INFRASTRUCTURE UPDATES FOR APATEWEB CAMPAIGN

    Date: 11/21/2024

    Severity: Medium

    Summary

    The ApateWeb campaign has significantly expanded its infrastructure in 2024, with over 2,400 new domains observed this year alone. Together with the discovery of 5 new IP addresses hosting its entry points, this growth signals a widening threat. The campaign continues to register more than 200 domains each month, each built by concatenating two or three English words under the .com TLD (for example flatjeep.com or conceivesaucerfalcon.com in the list below). These updates indicate that the threat actors behind ApateWeb are intensifying their efforts to distribute scareware and potentially unwanted programs (PUPs), making detection and mitigation more challenging.

    Indicators of Compromise (IOC) List

    URL/Domain

    conceivesaucerfalcon.com

    scholarsslate.com

    swingdeceive.com

    viablehornsborn.com

    budgepenitent.com

    percentagesubsequentprosper.com

    scholarslate.com

    sausagefaithfemales.com

    bunabsence.com

    inclinedallusionnearby.com

    kindlygateway.com

    settlementlaying.com

    turniptriumphantanalogy.com

    crackbrilliancegown.com

    definiteeverblizzard.com

    decisionsensation.com

    heroismvarnish.com

    immoderatetender.com

    nicecartrigezip.com

    drakerecitalpraised.com

    hungerblackenunequal.com

    flatjeep.com

    shovegrave.com

    easterobsessive.com

    frameworkprogenybreastfeeding.com

    ghostnimblefrecklessfreckless.com

    harshlyfraternity.com

    harvestexcavator.com

    flyernovelty.com

    highperformanceformat.com

    intendemploy.com

    rabbitssignaturegrumble.com

    valestumble.com

    deploymentbalance.com

    larvamellow.com

    appearshundred.com

    panelghostscontractor.com

    stuffygirlie.com

    cleavertowardinformal.com

    coherentchuckled.com

    playsnourishbag.com

    recommendedblanket.com

    shamelessappellation.com

    shrewdcrumple.com

    brooksuitcase.com

    mankinddemocrat.com

    ownershornyplatitude.com

    workplaceanticipatedtribe.com

    detectivegrilled.com

    installationtruckuseful.com

    actglimpse.com

    detrimentalspark.com

    isobeldrug.com

    paritycreepercar.com

    discourageabjure.com

    everyoneprocessingworse.com

    federalacerbitylid.com

    researchingdestroy.com

    anybodyroutinefickle.com

    hatredappointsinging.com

    flockexecute.com

    https://budgepenitent.com/30/51/01/305101d66cd36c4a78b3655b260865ae.js

    https://conceivesaucerfalcon.com/9a/d6/93/9ad69306106b6973bcafe40ac0d2d6ca.js

    https://crackbrilliancegown.com/a5/21/5e/a5215ef0ecc7fe67eddb0d06da117587.js

    https://detectivegrilled.com/2c/03/60/2c0360ed33b0b4736859081c701f9a91.js

    https://kindlygateway.com/9d/9c/86/9d9c860636b52354b9d04ae0c7ea1af0.js

    https://panelghostscontractor.com/d8/00/23/d80023a5828b0e72461b8a871c06f929.js

    https://percentagesubsequentprosper.com/30/51/01/305101d66cd36c4a78b3655b260865ae.js

    https://recommendedblanket.com/2d/27/25/2d27255cab20c847b3a41dd1d11cd631.js

    https://sausagefaithfemales.com/15/ae/6c/15ae6c9abdee9221202fef11df7683f4.js

    https://sausagefaithfemales.com/79/dc/36/79dc36023c5ec5df9ca870f6e557b2cb.js

    https://scholarsslate.com/30/51/01/305101d66cd36c4a78b3655b260865ae.js

    https://shamelessappellation.com/2d/27/25/2d27255cab20c847b3a41dd1d11cd631.js

    https://shamelessappellation.com/73/0e/40/730e401eb387477f393579127aed718f.js

    https://shrewdcrumple.com/2d/27/25/2d27255cab20c847b3a41dd1d11cd631.js

    https://swingdeceive.com/4d/be/e5/4dbee55e59fc95ea4356dbb197f2132c.js

    https://viablehornsborn.com/46/13/76/461376390131460d2543a2334b5021e2.js

    IP Address

    172.240.108.68

    172.240.108.76

    172.240.108.84

    172.240.127.234

    172.240.253.132

    192.243.59.12

    192.243.59.13

    192.243.59.20

    192.243.61.225

    192.243.61.227

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    userdomainname like "federalacerbitylid.com" or url like "federalacerbitylid.com" or userdomainname like "rabbitssignaturegrumble.com" or url like "rabbitssignaturegrumble.com" or userdomainname like "brooksuitcase.com" or url like "brooksuitcase.com" or userdomainname like "anybodyroutinefickle.com" or url like "anybodyroutinefickle.com" or userdomainname like "easterobsessive.com" or url like "easterobsessive.com" or userdomainname like "valestumble.com" or url like "valestumble.com" or userdomainname like "budgepenitent.com" or url like "budgepenitent.com" or userdomainname like "inclinedallusionnearby.com" or url like "inclinedallusionnearby.com" or userdomainname like "discourageabjure.com" or url like "discourageabjure.com" or userdomainname like "scholarsslate.com" or url like "scholarsslate.com" or userdomainname like "shrewdcrumple.com" or url like "shrewdcrumple.com" or userdomainname like "shamelessappellation.com" or url like "shamelessappellation.com" or userdomainname like "percentagesubsequentprosper.com" or url like "percentagesubsequentprosper.com" or userdomainname like "everyoneprocessingworse.com" or url like "everyoneprocessingworse.com" or userdomainname like "viablehornsborn.com" or url like "viablehornsborn.com" or userdomainname like "deploymentbalance.com" or url like "deploymentbalance.com" or userdomainname like "playsnourishbag.com" or url like "playsnourishbag.com" or userdomainname like "shovegrave.com" or url like "shovegrave.com" or userdomainname like "coherentchuckled.com" or url like "coherentchuckled.com" or userdomainname like "harvestexcavator.com" or url like "harvestexcavator.com" or userdomainname like "hungerblackenunequal.com" or url like "hungerblackenunequal.com" or userdomainname like "kindlygateway.com" or url like "kindlygateway.com" or userdomainname like "sausagefaithfemales.com" or url like "sausagefaithfemales.com" or userdomainname like "highperformanceformat.com" or url like "highperformanceformat.com" or 
userdomainname like "cleavertowardinformal.com" or url like "cleavertowardinformal.com" or userdomainname like "swingdeceive.com" or url like "swingdeceive.com" or userdomainname like "conceivesaucerfalcon.com" or url like "conceivesaucerfalcon.com" or userdomainname like "mankinddemocrat.com" or url like "mankinddemocrat.com" or userdomainname like "heroismvarnish.com" or url like "heroismvarnish.com" or userdomainname like "paritycreepercar.com" or url like "paritycreepercar.com" or userdomainname like "settlementlaying.com" or url like "settlementlaying.com" or userdomainname like "https://percentagesubsequentprosper.com/30/51/01/305101d66cd36c4a78b3655b260865ae.js" or url like "https://percentagesubsequentprosper.com/30/51/01/305101d66cd36c4a78b3655b260865ae.js" or userdomainname like "turniptriumphantanalogy.com" or url like "turniptriumphantanalogy.com" or userdomainname like "detectivegrilled.com" or url like "detectivegrilled.com" or userdomainname like "actglimpse.com" or url like "actglimpse.com" or userdomainname like "hatredappointsinging.com" or url like "hatredappointsinging.com" or userdomainname like "flockexecute.com" or url like "flockexecute.com" or userdomainname like "flatjeep.com" or url like "flatjeep.com"

    Detection Query 2

    userdomainname like "scholarslate.com" or url like "scholarslate.com" or userdomainname like "bunabsence.com" or url like "bunabsence.com" or userdomainname like "crackbrilliancegown.com" or url like "crackbrilliancegown.com" or userdomainname like "definiteeverblizzard.com" or url like "definiteeverblizzard.com" or userdomainname like "decisionsensation.com" or url like "decisionsensation.com" or userdomainname like "immoderatetender.com" or url like "immoderatetender.com" or userdomainname like "nicecartrigezip.com" or url like "nicecartrigezip.com" or userdomainname like "drakerecitalpraised.com" or url like "drakerecitalpraised.com" or userdomainname like "frameworkprogenybreastfeeding.com" or url like "frameworkprogenybreastfeeding.com" or userdomainname like "ghostnimblefrecklessfreckless.com" or url like "ghostnimblefrecklessfreckless.com" or userdomainname like "harshlyfraternity.com" or url like "harshlyfraternity.com" or userdomainname like "flyernovelty.com" or url like "flyernovelty.com" or userdomainname like "intendemploy.com" or url like "intendemploy.com" or userdomainname like "larvamellow.com" or url like "larvamellow.com" or userdomainname like "appearshundred.com" or url like "appearshundred.com" or userdomainname like "panelghostscontractor.com" or url like "panelghostscontractor.com" or userdomainname like "stuffygirlie.com" or url like "stuffygirlie.com" or userdomainname like "recommendedblanket.com" or url like "recommendedblanket.com" or userdomainname like "ownershornyplatitude.com" or url like "ownershornyplatitude.com" or userdomainname like "workplaceanticipatedtribe.com" or url like "workplaceanticipatedtribe.com" or userdomainname like "installationtruckuseful.com" or url like "installationtruckuseful.com" or userdomainname like "detrimentalspark.com" or url like "detrimentalspark.com" or userdomainname like "isobeldrug.com" or url like "isobeldrug.com" or userdomainname like "researchingdestroy.com" or url like "researchingdestroy.com" or userdomainname like "https://budgepenitent.com/30/51/01/305101d66cd36c4a78b3655b260865ae.js" or url like "https://budgepenitent.com/30/51/01/305101d66cd36c4a78b3655b260865ae.js" or userdomainname like "https://conceivesaucerfalcon.com/9a/d6/93/9ad69306106b6973bcafe40ac0d2d6ca.js" or url like "https://conceivesaucerfalcon.com/9a/d6/93/9ad69306106b6973bcafe40ac0d2d6ca.js" or userdomainname like "https://crackbrilliancegown.com/a5/21/5e/a5215ef0ecc7fe67eddb0d06da117587.js" or url like "https://crackbrilliancegown.com/a5/21/5e/a5215ef0ecc7fe67eddb0d06da117587.js" or userdomainname like "https://detectivegrilled.com/2c/03/60/2c0360ed33b0b4736859081c701f9a91.js" or url like "https://detectivegrilled.com/2c/03/60/2c0360ed33b0b4736859081c701f9a91.js" or userdomainname like "https://kindlygateway.com/9d/9c/86/9d9c860636b52354b9d04ae0c7ea1af0.js" or url like "https://kindlygateway.com/9d/9c/86/9d9c860636b52354b9d04ae0c7ea1af0.js" or userdomainname like "https://panelghostscontractor.com/d8/00/23/d80023a5828b0e72461b8a871c06f929.js" or url like "https://panelghostscontractor.com/d8/00/23/d80023a5828b0e72461b8a871c06f929.js" or userdomainname like "https://percentagesubsequentprosper.com/30/51/01/305101d66cd36c4a78b3655b260865ae.js" or url like "https://percentagesubsequentprosper.com/30/51/01/305101d66cd36c4a78b3655b260865ae.js" or userdomainname like "https://recommendedblanket.com/2d/27/25/2d27255cab20c847b3a41dd1d11cd631.js" or url like "https://recommendedblanket.com/2d/27/25/2d27255cab20c847b3a41dd1d11cd631.js" or userdomainname like "https://sausagefaithfemales.com/15/ae/6c/15ae6c9abdee9221202fef11df7683f4.js" or url like "https://sausagefaithfemales.com/15/ae/6c/15ae6c9abdee9221202fef11df7683f4.js" or userdomainname like "https://sausagefaithfemales.com/79/dc/36/79dc36023c5ec5df9ca870f6e557b2cb.js" or url like "https://sausagefaithfemales.com/79/dc/36/79dc36023c5ec5df9ca870f6e557b2cb.js" or userdomainname like "https://scholarsslate.com/30/51/01/305101d66cd36c4a78b3655b260865ae.js" or url like "https://scholarsslate.com/30/51/01/305101d66cd36c4a78b3655b260865ae.js" or userdomainname like "https://shamelessappellation.com/2d/27/25/2d27255cab20c847b3a41dd1d11cd631.js" or url like "https://shamelessappellation.com/2d/27/25/2d27255cab20c847b3a41dd1d11cd631.js" or userdomainname like "https://shamelessappellation.com/73/0e/40/730e401eb387477f393579127aed718f.js" or url like "https://shamelessappellation.com/73/0e/40/730e401eb387477f393579127aed718f.js" or userdomainname like "https://shrewdcrumple.com/2d/27/25/2d27255cab20c847b3a41dd1d11cd631.js" or url like "https://shrewdcrumple.com/2d/27/25/2d27255cab20c847b3a41dd1d11cd631.js" or userdomainname like "https://swingdeceive.com/4d/be/e5/4dbee55e59fc95ea4356dbb197f2132c.js" or url like "https://swingdeceive.com/4d/be/e5/4dbee55e59fc95ea4356dbb197f2132c.js" or userdomainname like "https://viablehornsborn.com/46/13/76/461376390131460d2543a2334b5021e2.js" or url like "https://viablehornsborn.com/46/13/76/461376390131460d2543a2334b5021e2.js"

    Detection Query 3

    dstipaddress IN ("172.240.108.76","172.240.127.234","192.243.59.12","192.243.59.13","192.243.61.227","172.240.108.68","172.240.253.132","172.240.108.84","192.243.59.20","192.243.61.225") or ipaddress IN ("172.240.108.76","172.240.127.234","192.243.59.12","192.243.59.13","192.243.61.227","172.240.108.68","172.240.253.132","172.240.108.84","192.243.59.20","192.243.61.225") or publicipaddress IN ("172.240.108.76","172.240.127.234","192.243.59.12","192.243.59.13","192.243.61.227","172.240.108.68","172.240.253.132","172.240.108.84","192.243.59.20","192.243.61.225") or srcipaddress IN ("172.240.108.76","172.240.127.234","192.243.59.12","192.243.59.13","192.243.61.227","172.240.108.68","172.240.253.132","172.240.108.84","192.243.59.20","192.243.61.225")
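    The three queries above apply the indicators as flat lists of `like` and `IN` clauses. The script below is an added example, not code from Gurucul or Unit 42, that applies the same indicators to proxy log lines so the matching logic can be checked offline. A subset of the domains, URLs and IP addresses from the IOC list above is embedded; the six log lines, their whitespace-separated format, and the `host_matches`, `classify` and `scan` helpers are all constructed for this demonstration. Hosts are matched exactly or as subdomains on a dot boundary rather than by substring, full URLs are compared after normalising scheme and host, destination IPs are compared as addresses, and the `/aa/bb/cc/aabbcc<26 hex>.js` path layout that every URL in the IOC list shares is reported as a separate low-confidence signal, since that layout also occurs on legitimate content-addressed CDNs.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Added example, not code from Gurucul or Unit 42.  A subset of the IOCs
# listed on this page; a real deployment would load the full list from a feed.
IOC_DOMAINS = {
    "flatjeep.com", "budgepenitent.com", "scholarsslate.com",
    "viablehornsborn.com", "kindlygateway.com", "swingdeceive.com",
}
IOC_URLS = {
    "https://budgepenitent.com/30/51/01/305101d66cd36c4a78b3655b260865ae.js",
    "https://viablehornsborn.com/46/13/76/461376390131460d2543a2334b5021e2.js",
    "https://swingdeceive.com/4d/be/e5/4dbee55e59fc95ea4356dbb197f2132c.js",
}
IOC_IPS = {ipaddress.ip_address(a) for a in (
    "172.240.108.68", "172.240.108.76", "192.243.59.12", "192.243.61.225",
)}

# Every URL in the IOC list has the shape /aa/bb/cc/aabbcc<26 hex>.js: the
# three directory names are the first six hex digits of the 32-hex file name.
# Content-addressed layouts like this also occur on legitimate CDNs, so a
# match on the path alone is reported as a low-confidence signal only.
PATH_RE = re.compile(
    r"^/([0-9a-f]{2})/([0-9a-f]{2})/([0-9a-f]{2})/\1\2\3[0-9a-f]{26}\.js$"
)

# Constructed proxy log (assumed format): time src_ip dst_ip method url status
SAMPLE_LOG = """\
2024-11-21T10:00:01Z 10.0.0.5 172.240.108.68 GET https://budgepenitent.com/30/51/01/305101d66cd36c4a78b3655b260865ae.js 200
2024-11-21T10:00:02Z 10.0.0.5 93.184.216.34 GET https://cdn.example.com/30/51/01/305101d66cd36c4a78b3655b260865ae.js 200
2024-11-21T10:00:03Z 10.0.0.7 203.0.113.9 GET https://www.flatjeep.com/index.html 200
2024-11-21T10:00:04Z 10.0.0.7 203.0.113.9 GET https://notflatjeep.com/ 200
2024-11-21T10:00:05Z 10.0.0.9 192.243.59.12 CONNECT 192.243.59.12:443 200
2024-11-21T10:00:06Z 10.0.0.9 198.51.100.2 GET https://example.org/app.js 200
"""


def host_matches(host, domains):
    """True for an exact IOC domain or any subdomain of one.

    Suffix matching on a dot boundary means www.flatjeep.com hits while
    notflatjeep.com and flatjeep.com.example do not; a bare substring
    comparison gets both of those cases wrong.
    """
    host = host.lower().rstrip(".")
    return host in domains or any(host.endswith("." + d) for d in domains)


def classify(dst_ip, url):
    """Return the list of reasons a single request matches the indicators."""
    reasons = []
    # A CONNECT target is host:port with no scheme; prefix // so urlsplit parses it.
    parts = urlsplit(url if "://" in url else "//" + url)
    host = (parts.hostname or "").lower()

    # Full-URL indicator: scheme and host lower-cased, path compared verbatim.
    if parts.scheme and f"{parts.scheme.lower()}://{host}{parts.path}" in IOC_URLS:
        reasons.append("ioc_url")
    if host and host_matches(host, IOC_DOMAINS):
        reasons.append("ioc_domain")
    try:
        if ipaddress.ip_address(dst_ip) in IOC_IPS:
            reasons.append("ioc_ip")
    except ValueError:  # dst field holding a hostname rather than an address
        pass
    if PATH_RE.match(parts.path):
        reasons.append("path_pattern")
    return reasons


def scan(log_text):
    """Return (src_ip, url, reasons) for every line that matches at least one indicator."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, _method, url, _status = line.split()
        reasons = classify(dst, url)
        if reasons:
            hits.append((src, url, reasons))
    return hits


if __name__ == "__main__":
    for src, url, reasons in scan(SAMPLE_LOG):
        confidence = "LOW " if reasons == ["path_pattern"] else "HIGH"
        print(f"{confidence} {src} {url} {','.join(reasons)}")
```

    Run against the constructed log, the first line fires on all four signals, the cdn.example.com line fires only on the path layout and is reported as low confidence, www.flatjeep.com matches as a subdomain, notflatjeep.com does not match at all, and the CONNECT to 192.243.59.12 is caught by the IP list even though no hostname is present.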

    Reference: 

    https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-11-19-IOC-updates-for-ApateWeb-campaign.txt 


    Tags

    ApateWeb, TLD, PUPs
