{
  "Event": {
    "analysis": "0",
    "date": "2023-03-16",
    "extends_uuid": "",
    "info": "BatLoader Continues to Abuse Google Search Ads to Deliver Vidar Stealer and Ursnif",
    "publish_timestamp": "1713171981",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1679499354",
    "uuid": "196cf336-896a-4cc1-9aa9-3480ecd9cf27",
    "Orgc": { "name": "Centre for Cyber security Belgium", "uuid": "5cf66e53-b5f8-43e7-be9a-49880a3b4631" },
    "Tag": [
      { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" },
      { "colour": "#086200", "local": false, "name": "admiralty-scale:source-reliability=\"c\"", "relationship_type": "" },
      { "colour": "#11d000", "local": false, "name": "admiralty-scale:information-credibility=\"3\"", "relationship_type": "" },
      { "colour": "#bd8c8c", "local": false, "name": "Ursnif", "relationship_type": "" },
      { "colour": "#9258A7", "local": false, "name": "Vidar", "relationship_type": "" },
      { "colour": "#ff3bf0", "local": false, "name": "VidarStealer", "relationship_type": "" },
      { "colour": "#c42094", "local": false, "name": "batloader", "relationship_type": "" },
      { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" },
      { "colour": "#D6064D", "local": false, "name": "Python", "relationship_type": "" },
      { "colour": "#006980", "local": false, "name": "stone:malware-categorization=\"Loader\"", "relationship_type": "" },
      { "colour": "#add1d0", "local": false, "name": "malware_advertising", "relationship_type": "" },
      { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Network Traffic Capture or Redirection - T1410\"", "relationship_type": "" },
      { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Command and Scripting Interpreter - T1059\"", "relationship_type": "" },
      { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Scripting - T1064\"", "relationship_type": "" },
      { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-malware=\"Ursnif - S0386\"", "relationship_type": "" },
      { "colour": "#0088cc", "local": false, "name": "misp-galaxy:sigma-rules=\"Ursnif\"", "relationship_type": "" },
      { "colour": "#1f2325", "local": false, "name": "misp-galaxy:malpedia=\"vidar\"", "relationship_type": "" },
      { "colour": "#0088cc", "local": false, "name": "misp-galaxy:stealer=\"Vidar\"", "relationship_type": "" },
      { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"", "relationship_type": "" },
      { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\"", "relationship_type": "" }
    ],
    "Attribute": [
      { "category": "Payload delivery", "comment": "Vidar", "deleted": false, "disable_correlation": false, "timestamp": "1679316559", "to_ids": true, "type": "md5", "uuid": "fbf3a94e-265c-4742-8765-42f4dee9a68a", "value": "3db1edc5b5550f54abdcb5520cf91d75" },
      { "category": "Payload delivery", "comment": "Ursnif", "deleted": false, "disable_correlation": false, "timestamp": "1679316560", "to_ids": true, "type": "md5", "uuid": "e476f444-5413-4a50-8389-1942bdf0828f", "value": "0cb75b1192b23b8e03d955f1156ad19e" },
      { "category": "Payload delivery", "comment": "Ursnif", "deleted": false, "disable_correlation": false, "timestamp": "1679316560", "to_ids": true, "type": "md5", "uuid": "da48fa1c-e72b-492c-aee0-618e3c0c3a41", "value": "85fbc743bb686688ce05cf3289507bf7" },
      { "category": "Payload delivery", "comment": "AdobeSetup.msi (BatLoader)", "deleted": false, "disable_correlation": false, "timestamp": "1679316560", "to_ids": true, "type": "md5", "uuid": "b89500da-16e3-4afc-a304-197204594ca0", "value": "11ae3dabdb2d2458da43558f36114acb" },
      { "category": "Payload delivery", "comment": "AdobeSetup.msi (BatLoader)", "deleted": false, "disable_correlation": false, "timestamp": "1679316560", "to_ids": true, "type": "md5", "uuid": "85e8cec6-63f7-44c6-8493-87efa0b28da1", "value": "9ebbe0a1b79e6f13bfca014f878ddeec" },
      { "category": "Network activity", "comment": "BatLoader C2", "deleted": false, "disable_correlation": false, "timestamp": "1679316560", "to_ids": true, "type": "domain", "uuid": "463c4efd-3a62-4e8f-8a59-ada9b67d63e1", "value": "shvarcnegerhistory.com" },
      { "category": "Network activity", "comment": "BatLoader C2", "deleted": false, "disable_correlation": false, "timestamp": "1679316560", "to_ids": true, "type": "domain", "uuid": "ff9a5935-7612-4689-9697-c211271ce798", "value": "pixelarmada.su" },
      { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1679316560", "to_ids": true, "type": "domain", "uuid": "3d3d8c59-933e-480f-865a-47ecfd490f2e", "value": "uelcoskdi.ru" },
      { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1679316825", "to_ids": false, "type": "domain", "uuid": "45dc2de9-9c07-4ed3-ac8c-4e7822b2e776", "value": "iujdhsndjfks.ru" },
      { "category": "Network activity", "comment": "Ursnif C2", "deleted": false, "disable_correlation": false, "timestamp": "1679316560", "to_ids": true, "type": "domain", "uuid": "3a1e62d1-bf68-4356-ad04-a457f86bcb12", "value": "isoridkf.ru" },
      { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1679316560", "to_ids": true, "type": "domain", "uuid": "d45879c9-4bb9-46a4-9758-b9fdf54a559d", "value": "gameindikdowd.ru" },
      { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1679316831", "to_ids": false, "type": "domain", "uuid": "11df1b95-2879-499b-a6e2-ddc9e23d59b3", "value": "jhgfdlkjhaoiu.su" },
      { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1679316560", "to_ids": true, "type": "domain", "uuid": "5998047d-94c4-42c2-8d93-ab739aa0097f", "value": "reggy506.ru" },
      { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1679316560", "to_ids": true, "type": "domain", "uuid": "59e45cab-2814-42f4-a699-f5c37e90fa9d", "value": "reggy914.ru" },
      { "category": "Network activity", "comment": "Suspected BatLoader Domains Registered in February 2023", "deleted": false, "disable_correlation": false, "timestamp": "1679316630", "to_ids": true, "type": "domain", "uuid": "c4ba0178-316f-40c3-bf9e-86d2350fdd15", "value": "chatgpt-t.com" },
      { "category": "Network activity", "comment": "Suspected BatLoader Domains Registered in February 2023", "deleted": false, "disable_correlation": false, "timestamp": "1679316631", "to_ids": true, "type": "domain", "uuid": "58971541-b286-4a13-a6e5-b7567c4db9dd", "value": "zoomvideor.com" },
      { "category": "Network activity", "comment": "Suspected BatLoader Domains Registered in February 2023", "deleted": false, "disable_correlation": false, "timestamp": "1679316631", "to_ids": true, "type": "domain", "uuid": "8e535007-62fc-4cd0-8fd7-7365c6fdc5ac", "value": "adobe-l.com" },
      { "category": "Network activity", "comment": "Suspected BatLoader Domains Registered in February 2023", "deleted": false, "disable_correlation": false, "timestamp": "1679316631", "to_ids": true, "type": "domain", "uuid": "3e0017b3-b1f3-4905-81a3-fdd887289f67", "value": "freecad-l.com" },
      { "category": "Network activity", "comment": "Suspected BatLoader Domains Registered in February 2023", "deleted": false, "disable_correlation": false, "timestamp": "1679316631", "to_ids": true, "type": "domain", "uuid": "ce56e498-c2c3-4f31-9201-f6da1ca3aeea", "value": "microso-t.com" },
      { "category": "Network activity", "comment": "Suspected BatLoader Domains Registered in February 2023", "deleted": false, "disable_correlation": false, "timestamp": "1679316631", "to_ids": true, "type": "domain", "uuid": "7467cb77-71c0-49b2-9a9f-4f5325c348b0", "value": "spotify-uss.com" },
      { "category": "Network activity", "comment": "Suspected BatLoader Domains Registered in February 2023", "deleted": false, "disable_correlation": false, "timestamp": "1679316631", "to_ids": true, "type": "domain", "uuid": "4f28a958-a1be-4ab9-b124-4fa26816a1d4", "value": "quickbooks-q.com" },
      { "category": "Network activity", "comment": "Suspected BatLoader Domains Registered in February 2023", "deleted": false, "disable_correlation": false, "timestamp": "1679316631", "to_ids": true, "type": "domain", "uuid": "952ed163-c947-4f3b-a0b4-066f22a5c101", "value": "java-s.com" },
      { "category": "Network activity", "comment": "Suspected BatLoader Domains Registered in February 2023", "deleted": false, "disable_correlation": false, "timestamp": "1679316631", "to_ids": true, "type": "domain", "uuid": "f0dc8e12-f0c3-4b0a-bf2d-8fb3a4992df4", "value": "adobe-e.com" },
      { "category": "Network activity", "comment": "Suspected BatLoader Domains Registered in February 2023", "deleted": false, "disable_correlation": false, "timestamp": "1679316631", "to_ids": true, "type": "domain", "uuid": "43b0d274-b672-4f39-ad1e-7dbd58d2f139", "value": "anydesk-o.com" },
      { "category": "Network activity", "comment": "Suspected BatLoader Domains Registered in February 2023", "deleted": false, "disable_correlation": false, "timestamp": "1679316631", "to_ids": true, "type": "domain", "uuid": "640f8681-54dd-4c8c-b730-fddcaab4d6f6", "value": "anydesk-r.com" },
      { "category": "Network activity", "comment": "Suspected BatLoader Domains Registered in February 2023", "deleted": false, "disable_correlation": false, "timestamp": "1679316631", "to_ids": true, "type": "domain", "uuid": "810fc6a1-2b6c-4208-853a-02a10a0d5b70", "value": "java-r.com" },
      { "category": "Network activity", "comment": "Suspected BatLoader Domains Registered in February 2023", "deleted": false, "disable_correlation": false, "timestamp": "1679316631", "to_ids": true, "type": "domain", "uuid": "695d965e-ceb1-45a6-bf6b-d4ebb42706f8", "value": "tableau-r.com" },
      { "category": "Network activity", "comment": "Suspected BatLoader Domains Registered in February 2023", "deleted": false, "disable_correlation": false, "timestamp": "1679316631", "to_ids": true, "type": "domain", "uuid": "a2e5977a-53c8-40ce-9843-32a336b560b1", "value": "java-a.com" },
      { "category": "Network activity", "comment": "Suspected BatLoader Domains Registered in February 2023", "deleted": false, "disable_correlation": false, "timestamp": "1679316631", "to_ids": true, "type": "domain", "uuid": "a70561bf-d266-4235-83af-29a5a001d50a", "value": "basecamp-a.com" },
      { "category": "Network activity", "comment": "Suspected BatLoader Domains Registered in February 2023", "deleted": false, "disable_correlation": false, "timestamp": "1679316631", "to_ids": true, "type": "domain", "uuid": "280b98dc-3009-41dc-907f-65ab2421cb16", "value": "adobe-a.com" },
      { "category": "Network activity", "comment": "Suspected BatLoader Domains Registered in February 2023", "deleted": false, "disable_correlation": false, "timestamp": "1679316631", "to_ids": true, "type": "domain", "uuid": "744a2a1e-dd30-49e8-a496-1d0f759f1498", "value": "visualstudio-t.com" },
      { "category": "Network activity", "comment": "Suspected BatLoader Domains Registered in February 2023", "deleted": false, "disable_correlation": false, "timestamp": "1679316631", "to_ids": true, "type": "domain", "uuid": "cdd393cc-9a65-48b1-8644-65d98444c209", "value": "openoffice-a.com" },
      { "category": "Network activity", "comment": "Suspected BatLoader Domains Registered in February 2023", "deleted": false, "disable_correlation": false, "timestamp": "1679316631", "to_ids": true, "type": "domain", "uuid": "c834b1ec-e4e4-4623-91db-837edfcd893d", "value": "bitwarden-t.com" },
      { "category": "Network activity", "comment": "Suspected BatLoader Domains Registered in February 2023", "deleted": false, "disable_correlation": false, "timestamp": "1679316631", "to_ids": true, "type": "domain", "uuid": "db709a22-984a-4b53-9831-10d85e6ea1a5", "value": "gimp-t.com" }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "An annotation object allowing analysts to add annotations, comments, executive summary to a MISP event, objects or attributes.",
        "meta-category": "misc",
        "name": "annotation",
        "template_uuid": "5d8dc046-15a1-4ca3-a09f-ed4ede7c4487",
        "template_version": "3",
        "timestamp": "1679493556",
        "uuid": "807dc88d-0d30-4690-ac1d-a131192f1d13",
        "Attribute": [
          { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ref", "timestamp": "1679316932", "to_ids": false, "type": "link", "uuid": "2e97d257-caca-44fd-bf45-bad80fb8e9eb", "value": "https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif" },
          { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "text", "timestamp": "1679493556", "to_ids": false, "type": "text", "uuid": "014060f6-c423-46e3-abf2-242e69470f8a", "value": "In December, we published a summary of BatLoader activity whereby Google Search Ads were used to impersonate software such as WinRAR to deliver malicious Windows Installer files. The installer files contained custom action commands which used PowerShell to download and execute payloads (Redline Stealer, Ursnif, etc.) hosted on legitimate websites.\r\n\r\nThroughout February 2023, TRU has observed a series of newly registered websites impersonating various applications and brands. Included among these are:\r\n\r\nChatGPT (chatgpt-t[.]com)\r\nZoom (zoomvideor[.]com)\r\nSpotify (spotify-uss[.]com)\r\nTableau (tableau-r[.]com)\r\nAdobe (adobe-l[.]com)\r\nIn addition to comparable domain registration attributes, these websites tend to follow a similar naming convention where one or more characters are appended to the impersonated brand name (e.g., adobe-l[.]com vs adobe.com). These sites were used to host imposter download pages and all likely stem from malicious advertisements on Google Search Ads. A more complete list can be found at the end of this post.\r\n\r\nBatLoader continues to see changes and improvement since it first emerged in 2022. Recent samples analyzed by TRU utilize Windows Installer files masquerading as the above applications to launch embedded Python scripts." },
          { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "type", "timestamp": "1679316932", "to_ids": false, "type": "text", "uuid": "4696fac5-5ed8-4123-9079-c8f1ab35ac67", "value": "Introduction" }
        ]
      }
    ]
  }
}
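Added example, not part of the MISP event above or of the eSentire post it references: a small consumer for an event in this format that (1) pulls out the attributes flagged `to_ids` (including those nested in MISP objects) so only detection-grade indicators reach a blocklist, and (2) scores each domain against the naming convention the annotation describes, where one or more characters are appended to, or one character is altered in, an impersonated brand name. The sample event is a constructed subset of the page's own attributes; the `BRANDS` list, the suffix and edit-distance thresholds, and all function names are assumptions of this example.

```python
"""Consume a MISP event and flag brand-append lookalike domains.

Added example: not the event's or the blog's code. The event below is a
constructed subset of the attributes on the page; BRANDS is an assumption.
"""
import json
import re

# Constructed subset of the event above (same values, fewer records).
SAMPLE_EVENT = json.loads(r'''
{"Event": {"uuid": "196cf336-896a-4cc1-9aa9-3480ecd9cf27",
 "Attribute": [
  {"type": "md5", "to_ids": true, "deleted": false, "comment": "AdobeSetup.msi (BatLoader)",
   "value": "11ae3dabdb2d2458da43558f36114acb"},
  {"type": "domain", "to_ids": true, "deleted": false, "comment": "BatLoader C2", "value": "pixelarmada.su"},
  {"type": "domain", "to_ids": false, "deleted": false, "comment": "", "value": "iujdhsndjfks.ru"},
  {"type": "domain", "to_ids": true, "deleted": false,
   "comment": "Suspected BatLoader Domains Registered in February 2023", "value": "chatgpt-t.com"},
  {"type": "domain", "to_ids": true, "deleted": false,
   "comment": "Suspected BatLoader Domains Registered in February 2023", "value": "microso-t.com"},
  {"type": "domain", "to_ids": true, "deleted": false,
   "comment": "Suspected BatLoader Domains Registered in February 2023", "value": "zoomvideor.com"}
 ],
 "Object": [{"name": "annotation", "Attribute": [
  {"type": "link", "to_ids": false, "deleted": false, "object_relation": "ref",
   "value": "https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif"}
 ]}]}}
''')

# Assumed brand list; in practice this comes from your own watch list.
BRANDS = ("adobe", "anydesk", "chatgpt", "java", "microsoft", "spotify", "zoom")


def ids_indicators(event: dict) -> dict[str, list[str]]:
    """Group every live attribute with to_ids=true by MISP type.

    Walks both top-level attributes and attributes nested in objects; skips
    deleted attributes and anything the analyst left to_ids=false.
    """
    ev = event["Event"]
    attrs = list(ev.get("Attribute", []))
    for obj in ev.get("Object", []):
        attrs.extend(obj.get("Attribute", []))
    out: dict[str, list[str]] = {}
    for a in attrs:
        if a.get("to_ids") and not a.get("deleted", False):
            out.setdefault(a["type"], []).append(a["value"])
    return out


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_squat(domain: str, brands=BRANDS, max_suffix: int = 3, max_edits: int = 1):
    """Return the impersonated brand, or None if no brand pattern matches.

    Matches the page's convention (brand + 1..3 appended characters, e.g.
    adobe-l.com) and single-edit variants (microso-t.com). Hyphens and other
    non-alphanumerics are stripped before comparison, so the separator the
    actor uses does not matter. An exact brand label (adobe.com) is not
    flagged: that is the legitimate site or a separate lookalike class.
    """
    label = domain.lower().split(".")[0]
    core = re.sub(r"[^a-z0-9]", "", label)
    for brand in brands:
        if core == brand:
            continue
        if core.startswith(brand) and len(core) - len(brand) <= max_suffix:
            return brand
        if _edit_distance(core, brand) <= max_edits:
            return brand
    return None


def squatted_domains(event: dict, brands=BRANDS) -> dict[str, str]:
    """Map each to_ids domain in the event that matches a brand pattern to that brand."""
    return {d: b for d in ids_indicators(event).get("domain", []) if (b := brand_squat(d, brands))}


if __name__ == "__main__":
    print(ids_indicators(SAMPLE_EVENT))
    print(squatted_domains(SAMPLE_EVENT))
```

The heuristic is deliberately narrow: zoomvideor.com, which the post also lists, is not caught because its appended part is longer than three characters and it is far from "zoom" in edit distance, so treat the output as a triage hint for newly registered domains, not as a blocklist on its own. The to_ids filter matters for the same reason: the event leaves two domains (iujdhsndjfks.ru, jhgfdlkjhaoiu.su) at to_ids=false, and pushing those into a detection feed would be the analyst's call, not the parser's.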