KongTuke Leads to Infection Abusing BOINC

    Date: 01/16/2025

    Severity: High

    Summary

    KongTuke involves an injected script that causes associated websites to display fake "verify you are human" pages. These deceptive pages load the victim's Windows clipboard with a malicious PowerShell script and present detailed instructions urging the victim to paste and execute it in a Run window. This tactic is part of a campaign commonly tracked as #KongTuke.

    Indicators of Compromise (IOC) List

    Domains / URLs:

    https://prpages.com/4e2e.js

    https://prpages.com/js.php?device=windows&ip=[base64 text]&refferer=[base64 text]==&browser=[base64 text]&ua=[base64 text]&domain=[base64 text]==&loc=[base64 text]&is_ajax=1

    http://lggknhaffleahbh.top/1.php?s=527;iex $global:block.content

    lggknhaffleahbh.top

    adlndb2k9too7vt.top

    rosettahome.top

    rosettahome.cn

    IP Addresses:

    45.61.136.138

    5.161.229.58

    64.52.80.211

    104.238.61.8

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains / URLs:

    userdomainname like "rosettahome.top" or url like "rosettahome.top" or userdomainname like "adlndb2k9too7vt.top" or url like "adlndb2k9too7vt.top" or userdomainname like "rosettahome.cn" or url like "rosettahome.cn" or userdomainname like "https://prpages.com/4e2e.js" or url like "https://prpages.com/4e2e.js" or userdomainname like "lggknhaffleahbh.top" or url like "lggknhaffleahbh.top" or userdomainname like "https://prpages.com/js.php?device=windows&ip" or url like "https://prpages.com/js.php?device=windows&ip" or userdomainname like "http://lggknhaffleahbh.top/1.php?s=527;iex" or url like "http://lggknhaffleahbh.top/1.php?s=527;iex"

    IP Addresses:

    dstipaddress IN ("45.61.136.138","5.161.229.58","104.238.61.8","64.52.80.211") or ipaddress IN ("45.61.136.138","5.161.229.58","104.238.61.8","64.52.80.211") or publicipaddress IN ("45.61.136.138","5.161.229.58","104.238.61.8","64.52.80.211") or srcipaddress IN ("45.61.136.138","5.161.229.58","104.238.61.8","64.52.80.211")
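    The queries above match the advisory's indicators literally, field by field. As an added example (not code from the advisory or from Gurucul), the following Python applies the same indicators to constructed log records: URL fields are reduced to their host so that a full-URL indicator such as https://prpages.com/4e2e.js still matches a bare domain field, IP fields are checked against the listed addresses, and process command lines are checked for the "iex $global:block.content" fragment from the listed URL. The record layout and sample log records are assumptions.

```python
import re
from urllib.parse import urlparse

# Indicators taken from this advisory: hosts of the listed URLs/domains and the IPs.
KONGTUKE_DOMAINS = {
    "prpages.com", "lggknhaffleahbh.top", "adlndb2k9too7vt.top",
    "rosettahome.top", "rosettahome.cn",
}
KONGTUKE_IPS = {"45.61.136.138", "5.161.229.58", "64.52.80.211", "104.238.61.8"}
# The listed URL ends in "iex $global:block.content"; match that fragment in command lines.
IEX_PATTERN = re.compile(r"iex\s+\$global:block\.content", re.IGNORECASE)

def host_of(value):
    """Return the host part of a full URL or a bare hostname, lowercased."""
    value = value.strip().lower()
    if "://" not in value:          # bare domain: give urlparse a netloc to read
        value = "//" + value
    return urlparse(value).hostname or ""

def match_record(rec):
    """Return the reasons a log record matches the advisory's IOCs (empty list if none)."""
    hits = []
    for field in ("url", "userdomainname"):          # same fields as the query above
        host = host_of(rec.get(field, ""))
        if host in KONGTUKE_DOMAINS:
            hits.append(f"domain:{host}")
            break
    for field in ("dstipaddress", "srcipaddress", "ipaddress", "publicipaddress"):
        if rec.get(field) in KONGTUKE_IPS:
            hits.append(f"ip:{rec[field]}")
    if IEX_PATTERN.search(rec.get("commandline", "")):   # e.g. a 4688 / Sysmon process event
        hits.append("cmdline:iex-global-block")
    return hits

def scan(records):
    """Return (index, hits) for every record that matches at least one indicator."""
    results = []
    for i, rec in enumerate(records):
        hits = match_record(rec)
        if hits:
            results.append((i, hits))
    return results

# Constructed sample records (assumed field names; not taken from the advisory).
SAMPLE_RECORDS = [
    {"url": "https://prpages.com/js.php?device=windows&ip=QUJD", "dstipaddress": "45.61.136.138"},
    {"userdomainname": "www.example.com", "dstipaddress": "93.184.216.34"},
    {"commandline": 'powershell.exe -c "[elided];iex $global:block.content"'},
]
```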

    Reference:

    https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-01-13-IOCs-for-Kongtuke-activity.txt


    Tags

    Malware, KONGTUKE, BOINC
