{
  "type": "Domain",
  "indicator": "adobe-l.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/adobe-l.com",
    "alexa": "http://www.alexa.com/siteinfo/adobe-l.com",
    "indicator": "adobe-l.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3641349904,
      "indicator": "adobe-l.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 11,
      "pulses": [
        {
          "id": "64120540266ef796a2e11277",
          "name": "BatLoader Continues to Abuse Google Search Ads",
          "description": "In December, eSentire published a summary of BatLoader activity whereby Google Search Ads were used to impersonate software such as WinRAR to deliver malicious Windows Installer files. The installer files contained custom action commands which used PowerShell to download and execute payloads (Redline Stealer, Ursnif, etc.) hosted on legitimate websites.",
          "modified": "2023-03-15T17:49:51.119000",
          "created": "2023-03-15T17:49:51.119000",
          "tags": [
            "Cobalt Strike",
            "Redline",
            "SystemBC",
            "Vidar",
            "Ursnif",
            "BatLoader"
          ],
          "references": [
            "https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "BatLoader",
              "display_name": "BatLoader",
              "target": null
            },
            {
              "id": "SystemBC",
              "display_name": "SystemBC",
              "target": null
            },
            {
              "id": "Redline",
              "display_name": "Redline",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Vidar",
              "display_name": "Vidar",
              "target": null
            },
            {
              "id": "Ursnif",
              "display_name": "Ursnif",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1199",
              "name": "Trusted Relationship",
              "display_name": "T1199 - Trusted Relationship"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 364,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 29,
            "URL": 1,
            "CVE": 1,
            "FileHash-MD5": 5,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1
          },
          "indicator_count": 38,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 387087,
          "modified_text": "1175 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "64092903c877b69476532234",
          "name": "URLHaus data - 08-03-2023",
          "description": "",
          "modified": "2023-04-13T13:11:17.014000",
          "created": "2023-03-09T00:32:03.432000",
          "tags": [
            "32-bit",
            "elf",
            "mips",
            "Mozi",
            "mirai",
            "hajime",
            "arm",
            "7ffafcc236a0e41da928b164908364fa",
            "Richiesta_di_preventivo_070323.vbs",
            "Amadey",
            "dropped-by-PrivateLoader",
            "RedLine",
            "exe",
            "Loki",
            "opendir",
            "AgentTesla",
            "rat",
            "RemcosRAT",
            "RedLineStealer",
            "dll",
            "RecordBreaker",
            "encrypted",
            "Rhadamanthys",
            "Stealc",
            "1234",
            "Password-protected",
            "rar",
            "zip",
            "2022",
            "1231",
            "Vidar",
            "e4",
            "emotet",
            "epoch4",
            "heodo",
            "ddos",
            "njRAT",
            "AuroraStealer",
            "botnet",
            "trojan",
            "DDoS Bot",
            "Adobe Acrobat Reader",
            "batloader",
            "msi",
            "Pinesville Ltd",
            "Malvertising",
            "x86-32",
            "32",
            "intel",
            "64",
            "PowerPC",
            "sparc",
            "shellscript",
            "motorola",
            "renesas",
            "tar",
            "sh",
            "Specter",
            "Formbook",
            "vjw0rm",
            "agenziaentrate",
            "Gozi",
            "ITA",
            "MEF",
            "MISE",
            "ursnif",
            "doc",
            "msil",
            "stealer",
            "gafgyt",
            "bashlite",
            "geofenced",
            "ISFB",
            "162-55-188-117",
            "7z",
            "FakeRuneTeller",
            "PureLand",
            "pw pureland",
            "pw pureland2023",
            "193-168-141-107",
            "macOS",
            "pkg",
            "ascii"
          ],
          "references": [
            "https://urlhaus.abuse.ch/browse/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 998,
            "domain": 37,
            "hostname": 29
          },
          "indicator_count": 1064,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1626,
          "modified_text": "1146 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "640ee316c2bada8ce092da7e",
          "name": "Threat Intel Report - W11-2023",
          "description": "This is a cyber-advisory document presenting compiled cyber threat intelligence sourced from various channels and tools.\nThese are weekly recommendations for IT administrators and CISOs to take corrective action and harden their security infrastructure against the threats and attacks newly identified this week.\nSecurity is a continuous process and must be reviewed and audited continuously, through manual or automated tools.\nThese details may be used as an additional layer to verify an organization's current security posture against the latest cyber threat trends.",
