Date: 02/26/2025
Severity: High
Summary
"The Dark Side of Clickbait: How Fake Video Links Deliver Malware" highlights a surge in phishing campaigns that use fake viral video links to trick users into downloading malware. The attack relies on social engineering, redirecting victims through multiple malicious websites before delivering the payload. Users are enticed with promises of exclusive content, leading them to fraudulent pages and deceptive download links.
Indicators of Compromise (IOC) List
URL/Domain | https://gitb.org/watch-click/?=archive https://viralxgo.com/watch-full-video/ https://purecopperapp.monster/indexind.php?flow_id=107&aff_click_id=D-21356743-1737975550-34G123G137G124-AITLS2195&keyword=Yourfile&ip=115.118.240.109&sub=22697121&source=157764 https://wlanpremiumapp.monster/indexind.php?flow_id=107&aff_click_id=D-21356743-1739353595-34G134G64G208-YBUVA1634&keyword=Yourfile&ip=115.118.240.109&sub=22697095&source=157764 https://savetitaniumapp.monster/?t=d6ebff4d554677320244f60589926b97 https://loadpremiumapp.monster/?t=74fddba44e47538821a2796e12191868 https://mega.nz/file/JG9nHAjQ#xYoJHxAy_mP1KlZC-m2P-UgPzXiHiH6XA0QQn62sseY |
Hash |
00001c98e08fa4d7f4924bd1c375149104bd4f1981cef604755d34ca225f2ce1
000e75287631a93264d11fc2b773c61992664277386f45fa19897a095e6a7c81
52c606609dab25cdd43f831140d7f296d89f9f979e00918f712018e8cc1b6750
00539e997eb6ae5f6f7cb050c3486a6dfb901b1268c13bdfeeec5b776bf81c1e
0047d7a61fd9279c9fba9a604ed892e4ec9d732b10c6562aab1938486a538b7d |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 | userdomainname like "https://gitb.org/watch-click/?=archive" or url like "https://gitb.org/watch-click/?=archive" or userdomainname like "https://viralxgo.com/watch-full-video/" or url like "https://viralxgo.com/watch-full-video/" or userdomainname like "https://purecopperapp.monster/indexind.php?flow_id=107&aff_click_id=D-21356743-1737975550-34G123G137G124-AITLS2195&keyword=Yourfile&ip=115.118.240.109&sub=22697121&source=157764" or url like "https://purecopperapp.monster/indexind.php?flow_id=107&aff_click_id=D-21356743-1737975550-34G123G137G124-AITLS2195&keyword=Yourfile&ip=115.118.240.109&sub=22697121&source=157764" or userdomainname like "https://wlanpremiumapp.monster/indexind.php?flow_id=107&aff_click_id=D-21356743-1739353595-34G134G64G208-YBUVA1634&keyword=Yourfile&ip=115.118.240.109&sub=22697095&source=157764" or url like "https://wlanpremiumapp.monster/indexind.php?flow_id=107&aff_click_id=D-21356743-1739353595-34G134G64G208-YBUVA1634&keyword=Yourfile&ip=115.118.240.109&sub=22697095&source=157764" or userdomainname like "https://savetitaniumapp.monster/?t=d6ebff4d554677320244f60589926b97" or url like "https://savetitaniumapp.monster/?t=d6ebff4d554677320244f60589926b97" or userdomainname like "https://loadpremiumapp.monster/?t=74fddba44e47538821a2796e12191868" or url like "https://loadpremiumapp.monster/?t=74fddba44e47538821a2796e12191868" or userdomainname like "https://mega.nz/file/JG9nHAjQ#xYoJHxAy_mP1KlZC-m2P-UgPzXiHiH6XA0QQn62sseY" or url like "https://mega.nz/file/JG9nHAjQ#xYoJHxAy_mP1KlZC-m2P-UgPzXiHiH6XA0QQn62sseY" |
Detection Query 2 |
sha256hash IN ("00001c98e08fa4d7f4924bd1c375149104bd4f1981cef604755d34ca225f2ce1","00539e997eb6ae5f6f7cb050c3486a6dfb901b1268c13bdfeeec5b776bf81c1e","000e75287631a93264d11fc2b773c61992664277386f45fa19897a095e6a7c81","52c606609dab25cdd43f831140d7f296d89f9f979e00918f712018e8cc1b6750","0047d7a61fd9279c9fba9a604ed892e4ec9d732b10c6562aab1938486a538b7d") |
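The URL indicators above carry query parameters whose values differ between the listed URLs (aff_click_id, sub), and the file-sharing link ends in a `#` fragment, which browsers do not send to the server, so log entries from another click will not contain those exact strings. The following is an added example, not part of the original advisory or of Gurucul's queries: it reduces each IOC URL to a host, or to host plus path for a shared file host, before matching. All domains, URLs and the `SHARED_HOSTS` set are constructed placeholders and assumptions.

```python
from urllib.parse import urlsplit

# Assumption: hosts that also serve legitimate content get host+path matching.
SHARED_HOSTS = {"files.example"}

# Constructed IOC URLs shaped like the advisory's indicators (not real IOCs).
IOC_URLS = [
    "https://lure-video.example/watch-full-video/",
    "https://dropapp.example/indexind.php?flow_id=107&aff_click_id=AAA-111&sub=1",
    "https://files.example/file/AbCdEf12#constructed-key-fragment",
]

# Constructed URLs as they might appear in a proxy log.
LOG_URLS = [
    "https://dropapp.example/indexind.php?flow_id=107&aff_click_id=ZZZ-999&sub=2",
    "https://files.example/file/AbCdEf12",
    "https://files.example/file/Other999",
    "cdn.lure-video.example/x",
    "https://notdropapp.example/",
]

def build_matchers(ioc_urls):
    """Reduce IOC URLs to stable keys: a set of hosts and a set of (host, path)."""
    hosts, host_paths = set(), set()
    for raw in ioc_urls:
        parts = urlsplit(raw)
        host = (parts.hostname or "").lower()
        if not host:
            continue
        if host in SHARED_HOSTS:
            # Query and fragment are dropped; the fragment never reaches a proxy.
            host_paths.add((host, parts.path.rstrip("/")))
        else:
            hosts.add(host)
    return hosts, host_paths

def match(log_url, hosts, host_paths):
    """Return 'host', 'host+path' or None for one URL taken from a log."""
    parts = urlsplit(log_url if "://" in log_url else "//" + log_url)
    host = (parts.hostname or "").lower()
    if host in hosts or any(host.endswith("." + h) for h in hosts):
        return "host"  # dedicated domain or one of its subdomains
    if (host, parts.path.rstrip("/")) in host_paths:
        return "host+path"  # shared host: only the exact object path matches
    return None

def scan(log_urls, ioc_urls=IOC_URLS):
    hosts, host_paths = build_matchers(ioc_urls)
    return [match(u, hosts, host_paths) for u in log_urls]
```

Host-level matching is only appropriate for domains dedicated to the campaign; anything in `SHARED_HOSTS` stays at path granularity to avoid flagging unrelated downloads.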
Reference:
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/the-dark-side-of-clickbait-how-fake-video-links-deliver-malware/