Created 2021-07-29-IOCs-for-BazarLoader-CobaltStrike-PrintNightmare.txt

2021-07-29-IOCs-for-BazarLoader-CobaltStrike-PrintNightmare.txt

@@ -0,0 +1,81 @@
+2021-07-29 (THURSDAY) - STOLEN IMAGES EVIDENCE.ZIP --> BAZARLOADER --> COBALT STRIKE --> PRINTNIGHTMARE
+
+REFERENCE:
+
+- https://twitter.com/Unit42_Intel/status/1421117403644186629
+
+NOTES:
+
+- We have evidence of this campaign starting as early as November 2020.
+
+- This campaign previously pushed IcedID (Bokbot) malware as described here:
+  https://www.microsoft.com/security/blog/2021/04/09/investigating-a-unique-form-of-email-delivery-for-icedid-malware/
+
+- This campaign switched to from IcedID and began pushing BazarLoader in early July 2021.  Reference:
+  https://twitter.com/malware_traffic/status/1412470165179092992
+
+- We continue to see BazarLoader from this campaign followed with Cobalt Strike, which can lead to other malicious activity as seen here.
+
+CHAIN OF EVENTS:
+
+- Email --> Link --> Stolen Images Evidence.zip --> Stolen Images Evidence.js --> BazarLoader DLL --> Bazar C2 traffic --> 
+  Cobalt Strike --> follow-up malware including PrintNightmare
+
+DOWNLOADED ZIP AND EXTRACTED .JS FILE:
+
+- b2a996a9301cdb9f19dec6105880aa5530758cc29347c389de48c15728cad25d  Stolen Images Evidence.zip
+- 88d4d3f48bd23543980b70b5a78606d80c2917bfcd960991eb9a8ddf6ac58ed2  Stolen Images Evidence.js
+
+BAZARLOADER DLL:
+
+- SHA256 hash: 37065b2a4cdaec2b1a260b39738746cb45895bd6d508e7aa5e4013e94abc6196
+- Location: C:\Users\[username]\AppData\Local\Temp\miFrRGoM.dat
+- Run method: rundll32.exe [filename],StartW
+
+COBALT STRIKE BINARIES:
+
+- SHA256 hash: bab8196c3630b25a0dc1c21303881e0dc4d1f560655b7f86e6986c9eb84ae946
+- Location: C:\Users\[username]\Downloads\162_64.exe
+
+- SHA256 hash: 087153ed5bb9bb9807e37a8fd745a16a634497a842896f232ab4cfb54197ba00
+- Location: C:\Users\[username]\Downloads\162_64.dll
+- Run method: regsvr32.exe 162_64.dll
+
+POWERSHELL SCRIPT FOR PRINTNIGHTMARE:
+
+- SHA256 hash: a1e737140c474872759add27ef45f0d9772fcb32c48aabd82d6d4055ccbfafb9
+- Location: C:\Users\[username]\Downloads\1675.ps1
+
+OTHER FILES MALICIOUS FILES:
+
+- SHA256 hash: 51ddba2bfdccb9ae4e640ae2fa67594e51cc4303a2e8cefe5afde33cc2a37976
+- Location: C:\Users\[username]\Downloads\starterO.exe
+
+- SHA256 hash: b3af3e97b503df85ee940044eb64ad482698bde256feee054d97879eac53780b
+- Location: C:\Users\[username]\Downloads\starterOF.exe
+
+TRAFFIC GENERATED BY STOLEN IMAGES EVIDENCE.JS:
+
+- 172.67.181[.]157 port 80 - munardis[.]space - GET /222g100/index.php HTTP/1.1
+- 172.67.181[.]157 port 80 - munardis[.]space - GET /222g100/main.php HTTP/1.1
+
+BAZAR C2 TRAFFIC:
+
+- hxxps://195.123.233[.]106/anchor/south
+- hxxps://13.52.241[.]196/anchor/south
+
+COBALT STRIKE TRAFFIC:
+
+- 31.14.40[.]172 port 443 - postformt[.]com - Client Hello (HTTPS traffic)
+- 162.244.80[.]46 port 80 - loikdo[.]com - GET /components/mt.ico HTTP/1.1 
+- 162.244.80[.]46 port 80 - loikdo[.]com - GET /copyright.js?terms=false HTTP/1.1 
+- 162.244.80[.]46 port 80 - loikdo[.]com - POST /xmlconnect HTTP/1.1  (text/plain)
+
+NOTES:
+
+- postformt[.]com reported as Cobalt Stike by @mojoesec on 2021-07-20 at:
+  https://twitter.com/mojoesec/status/1417574273988931585
+
+- loikdo[.]com reported as Cobalt Stike by @mojoesec on 2021-07-29 at:
+  https://twitter.com/bryceabdo/status/1420839047426084869
+  But HTTP traffic patterns also indicate this is Cobalt Strike.