MVISION Insights: Stolen Images Evidence Campaign Drops BazarLoader

Technical Articles ID: KB95152
Last Modified: 1/13/2022

Environment

IMPORTANT: This Knowledge Base article discusses a specific threat that is being automatically tracked by MVISION Insights technology. The content is intended for use by MVISION Insights users, but is provided for general knowledge to all customers. Contact us for more information about MVISION Insights.

Summary

Description of Campaign
The Stolen Images Evidence campaign switched from infecting Microsoft Windows devices with IcedID to pushing BazarLoader. The malicious software was delivered through an email campaign with a link directing victims to a website hosted on Google Firebase. The emails were generated through contact forms on various websites and attempted to convince users by claiming the messages were due to copyright violations.

The McAfee Enterprise ATR Team gathers and analyzes information from multiple open and closed sources before disseminating intelligence reports.
This campaign was researched by ISC and shared publicly here.

How to use this article:

If a Threat Hunting table has been created, use the rules contained to search for malware related to this campaign.
Review the product detection table and confirm that your environment is at least on the specified content version.
To download the latest content versions, go to the Security Updates page.
Scroll down and review the "Product Countermeasures" section of this article. Consider implementing them if they are not already in place.
Review KB91836 - Countermeasures for entry vector threats.
Review KB87843 - Dynamic Application Containment rules and best practices.
Review KB82925 - Identify what rule corresponds to an Adaptive Threat Protection and Threat Intelligence Exchange event.

This Knowledge Base article discusses a specific threat that is being tracked. The list of IOCs will change over time; check MVISION Insights for the latest IOCs.

Campaign IOC

Type	Value
SHA256	C1CC9EC32368165E6625B2E2623AC0C3CA69BFA63A5B11E82A09BF18F6BD6410
SHA256	5A22E9BDE5AAED03B323E5C933C473E9BA3831F4473790A3D4394BAEFE809D8A
SHA256	DCF67FD6BFB62BEA66F5E45D871D6C15B0C61D85C5FA9E9DED03E57F83DFC814
URL	http://mabiorex.space/333g100/main.php
URL	https://firebasestorage.googleapis.com/v0/b/app9-96feb.appspot.com/o/d-03rfdsbknu.html?alt=media&token=f7fc9a25-71b6-424d-aaf7-208fb11c27dd&f=025239220255728020
URL	https://194.15.113.160/workdir/tasks/run/handle
URL	https://198.244.180.69/workdir/tasks/run/handle
URL	https://89.41.182.134/workdir/tasks/run/handle
URL	https://172.83.155.144/workdir/tasks/run/handle
IP-DST	172.67.145.134
IP-DST	104.21.10.6
DOMAIN	zvanij.space
DOMAIN	mabiorex.space

Minimum Content Versions:

Content Type	Version
V2 DAT (VirusScan Enterprise)	10115
V3 DAT (Endpoint Security)	4568

Detection Summary

IOC	Scanner	Detection
C1CC9EC32368165E6625B2E2623AC0C3CA69BFA63A5B11E82A09BF18F6BD6410	AVEngine V2	JS/Downloader.et
	AVEngine V3	JS/Downloader.et
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
5A22E9BDE5AAED03B323E5C933C473E9BA3831F4473790A3D4394BAEFE809D8A	AVEngine V2	JS/Downloader.et
	AVEngine V3	JS/Downloader.et
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
DCF67FD6BFB62BEA66F5E45D871D6C15B0C61D85C5FA9E9DED03E57F83DFC814	AVEngine V2	Bazar-FTWR!51FB9BBECF30
	AVEngine V3	Bazar-FTWR!51FB9BBECF30
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

Affected Products

MVISION Insights

Knowledge Center

MVISION Insights: Stolen Images Evidence Campaign Drops BazarLoader

Environment

Summary

Affected Products

Title

Title

Knowledge Center

MVISION Insights: Stolen Images Evidence Campaign Drops BazarLoader

Environment

Summary

Affected Products

Choose your region

Title

Title