PacketWatch uses Validin threat intelligence inside WireSight to identify malicious traffic, pivot into related infrastructure, and uncover additional indicators of compromise tied to the LandUpdate808 and SmartApeSG campaigns. The investigation traces a malicious visit to cpajoliette[.]com, a ClickFix-delivered JavaScript chain, and a wider cluster of newly discovered .top domains and IP addresses used for SEO abuse and threat actor infrastructure. #Validin #PacketWatch #WireSight #LandUpdate808 #SmartApeSG #cpajoliettecom #bronzewhispertop
Keypoints
- PacketWatch integrates Validin Threat Feed and enrichment data into the WireSight console to flag malicious sessions and speed up investigation.
- A WireSight query identified outbound traffic to 172.67.156[.]216 and cpajoliette[.]com, with Validin marking the session as malicious.
- Lens Tool and Validin data linked the hostname to the LandUpdate808 fake software update campaign and Maltrail reputation tagging.
- SANS ISC reporting showed that cpajoliette[.]com had hosted malicious JavaScript d.js, associated with SmartApeSG and a ClickFix delivery flow.
- Pivots in Validin uncovered related infrastructure, including bronzewhisper[.]top, sharpfield[.]top, and multiple newly registered .top domains and IPs.
- Meta-description, favicon, and body-hash pivots helped expand the hunt to additional infrastructure likely tied to the same campaign cluster.
- PacketWatch then searched historical WireSight telemetry for the newly found IOCs and found matches, enabling further response and detection improvements.
MITRE Techniques
- [T1071.001 ] Web Protocols – The campaign used web traffic and JavaScript delivery through normal browser-accessed sites and redirects (‘the request immediately redirects to a new domain and JavaScript file’).
- [T1105 ] Ingress Tool Transfer – The malicious JavaScript and loader were delivered from remote infrastructure to the victim environment (‘the domain previously hosted a malicious JavaScript file, d.js’ and ‘this code functions as a ClickFix loader’).
- [T1059.001 ] PowerShell – Analysts were advised to check for suspicious PowerShell activity after the ClickFix lure (‘review endpoint logs for suspicious cmd.exe or PowerShell commands’).
- [T1059.003 ] Windows Command Shell – Analysts were advised to inspect cmd.exe activity in the suspected execution window (‘review endpoint logs for suspicious cmd.exe or PowerShell commands’).
- [T1204.001 ] Malicious Link – The threat used ClickFix prompts and website content to trick users into taking action (‘The report also shows that the domain leveraged a ClickFix prompt to trick users into downloading malware’).
- [T1583.001 ] Domains – Threat actors registered and used multiple domains for campaign infrastructure (‘recently registered domains’ and ‘additional domain IOCs’).
- [T1583.004 ] Cloud Service – Infrastructure was hosted behind Cloudflare and other cloud services (‘the IP address belongs to Cloudflare’ and ‘now resolves to a different Cloudflare IP address’).
- [T1595 ] Active Scanning – The article describes querying and hunting across session data and infrastructure to identify related hosts (‘query the client’s WireSight session data’ and ‘expand threat hunts’).
- [T1027 ] Obfuscated Files or Information – The JavaScript loader was described as obfuscated and required deobfuscation (‘Deobfuscating and analyzing this JavaScript is beyond the scope of this article’).
- [T1588.001 ] Obtain Capabilities: Malware – The infrastructure delivered malware through the ClickFix chain (‘trick users into downloading malware’).
Indicators of Compromise
- [IP address ] Malicious session and pivoted infrastructure – 172.67.156[.]216, 178.156.219[.]224, and other IPs used in related hosting
- [Domain names ] Core campaign domains and pivots – cpajoliette[.]com, bronzewhisper[.]top, sharpfield[.]top, and other related .top domains
- [Domain names ] Newly uncovered related infrastructure – crimsonterrace[.]top, coralmanor[.]top, ivorycourtyard[.]top, and other new domains
- [File names ] Malicious or loader JavaScript referenced in the investigation – d.js, tenant-asset[.]js
- [File hashes ] Pivotable content fingerprints used to find related sites – c06768826d06adfea5f86c63fcb01c21c8d67e0f, e3a46f20be728d46dac88ec757345713
- [ASN ] Shared hosting infrastructure for related domains – AS213230 (HETZNER-CLOUD2-AS), used by several suspicious .top domains
Read more: https://www.validin.com/blog/packetwatch_validin/