BatLoader Continues to Abuse Google Search Ads
AlienVault pulse, TLP: WHITE. Created 2023-03-15, modified 2023-03-15. 38 IOCs, medium volume.
In December, Microsoft's eSentire published a summary of BatLoader activity in which Google Search Ads were used to impersonate software such as WinRAR in order to deliver malicious Windows Installer files. The installer files contained custom action commands that used PowerShell to download and execute payloads (Redline Stealer, Ursnif, etc.) hosted on legitimate websites.
MITRE ATT&CK & Malware Families
Malware families: BatLoader, SystemBC, Redline, Cobalt Strike, Vidar, Ursnif
Indicators of Compromise (38)