Brutkey

0xfeedc0fe
@0xfeedc0fe@infosec.exchange

@cR0w@infosec.exchange I'm not too worried about tipping them off at this point. I initially was keeping the indicators to trust communities but if they are monitoring, they're sloppy. I was actively adding their hosts to the Phishing Database project for more than a year, which feeds into VirusTotal, without noticing any major changes to their tactics. Using the Diamond Model and looking at the victims, which consistently target South African universities, leads me to suspect (with low confidence) that it is something similar to the Black Axe out of West Africa. My school has a decent number of Cameroonian students, including the accounts that initially caught my suspicion.

cR0w
@cR0w@infosec.exchange

@0xfeedc0fe@infosec.exchange I'll pass it on but I'm already away from my workstation for the weekend.

0xfeedc0fe
@0xfeedc0fe@infosec.exchange

@cR0w@infosec.exchange no rush. I've been toying with them for 2 years now =D

cR0w
@cR0w@infosec.exchange

@0xfeedc0fe@infosec.exchange Oh damn. The patient long game.

0xfeedc0fe
@0xfeedc0fe@infosec.exchange

@cR0w@infosec.exchange I used them as a practical exercise to find my way towards CTI & threat research. I had no clue what I was doing when I started and ended up with a VT crazy wall until I realized I could focus on the image host. These days, I'm more interested in finding malware to work with but still try to keep an eye on what this cluster is doing. Kind of tempted to try to package this for a CFP to show others that it's possible to have an impact even from outside of industry. Also, a useful hack for getting around the 5 years of experience that many HR teams add to entry level job listings.

cR0w
@cR0w@infosec.exchange

@0xfeedc0fe@infosec.exchange That's a nice way to sidestep that HR crap. Well done.

0xfeedc0fe
@0xfeedc0fe@infosec.exchange

@cR0w@infosec.exchange just a quick follow-up with some recent samples. danmartin[.]ro was the previous host. https://github.com/Phishing-Database/phishing/pull/869 includes a list of urlscan results

catenacciovintage[.]com is the current host
https://github.com/Phishing-Database/phishing/pull/878

it looks like they're primarily targeting South Africa at the moment but I wouldn't be surprised to see a shift to .edu domains in some of the lures over the coming weeks as the fall semester starts.
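
The indicators in the post above are shared defanged (`danmartin[.]ro`, `catenacciovintage[.]com`) so they cannot be clicked by accident. As an added example that is not part of the thread or of the Phishing Database project, the helper below refangs such indicators for machine use, defangs clean ones before they are pasted into a report, pulls hostnames out of a free-text note, and checks them against a local copy of a blocklist. The sample note and the `SAMPLE_FEED` set are constructed for the example and stand in for a real feed download; the Phishing Database's own file formats are not assumed.

```python
import re
from urllib.parse import urlparse

# Common defang spellings seen in shared indicators: hxxp(s), [.], (.), [dot], [:], [/], [@].
_REFANG_RULES = [
    (re.compile(r"\bhxxps?\b", re.IGNORECASE), lambda m: m.group(0).lower().replace("xx", "tt")),
    (re.compile(r"\[:\]"), ":"),
    (re.compile(r"\[(?:\.|dot)\]|\(\.\)|\{\.\}", re.IGNORECASE), "."),
    (re.compile(r"\[/\]"), "/"),
    (re.compile(r"\[@\]"), "@"),
]

# One regex for either a (possibly defanged) URL or a bare (possibly defanged) hostname.
_IOC_RE = re.compile(
    r"(?:hxxps?|https?)(?::|\[:\])//[^\s\"'<>()]+"
    r"|\b(?:[a-z0-9-]+(?:\.|\[\.\]|\(\.\)))+[a-z]{2,}\b",
    re.IGNORECASE,
)


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into its real form (for lookups, not for clicking)."""
    out = indicator.strip()
    for pattern, repl in _REFANG_RULES:
        out = pattern.sub(repl, out)
    return out


def defang(indicator: str) -> str:
    """Defang a clean URL or hostname: http(s) -> hxxp(s), dots in the host -> [.]."""
    s = indicator.strip()
    scheme, rest = "", s
    m = re.match(r"^(https?)://", s, re.IGNORECASE)
    if m:
        scheme = m.group(1).lower().replace("tt", "xx") + "://"
        rest = s[m.end():]
    # Only the host is defanged; the path stays readable for the analyst.
    host, sep, path = rest.partition("/")
    return scheme + host.replace(".", "[.]") + sep + path


def extract_hosts(text: str) -> list[str]:
    """Return the unique hostnames (refanged, lowercase) mentioned in a free-text note."""
    hosts: list[str] = []
    for m in _IOC_RE.finditer(text):
        clean = refang(m.group(0))
        host = urlparse(clean).hostname if "://" in clean else clean
        if host:
            host = host.lower().rstrip(".")
            if host not in hosts:
                hosts.append(host)
    return hosts


def match_feed(hosts: list[str], feed: set[str]) -> dict[str, bool]:
    """Mark which extracted hosts already appear in a (possibly defanged) blocklist."""
    known = {refang(entry).lower() for entry in feed}
    return {h: h in known for h in hosts}


# Constructed sample note, written in the style of the indicator hand-off above.
SAMPLE_NOTE = (
    "Quick follow-up with recent samples. danmartin[.]ro was the previous host; "
    "catenacciovintage[.]com is the current host. Example lure: "
    "hxxps://catenacciovintage[.]com/auth/login[.]php (kept defanged so it is not clickable)."
)

# Constructed stand-in for a locally cached blocklist; not the real Phishing Database content.
SAMPLE_FEED = {"danmartin[.]ro", "example-phish[.]test"}

if __name__ == "__main__":
    found = extract_hosts(SAMPLE_NOTE)
    for host, listed in match_feed(found, SAMPLE_FEED).items():
        status = "already listed" if listed else "NOT in local feed, candidate for submission"
        print(f"{defang(host):40} {status}")
```

Run stand-alone, the script reports the previous host as already listed and the current host as a candidate for submission; the same `extract_hosts` / `match_feed` pair can be pointed at a downloaded feed file once that file is read into a set.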

cR0w
@cR0w@infosec.exchange

@0xfeedc0fe@infosec.exchange Nice. Worth keeping an eye on for sure.