          "modified": "2023-04-12T08:01:25.791000",
          "created": "2023-03-13T08:47:18.159000",
          "tags": [],
          "references": [
            "https://www.spamcop.net/",
            "https://www.cvedetails.com/vulnerability-list/year-2019/vulnerabilities.html",
            "https://www.silobreaker.com/category/threat-reports/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "aa00643640@techmahindra.com",
            "id": "156540",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 62,
            "FileHash-MD5": 15,
            "FileHash-SHA1": 13,
            "FileHash-SHA256": 65,
            "CVE": 5,
            "URL": 142,
            "domain": 124
          },
          "indicator_count": 426,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 107,
          "modified_text": "1148 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6412e42fd30aa205c9e293fd",
          "name": "BatLoader Continues to Abuse Google Search Ads",
          "description": "",
          "modified": "2023-03-16T09:41:03.078000",
          "created": "2023-03-16T09:41:03.078000",
          "tags": [
            "Cobalt Strike",
            "Redline",
            "SystemBC",
            "Vidar",
            "Ursnif",
            "BatLoader"
          ],
          "references": [
            "https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "BatLoader",
              "display_name": "BatLoader",
              "target": null
            },
            {
              "id": "SystemBC",
              "display_name": "SystemBC",
              "target": null
            },
            {
              "id": "Redline",
              "display_name": "Redline",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Vidar",
              "display_name": "Vidar",
              "target": null
            },
            {
              "id": "Ursnif",
              "display_name": "Ursnif",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1199",
              "name": "Trusted Relationship",
              "display_name": "T1199 - Trusted Relationship"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "64120540266ef796a2e11277",
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "santravault1",
            "id": "217419",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_217419/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 29,
            "URL": 1,
            "CVE": 1,
            "FileHash-MD5": 5,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1
          },
          "indicator_count": 38,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 76,
          "modified_text": "1175 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6411b23a11d255759f0d28f4",
          "name": "BatLoader Continues to Abuse Google Search Ads to Deliver Vidar Stealer and Ursnif",
          "description": "",
          "modified": "2023-03-15T11:55:38.546000",
          "created": "2023-03-15T11:55:38.546000",
          "tags": [
            "ursnif",
            "vidar",
            "cobalt strike",
            "redline",
            "systembc",
            "batloader",
            "python",
            "threat response",
            "unit",
            "google search",
            "endpoint",
            "figure",
            "february",
            "powershell",
            "redline stealer",
            "cyber",
            "winrar",
            "loader",
            "defender",
            "anydesk"
          ],
          "references": [
            "https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "BatLoader",
              "display_name": "BatLoader",
              "target": null
            },
            {
              "id": "SystemBC",
              "display_name": "SystemBC",
              "target": null
            },
            {
              "id": "Redline",
              "display_name": "Redline",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Vidar",
              "display_name": "Vidar",
              "target": null
            },
            {
              "id": "Ursnif",
              "display_name": "Ursnif",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1199",
              "name": "Trusted Relationship",
              "display_name": "T1199 - Trusted Relationship"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "641171874e8a881f58896228",
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 29,
            "URL": 1,
            "CVE": 1,
            "FileHash-MD5": 5,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1
          },
          "indicator_count": 38,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 277,
          "modified_text": "1176 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "641171874e8a881f58896228",
          "name": "eSentire | BatLoader Continues to Abuse Google Search Ads to Deliver\u2026",
          "description": "",
          "modified": "2023-03-15T07:19:35.183000",
          "created": "2023-03-15T07:19:35.183000",
          "tags": [
            "ursnif",
            "vidar",
            "cobalt strike",
            "redline",
            "systembc",
            "batloader",
            "python",
            "threat response",
            "unit",
            "google search",
            "endpoint",
            "figure",
            "february",
            "powershell",
            "redline stealer",
            "cyber",
            "winrar",
            "loader",
            "defender",
            "anydesk"
          ],
          "references": [
            "https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "BatLoader",
