Another day, another wave of malware. Although there’s plenty to find, I’ve been focusing on BazarLoader as it comes through various distribution channels. One such channel is the “Stolen Images Evidence” campaign, which Microsoft describes here. This campaign was pushing IcedID as we entered 2021, but it switched to BazarLoader as early as July 2021.
The “Stolen Images Evidence” campaign uses emails generated through contact forms on various websites, so these messages don’t originate through normal spam methods. They arrive as contact form submissions describing a copyright violation to the intended victim. These form-submitted messages include a Google Firebase Storage URL in the message text. This malicious link supposedly provides proof of the stolen images that resulted in the copyright violation.
Shown above: Link from a copyright violation-themed email generated by a contact form submission.
Downloaded zip archives
Shown above: Example of a downloaded zip archive and extracted .js file.
BazarLoader from the JS file
Shown above: BazarLoader DLL stored to an infected Windows host.
Infection traffic is typical for what we normally see with BazarLoader.
Shown above: Traffic from an infection filtered in Wireshark.
Indicators of Compromise (IOCs)
The following is malware retrieved from an infected Windows host.
SHA256 hash: c1cc9ec32368165e6625b2e2623ac0c3ca69bfa63a5b11e82a09bf18f6bd6410
- File size: 4,763 bytes
- File name: Stolen Images Evidence.zip
- File description: zip archive downloaded after clicking Google Firebase Storage link
SHA256 hash: 5a22e9bde5aaed03b323e5c933c473e9ba3831f4473790a3d4394baefe809d8a
- File size: 15,755 bytes
- File name: Stolen Images Evidence.js
- File description: JS file extracted from the above zip archive
SHA256 hash: dcf67fd6bfb62bea66f5e45d871d6c15b0c61d85c5fa9e9ded03e57f83dfc814
- File size: 203,281 bytes
- File location: hxxp://mabiorex[.]space/333g100/main.php
- File location: C:\Users\[username]\AppData\Local\Temp\motHf.dat
- File description: BazarLoader DLL retrieved by the above JS file
- Run method: rundll32.exe [filename],StartW
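The run method and drop location above (a non-.dll file in %TEMP% launched through rundll32.exe with the StartW export, typically by the script host that ran the .js) are enough to build a simple hunting rule. The following is an added example, not code from the diary: it scores constructed Sysmon-style process-creation events (field names ParentImage, Image, CommandLine and the sample paths are assumptions) and flags the BazarLoader-like pattern while passing over benign rundll32 use.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events (Sysmon Event ID 1 style, simplified).
# The first mirrors the diary's IOCs: a .dat in %TEMP% run via rundll32 [filename],StartW.
# User names and vendor paths are made up.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\motHf.dat,StartW"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Program Files\Vendor\helper.dll",Init'},
]

# rundll32 <path>,<export>; the path may be quoted and may contain spaces.
RUNDLL32_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<path>[^",]+?)"?\s*,\s*(?P<export>\S+)', re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")

def score_rundll32_event(event: Dict[str, str]) -> List[str]:
    """Return the reasons this rundll32 launch resembles the BazarLoader run method.
    An empty list means the event did not match any indicator."""
    if not event["Image"].lower().endswith("rundll32.exe"):
        return []
    m = RUNDLL32_RE.search(event["CommandLine"])
    if not m:
        return []
    path, export = m.group("path"), m.group("export")
    reasons = []
    if TEMP_DIR_RE.search(path):
        reasons.append("dll loaded from %TEMP%")
    if not path.lower().endswith(".dll"):
        reasons.append("dll has non-.dll extension")
    if export == "StartW":
        reasons.append("export StartW")
    if event["ParentImage"].lower().endswith(SCRIPT_HOSTS):
        reasons.append("parent is a script host")
    return reasons

def find_suspicious(events, min_reasons: int = 2):
    """Require at least two indicators so a lone DLL in %TEMP% (e.g. an installer) is not flagged."""
    hits = [(e["CommandLine"], score_rundll32_event(e)) for e in events]
    return [(cmd, why) for cmd, why in hits if len(why) >= min_reasons]
```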
Google Firebase URL used to deliver the malicious zip archive:
Malicious domain called when using the above Google Firebase URL:
- 172.67.145[.]134 port 443 – zvanij[.]space – HTTPS traffic
- 188.8.131.52 port 80 – mabiorex[.]space – GET /333g100/index.php
- 184.108.40.206 port 80 – mabiorex[.]space – GET /333g100/main.php
Bazar C2 traffic:
The associated malware samples have been submitted to bazaar.abuse.ch, and they’re available using links from the above SHA256 hashes.
This campaign uses “Stolen Images Evidence” and copyright violation as its primary theme. However, it also used a “DDoS attack proof” theme last month. Either way, this campaign has been fairly active in 2021, and we expect it to continue throughout the rest of this year. It will probably continue into 2022 as well.
brad [at] malware-traffic-analysis.net
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.