Users in question:
a) Recently they both started posting (after a lengthy hiatus) multiple threads across different boards (including local boards).
b) I scanned the link of the service (Mammon) that they were promoting but nothing came up on VirusTotal and other similar websites.
c) Then I checked the included YouTube link (only some of the threads have it). I noticed there's a different link (original one) on the description of the video than the one given on these new threads.
d) So I searched for the original thread and found it:
Mammon - Desktop Ticker Price Tracker
e) Then I went over the other given links (from the above two users) and surprisingly, they included "this Medium link (explains the cryptojacking part)".
- That was the strange part since it pushed me to look deeper and I ended up finding the following connection:
- I looked for other VirusTotal alternatives and found "ReScan.pro" (result).
- The above screenshot (result), only shows half of the link but if you go to "RedirectDetective" and paste the link address from "mammon (Download Mac App v0.2.9 button)", it "shows" that it's the exact same link (redirects) from the original website (teamfox [Download Mac App v0.2.8 button]).
Conclusion:
- The above results show the connection between "seniorhuman, Rockford99 and rcocchiararo" and if we take the above "Medium" link into consideration, then these three users have spread malware (cryptojacking) across different boards and need to be punished.
This thread serves as a reference for my report.
Update
Another one:
Pilippe - (Latest posts)