","3ac8630aba1a0315bc77816b4ffaaaeb061d033d33e1aa4db70c1c1ad9471fe7","c4392b06441a0826933e8a7cc36d29b5b42a94ec6d37cd35039e92dddc67c7a8")
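    The TDIR queries above match the indicators with `like` and `IN` clauses. For teams that want to sweep an exported proxy or EDR log offline, the following Python script is an added example (not Gurucul's query and not code from the advisory's reference) that applies the same IOC list with two refinements a practitioner usually wants: domains are matched on a label boundary (exact host or a subdomain of the listed domain) rather than by substring, and steamcommunity.com, a legitimate service the campaign merely abuses, is matched only on the exact profile URL listed above, so ordinary Steam traffic does not alert. The JSON-lines record shape (`src`, `dst`, `url`, `sha256` fields) and the sample records are constructed for the example.

```python
import json
from urllib.parse import urlsplit

# Indicators copied from the IOC list in this advisory.
IOC_DOMAINS = {
    "apunanwu.com", "assaultxnh.site", "bathdoomgaz.store", "clearancek.site",
    "dissapoiznw.store", "eaglepawnoy.store", "licendfilteo.site",
    "mobbipenju.store", "sergei-esenin.com", "spirittunek.store",
    "studennotediw.store", "www-clockify.me",
}
# steamcommunity.com is a legitimate service abused by the campaign, so it is
# deliberately left out of IOC_DOMAINS and matched only on the exact URL below.
IOC_URLS = {
    "http://193.3.168.112/forra.rar",
    "https://apunanwu.com/kusaka.php?call=clockify",
    "https://sergei-esenin.com/api",
    "https://steamcommunity.com/profiles/76561199724331900",
    "https://www-clockify.me/",
    "https://www-clockify.me/Clockify(3.02)",
}
IOC_IPS = {"193.3.168.112", "85.209.11.155"}
IOC_SHA256 = {
    "1505254870f2561ddda8f73be9147023469b27a543eb39551439c46fbae9b976",
    "2212040d4afc5e1fb2a499f48c17f92253f5f6f9863989f9181e99ba5dcff1cb",
    "3ac8630aba1a0315bc77816b4ffaaaeb061d033d33e1aa4db70c1c1ad9471fe7",
    "9842c0a49ea0cd22ca91f78b2cedd35ffe12bab7dbdcdb4c20cc16af50a02b3c",
    "adcb5c3d4f777b01655cfa0c4be4a9d3ad1345a94f5e1cdab50fdb052e7b3769",
    "c34d93400a47b4fbaa39586467aae94c23d5c2a16929e03836e184c0819b98f9",
    "c4392b06441a0826933e8a7cc36d29b5b42a94ec6d37cd35039e92dddc67c7a8",
    "c8bc08c9792c853ce913b2ea0ce87b67ae8ffec7ea92c248fdbf33959184f3ae",
    "d723f7bb031b36dbd5ab0f3d9bb7b995569dea439edfbe66a9f8999c1a0ce562",
}


def _norm_url(url):
    """Lower-case scheme and host, keep path and query, drop a trailing slash."""
    p = urlsplit(url.strip())
    rebuilt = f"{p.scheme.lower()}://{(p.hostname or '').lower()}{p.path}"
    if p.query:
        rebuilt += "?" + p.query
    return rebuilt.rstrip("/")


_NORM_IOC_URLS = {_norm_url(u) for u in IOC_URLS}


def match_domain(host):
    """Return the matching IOC domain for an exact host or one of its subdomains.

    Suffix matching on a label boundary avoids the false positives a plain
    substring 'like' match would produce."""
    host = host.lower().rstrip(".")
    for dom in IOC_DOMAINS:
        if host == dom or host.endswith("." + dom):
            return dom
    return None


def match_record(rec):
    """Return a list of (indicator_type, indicator) hits for one log record."""
    hits = []
    url = rec.get("url")
    if url:
        norm = _norm_url(url)
        if norm in _NORM_IOC_URLS:
            hits.append(("url", norm))
        dom = match_domain(urlsplit(url).hostname or "")
        if dom:
            hits.append(("domain", dom))
    for key in ("src", "dst"):  # an IOC address on either end of the flow counts
        ip = rec.get(key)
        if ip in IOC_IPS:
            hits.append(("ip", ip))
    digest = (rec.get("sha256") or "").lower()  # hashes are compared case-insensitively
    if digest in IOC_SHA256:
        hits.append(("sha256", digest))
    return hits


def scan(lines):
    """Scan JSON-lines records; return [(line_number, hits)] for lines that hit."""
    findings = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        hits = match_record(json.loads(line))
        if hits:
            findings.append((n, hits))
    return findings


# Constructed sample records in the shape of a proxy/EDR JSON-lines export
# (private and documentation-range addresses, not real telemetry).
SAMPLE_LOG = """
{"src": "10.20.0.11", "dst": "193.3.168.112", "url": "http://193.3.168.112/forra.rar"}
{"src": "10.20.0.12", "dst": "203.0.113.5", "url": "https://steamcommunity.com/profiles/76561199724331900"}
{"src": "10.20.0.13", "dst": "203.0.113.5", "url": "https://steamcommunity.com/app/730"}
{"src": "10.20.0.14", "dst": "203.0.113.9", "url": "https://CDN.www-clockify.me/Clockify(3.02)"}
{"src": "10.20.0.15", "dst": "203.0.113.9", "url": "https://clockify.me/downloads"}
{"src": "10.20.0.16", "dst": "85.209.11.155", "url": null}
{"host": "ws-042", "sha256": "C8BC08C9792C853CE913B2EA0CE87B67AE8FFEC7EA92C248FDBF33959184F3AE"}
""".strip().splitlines()

if __name__ == "__main__":
    for line_no, hits in scan(SAMPLE_LOG):
        print(f"line {line_no}: {hits}")
```

    Running the script flags lines 1, 2, 4, 6 and 7 of the sample: the RAR download (URL and destination IP), the exact Steam profile URL, a subdomain of the lookalike www-clockify.me host, a flow to the second IOC address, and an upper-cased copy of one listed hash. The generic Steam page and the vendor's real clockify.me domain produce no hit, which is the behaviour a substring `like` match on the bare domain would not give you.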

    Reference:

    https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-11-08-IOCs-for-malware-from-fake-Clockify-site.txt


    Tags: Malware, Lumma Stealer

