Date: 01/16/2025
Severity: High
Summary
KongTuke involves a script injected into compromised websites that makes those sites display fake "verify you are human" pages. These deceptive pages copy a malicious PowerShell command to the victim's Windows clipboard and show step-by-step instructions urging the victim to paste and run it from a Run window. This tactic is part of a campaign commonly tracked as #KongTuke.
Indicators of Compromise (IOC) List
Domains\Urls:
https://prpages.com/4e2e.js
https://prpages.com/js.php?device=windows&ip=[base64 text]&refferer=[base64 text]==&browser=[base64 text]&ua=[base64 text]&domain=[base64 text]==&loc=[base64 text]&is_ajax=1
http://lggknhaffleahbh.top/1.php?s=527;iex $global:block.content
lggknhaffleahbh.top
adlndb2k9too7vt.top
rosettahome.top
rosettahome.cn
IP Address:
45.61.136.138
5.161.229.58
64.52.80.211
104.238.61.8
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Domains\Urls:
userdomainname like "rosettahome.top" or url like "rosettahome.top" or userdomainname like "adlndb2k9too7vt.top" or url like "adlndb2k9too7vt.top" or userdomainname like "rosettahome.cn" or url like "rosettahome.cn" or userdomainname like "https://prpages.com/4e2e.js" or url like "https://prpages.com/4e2e.js" or userdomainname like "lggknhaffleahbh.top" or url like "lggknhaffleahbh.top" or userdomainname like "https://prpages.com/js.php?device=windows&ip" or url like "https://prpages.com/js.php?device=windows&ip" or userdomainname like "http://lggknhaffleahbh.top/1.php?s=527;iex" or url like "http://lggknhaffleahbh.top/1.php?s=527;iex"
IP Address:
dstipaddress IN ("45.61.136.138","5.161.229.58","104.238.61.8","64.52.80.211") or ipaddress IN ("45.61.136.138","5.161.229.58","104.238.61.8","64.52.80.211") or publicipaddress IN ("45.61.136.138","5.161.229.58","104.238.61.8","64.52.80.211") or srcipaddress IN ("45.61.136.138","5.161.229.58","104.238.61.8","64.52.80.211")
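The queries above are written for the Gurucul TDIR platform. As an added example (not part of the advisory and not Gurucul code), the following Python script applies the same IOC set to a constructed proxy log so a practitioner without that platform can check the matching logic. Note that the TDIR `like` operator is a substring match, which would also flag a host such as rosettahome.top.example.org; the script instead matches domains on the registered host or any of its subdomains, and matches the prpages.com entries by URL prefix because the advisory lists them only as URLs, not as a domain. The log format (timestamp, source IP, destination IP, URL) and the log lines are assumptions made for this example.

```python
from urllib.parse import urlsplit

# IOC values taken from the advisory above.
IOC_DOMAINS = {
    "lggknhaffleahbh.top",
    "adlndb2k9too7vt.top",
    "rosettahome.top",
    "rosettahome.cn",
}
IOC_URL_PREFIXES = (
    "https://prpages.com/4e2e.js",
    "https://prpages.com/js.php?device=windows&ip=",
    "http://lggknhaffleahbh.top/1.php?s=527;iex",
)
IOC_IPS = {"45.61.136.138", "5.161.229.58", "64.52.80.211", "104.238.61.8"}

# Constructed sample proxy log (not real traffic), one request per line:
# <timestamp> <src_ip> <dst_ip> <url>
SAMPLE_LOG = """\
2025-01-16T10:00:01Z 10.0.0.5 93.184.216.34 https://example.com/index.html
2025-01-16T10:00:02Z 10.0.0.5 104.238.61.8 https://prpages.com/4e2e.js
2025-01-16T10:00:03Z 10.0.0.5 104.238.61.8 https://prpages.com/js.php?device=windows&ip=MTAuMC4wLjU=&is_ajax=1
2025-01-16T10:00:07Z 10.0.0.5 45.61.136.138 http://lggknhaffleahbh.top/1.php?s=527;iex
2025-01-16T10:01:00Z 10.0.0.6 93.184.216.34 https://rosettahome.top.example.org/
2025-01-16T10:02:00Z 10.0.0.7 5.161.229.58 https://cdn.rosettahome.cn/
"""


def host_matches(host, domain):
    """True if host is the IOC domain itself or one of its subdomains.

    Unlike a substring 'like' match this does not fire on hosts that merely
    contain the IOC domain as a prefix (e.g. rosettahome.top.example.org)."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def parse_line(line):
    """Split one log line into its four fields (assumed format, see above)."""
    ts, src, dst, url = line.split(None, 3)
    return {"ts": ts, "src": src, "dst": dst, "url": url}


def classify(entry):
    """Return a sorted list of reasons this log entry matches an IOC."""
    reasons = set()
    host = urlsplit(entry["url"]).hostname or ""
    for domain in IOC_DOMAINS:
        if host_matches(host, domain):
            reasons.add(f"domain:{domain}")
    for prefix in IOC_URL_PREFIXES:
        if entry["url"].startswith(prefix):
            reasons.add(f"url:{prefix}")
    # Mirror the TDIR query, which checks both source and destination fields.
    for field in ("src", "dst"):
        if entry[field] in IOC_IPS:
            reasons.add(f"ip:{entry[field]}")
    return sorted(reasons)


def scan(log_text):
    """Return (timestamp, src_ip, reasons) for every line that hits an IOC."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        reasons = classify(entry)
        if reasons:
            hits.append((entry["ts"], entry["src"], reasons))
    return hits


if __name__ == "__main__":
    for ts, src, reasons in scan(SAMPLE_LOG):
        print(ts, src, ", ".join(reasons))
```

Running the script on the constructed log reports four matching requests from hosts 10.0.0.5 and 10.0.0.7; the rosettahome.top.example.org line is deliberately not flagged, which is the difference between suffix matching and the platform's substring `like`. A real deployment would feed the IOC sets from the advisory into whatever log pipeline is in use rather than hard-coding them.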
Reference:
https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-01-13-IOCs-for-Kongtuke-activity.txt