              "display_name": "BatLoader",
              "target": null
            },
            {
              "id": "SystemBC",
              "display_name": "SystemBC",
              "target": null
            },
            {
              "id": "Redline",
              "display_name": "Redline",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Vidar",
              "display_name": "Vidar",
              "target": null
            },
            {
              "id": "Ursnif",
              "display_name": "Ursnif",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1199",
              "name": "Trusted Relationship",
              "display_name": "T1199 - Trusted Relationship"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "640f276183184b41fd5f5be1",
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "tr2222200",
            "id": "207905",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 29,
            "URL": 1,
            "CVE": 1,
            "FileHash-MD5": 5,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1
          },
          "indicator_count": 38,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 186,
          "modified_text": "1176 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "64105ac0f91bd73a914680b2",
          "name": "BatLoader Uses Google Search Ads to Deliver Vidar Stealer and Ursnif",
          "description": "The malware downloader known as BATLOADER has been observed abusing Google Ads to deliver secondary payloads such as Vidar Stealer\nand Ursnif. These malicious ads spoof a wide range of legitimate apps and services such as Adobe, OpenAI's ChatGPT, \nSpotify, Tableau and Zoom.\n\nThe key trait of BATLOADER operations is the use of software impersonation for malware delivery. The operators set up \nlookalike websites that host Windows installer files masquerading as legitimate apps, then place malicious ads so they appear \nat the top of Google search results for certain search terms; the infection sequence is triggered when a user searching \nfor the software clicks the rogue ad on the results page.\n\n\nBATLOADER impersonates the popular applications mentioned above. These applications are commonly found \nin business networks and thus yield more valuable footholds for monetization via fraud or hands-on-keyboard \nintrusions.",
          "modified": "2023-03-14T11:30:08.837000",
          "created": "2023-03-14T11:30:08.837000",
          "tags": [
            "ursnif",
            "vidar",
            "cobalt strike",
            "redline",
            "systembc",
            "batloader",
            "python",
            "threat response",
            "unit",
            "google search",
            "endpoint",
            "figure",
            "february",
            "powershell",
            "redline stealer",
            "cyber",
            "winrar",
            "loader",
            "defender",
            "anydesk"
          ],
          "references": [
            "https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "BatLoader",
              "display_name": "BatLoader",
              "target": null
            },
            {
              "id": "SystemBC",
              "display_name": "SystemBC",
              "target": null
            },
            {
              "id": "Redline",
              "display_name": "Redline",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Vidar",
              "display_name": "Vidar",
              "target": null
            },
            {
              "id": "Ursnif",
              "display_name": "Ursnif",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1199",
              "name": "Trusted Relationship",
              "display_name": "T1199 - Trusted Relationship"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Superpro",
            "id": "61676",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 29,
            "URL": 1,
            "CVE": 1,
            "FileHash-MD5": 5,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1
          },
          "indicator_count": 38,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 214,
          "modified_text": "1177 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "640f7b0ca85b96b2b99e6783",
          "name": "BatLoader Continues to Abuse Google Search Ads to Deliver Vidar Stealer and Ursnif",
          "description": "The following is a full list of key findings from the Open Research Council on Open Source: www.ch.m.msi (BatLoader) on Facebook, Twitter and other social media.",
          "modified": "2023-03-13T19:35:40.389000",
          "created": "2023-03-13T19:35:40.389000",
          "tags": [
            "ursnif",
            "batloader",
            "note",
            "vidar",
            "batloader c2",
            "ursnif c2"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "issmonitor",
            "id": "5007",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 28,
            "FileHash-MD5": 5,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1
          },
          "indicator_count": 35,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 71,
          "modified_text": "1177 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "640f55b690b155315d4525ff",
          "name": "eSentire | BatLoader Continues to Abuse Google Search Ads to Deliver\u2026",
          "description": "eSentire's MDR services provide 24/7 threat hunting, end-to-end coverage, and complete response to all types of cyber attacks, but how do you do it?",
          "modified": "2023-03-13T16:56:22.475000",
