2021-07-29-IOCs-for-BazarLoader-CobaltStrike-PrintNightmare.txt
2021-07-29 (THURSDAY) - STOLEN IMAGES EVIDENCE.ZIP --> BAZARLOADER --> COBALT STRIKE --> PRINTNIGHTMARE
REFERENCE:
- https://twitter.com/Unit42_Intel/status/1421117403644186629
NOTES:
- We have evidence of this campaign starting as early as November 2020.
- This campaign previously pushed IcedID (Bokbot) malware as described here:
https://www.microsoft.com/security/blog/2021/04/09/investigating-a-unique-form-of-email-delivery-for-icedid-malware/
- This campaign switched from IcedID to BazarLoader in early July 2021. Reference:
https://twitter.com/malware_traffic/status/1412470165179092992
- We continue to see BazarLoader from this campaign followed with Cobalt Strike, which can lead to other malicious activity as seen here.
CHAIN OF EVENTS:
- Email --> Link --> Stolen Images Evidence.zip --> Stolen Images Evidence.js --> BazarLoader DLL --> Bazar C2 traffic -->
Cobalt Strike --> follow-up malware including PrintNightmare
DOWNLOADED ZIP AND EXTRACTED .JS FILE:
- b2a996a9301cdb9f19dec6105880aa5530758cc29347c389de48c15728cad25d Stolen Images Evidence.zip
- 88d4d3f48bd23543980b70b5a78606d80c2917bfcd960991eb9a8ddf6ac58ed2 Stolen Images Evidence.js
BAZARLOADER DLL:
- SHA256 hash: 37065b2a4cdaec2b1a260b39738746cb45895bd6d508e7aa5e4013e94abc6196
- Location: C:\Users\[username]\AppData\Local\Temp\miFrRGoM.dat
- Run method: rundll32.exe [filename],StartW
COBALT STRIKE BINARIES:
- SHA256 hash: bab8196c3630b25a0dc1c21303881e0dc4d1f560655b7f86e6986c9eb84ae946
- Location: C:\Users\[username]\Downloads\162_64.exe
- SHA256 hash: 087153ed5bb9bb9807e37a8fd745a16a634497a842896f232ab4cfb54197ba00
- Location: C:\Users\[username]\Downloads\162_64.dll
- Run method: regsvr32.exe 162_64.dll
POWERSHELL SCRIPT FOR PRINTNIGHTMARE:
- SHA256 hash: a1e737140c474872759add27ef45f0d9772fcb32c48aabd82d6d4055ccbfafb9
- Location: C:\Users\[username]\Downloads\1675.ps1
OTHER MALICIOUS FILES:
- SHA256 hash: 51ddba2bfdccb9ae4e640ae2fa67594e51cc4303a2e8cefe5afde33cc2a37976
- Location: C:\Users\[username]\Downloads\starterO.exe
- SHA256 hash: b3af3e97b503df85ee940044eb64ad482698bde256feee054d97879eac53780b
- Location: C:\Users\[username]\Downloads\starterOF.exe
TRAFFIC GENERATED BY STOLEN IMAGES EVIDENCE.JS:
- 172.67.181[.]157 port 80 - munardis[.]space - GET /222g100/index.php HTTP/1.1
- 172.67.181[.]157 port 80 - munardis[.]space - GET /222g100/main.php HTTP/1.1
BAZAR C2 TRAFFIC:
- hxxps://195.123.233[.]106/anchor/south
- hxxps://13.52.241[.]196/anchor/south
COBALT STRIKE TRAFFIC:
- 31.14.40[.]172 port 443 - postformt[.]com - Client Hello (HTTPS traffic)
- 162.244.80[.]46 port 80 - loikdo[.]com - GET /components/mt.ico HTTP/1.1
- 162.244.80[.]46 port 80 - loikdo[.]com - GET /copyright.js?terms=false HTTP/1.1
- 162.244.80[.]46 port 80 - loikdo[.]com - POST /xmlconnect HTTP/1.1 (text/plain)
NOTES:
- postformt[.]com reported as Cobalt Strike by @mojoesec on 2021-07-20 at:
https://twitter.com/mojoesec/status/1417574273988931585
- loikdo[.]com reported as Cobalt Strike by @mojoesec on 2021-07-29 at:
https://twitter.com/bryceabdo/status/1420839047426084869
But HTTP traffic patterns also indicate this is Cobalt Strike.
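The hashes, hosts, URIs and run methods above are published defanged, which is how they should be stored and shared, but they have to be refanged before they can be matched against real logs. The script below is an added example, not part of the original IOC list: it refangs the network indicators, looks for the file hashes, the C2/payload hosts and the URI paths (the URI paths only count when a listed host appears on the same line, since paths like /copyright.js are weak on their own), and adds two behavioural checks derived from the "Run method" lines (rundll32 calling the StartW export of a .dat in %LOCALAPPDATA%\Temp, and regsvr32 registering a DLL out of Downloads). The log line formats and the regular expressions are my own assumptions for the example; adapt them to the field layout of the proxy and endpoint telemetry you actually have.

```python
"""Hunt for the 2021-07-29 BazarLoader / Cobalt Strike / PrintNightmare IOCs.
Added example, not from the original author of the IOC list. The sample log
lines and their field layout are constructed for this example."""
import re

# Indicators copied from the IOC list above (hashes are already plain hex).
FILE_HASHES = {
    "b2a996a9301cdb9f19dec6105880aa5530758cc29347c389de48c15728cad25d": "Stolen Images Evidence.zip",
    "88d4d3f48bd23543980b70b5a78606d80c2917bfcd960991eb9a8ddf6ac58ed2": "Stolen Images Evidence.js",
    "37065b2a4cdaec2b1a260b39738746cb45895bd6d508e7aa5e4013e94abc6196": "BazarLoader DLL (miFrRGoM.dat)",
    "bab8196c3630b25a0dc1c21303881e0dc4d1f560655b7f86e6986c9eb84ae946": "Cobalt Strike 162_64.exe",
    "087153ed5bb9bb9807e37a8fd745a16a634497a842896f232ab4cfb54197ba00": "Cobalt Strike 162_64.dll",
    "a1e737140c474872759add27ef45f0d9772fcb32c48aabd82d6d4055ccbfafb9": "PrintNightmare 1675.ps1",
    "51ddba2bfdccb9ae4e640ae2fa67594e51cc4303a2e8cefe5afde33cc2a37976": "starterO.exe",
    "b3af3e97b503df85ee940044eb64ad482698bde256feee054d97879eac53780b": "starterOF.exe",
}
# Network indicators kept defanged exactly as published; refanged below.
DEFANGED_NETWORK = [
    "munardis[.]space", "postformt[.]com", "loikdo[.]com",
    "172.67.181[.]157", "195.123.233[.]106", "13.52.241[.]196",
    "31.14.40[.]172", "162.244.80[.]46",
    "hxxps://195.123.233[.]106/anchor/south",
    "hxxps://13.52.241[.]196/anchor/south",
]
# URI paths from the HTTP IOCs; only reported when a listed host is on the same line.
URI_PATHS = ["/222g100/index.php", "/222g100/main.php",
             "/components/mt.ico", "/copyright.js", "/xmlconnect"]


def refang(ioc: str) -> str:
    """Undo the usual defanging so indicators match what real logs contain."""
    return (ioc.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", "."))


NETWORK_IOCS = [refang(x) for x in DEFANGED_NETWORK]

# Behavioural patterns derived from the "Run method" lines (my regexes, an assumption
# about how the command line is logged): rundll32 <path>\AppData\Local\Temp\*.dat,StartW
# and regsvr32 <path>\Downloads\*.dll.
RUNDLL32_STARTW = re.compile(
    r"rundll32(?:\.exe)?\s+\S*\\AppData\\Local\\Temp\\[^\s,]+\.dat,StartW", re.I)
REGSVR32_DOWNLOADS = re.compile(
    r"regsvr32(?:\.exe)?\s+\S*\\Downloads\\[^\s]+\.dll", re.I)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)


def scan_line(line: str) -> list:
    """Return (kind, indicator) hits for one log line, in a fixed order."""
    hits = []
    for h in SHA256_RE.findall(line):
        if h.lower() in FILE_HASHES:
            hits.append(("sha256", FILE_HASHES[h.lower()]))
    low = line.lower()
    host_hit = False
    for ioc in NETWORK_IOCS:
        if ioc.lower() in low:
            hits.append(("network", ioc))
            host_hit = True
    if host_hit:  # paths alone are too generic to alert on
        for path in URI_PATHS:
            if path in line:
                hits.append(("uri", path))
    if RUNDLL32_STARTW.search(line):
        hits.append(("behaviour", "rundll32 <Temp>\\*.dat,StartW"))
    if REGSVR32_DOWNLOADS.search(line):
        hits.append(("behaviour", "regsvr32 <Downloads>\\*.dll"))
    return hits


def scan(lines) -> list:
    """Return [(line_number, hits)] for every line with at least one hit."""
    results = []
    for n, line in enumerate(lines, 1):
        hits = scan_line(line)
        if hits:
            results.append((n, hits))
    return results


# Constructed sample telemetry (proxy-style web log and endpoint events); not real data.
SAMPLE_LOGS = [
    "2021-07-29T14:02:11Z 10.1.2.33 GET http://munardis.space/222g100/index.php 200",
    "2021-07-29T14:02:13Z 10.1.2.33 GET http://munardis.space/222g100/main.php 200",
    "2021-07-29T14:03:40Z 10.1.2.33 CONNECT 195.123.233.106:443 -",
    "2021-07-29T14:05:02Z 10.1.2.33 POST http://loikdo.com/xmlconnect 200",
    r"2021-07-29T14:03:05Z ProcessCreate user=jdoe cmd=rundll32.exe C:\Users\jdoe\AppData\Local\Temp\miFrRGoM.dat,StartW",
    r"2021-07-29T14:04:50Z ProcessCreate user=jdoe cmd=regsvr32.exe C:\Users\jdoe\Downloads\162_64.dll",
    r"2021-07-29T14:04:48Z FileCreate sha256=087153ed5bb9bb9807e37a8fd745a16a634497a842896f232ab4cfb54197ba00 path=C:\Users\jdoe\Downloads\162_64.dll",
    "2021-07-29T14:01:00Z 10.1.2.33 GET https://www.microsoft.com/ 200",  # benign
    r"2021-07-29T14:01:30Z ProcessCreate user=jdoe cmd=rundll32.exe shell32.dll,Control_RunDLL",  # benign
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOGS):
        print(n, hits)
```

Run against the constructed sample, the seven malicious lines are flagged and the two benign lines (a normal web request and a legitimate rundll32 invocation) are not. The hash check is exact, the host/IP check is a case-insensitive substring match after refanging, and the behavioural regexes deliberately key on the drop locations and the StartW export rather than the specific file names, since those change per sample while the loader mechanics tend not to.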