          "created": "2023-03-13T16:56:22.475000",
          "tags": [
            "ursnif",
            "vidar",
            "cobalt strike",
            "redline",
            "systembc",
            "batloader",
            "python",
            "threat response",
            "unit",
            "google search",
            "endpoint",
            "figure",
            "february",
            "powershell",
            "redline stealer",
            "cyber",
            "winrar",
            "loader",
            "defender",
            "anydesk"
          ],
          "references": [
            "https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "BatLoader",
              "display_name": "BatLoader",
              "target": null
            },
            {
              "id": "SystemBC",
              "display_name": "SystemBC",
              "target": null
            },
            {
              "id": "Redline",
              "display_name": "Redline",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Vidar",
              "display_name": "Vidar",
              "target": null
            },
            {
              "id": "Ursnif",
              "display_name": "Ursnif",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1199",
              "name": "Trusted Relationship",
              "display_name": "T1199 - Trusted Relationship"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Cyber74Team",
            "id": "202637",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_202637/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 29,
            "URL": 1,
            "CVE": 1,
            "FileHash-MD5": 5,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1
          },
          "indicator_count": 38,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 164,
          "modified_text": "1177 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "640f276183184b41fd5f5be1",
          "name": "eSentire | BatLoader Continues to Abuse Google Search Ads to Deliver\u2026",
          "description": "Microsoft's eSentire MDR services provide 24/7 threat hunting, end-to-end coverage, and complete response to all types of cyber attacks, but how do you do it?",
          "modified": "2023-03-13T13:38:41.276000",
          "created": "2023-03-13T13:38:41.276000",
          "tags": [
            "ursnif",
            "vidar",
            "cobalt strike",
            "redline",
            "systembc",
            "batloader",
            "python",
            "threat response",
            "unit",
            "google search",
            "endpoint",
            "figure",
            "february",
            "powershell",
            "redline stealer",
            "cyber",
            "winrar",
            "loader",
            "defender",
            "anydesk"
          ],
          "references": [
            "https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "BatLoader",
              "display_name": "BatLoader",
              "target": null
            },
            {
              "id": "SystemBC",
              "display_name": "SystemBC",
              "target": null
            },
            {
              "id": "Redline",
              "display_name": "Redline",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Vidar",
              "display_name": "Vidar",
              "target": null
            },
            {
              "id": "Ursnif",
              "display_name": "Ursnif",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1199",
              "name": "Trusted Relationship",
              "display_name": "T1199 - Trusted Relationship"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 29,
            "URL": 1,
            "CVE": 1,
            "FileHash-MD5": 5,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1
          },
          "indicator_count": 38,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 862,
          "modified_text": "1177 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "640ef097cbb9d49b192e1bb8",
          "name": "eSentire | BatLoader Continues to Abuse Google Search Ads to Deliver\u2026",
          "description": "Microsoft's eSentire MDR services provide 24/7 threat hunting, end-to-end coverage, and complete response to all types of cyber attacks, but how do you do it?",
          "modified": "2023-03-13T09:44:55.659000",
          "created": "2023-03-13T09:44:55.659000",
          "tags": [
            "ursnif",
            "vidar",
            "cobalt strike",
            "redline",
            "systembc",
            "batloader",
            "python",
            "threat response",
            "unit",
            "google search",
            "endpoint",
            "figure",
            "february",
            "powershell",
            "redline stealer",
            "cyber",
            "winrar",
            "loader",
            "defender",
            "anydesk"
          ],
          "references": [
            "https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif",
            "https://thehackernews.com/2023/03/batloader-malware-uses-google-ads-to.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "BatLoader",
              "display_name": "BatLoader",
              "target": null
            },
            {
              "id": "SystemBC",
              "display_name": "SystemBC",
              "target": null
            },
            {
              "id": "Redline",
              "display_name": "Redline",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Vidar",
              "display_name": "Vidar",
              "target": null
            },
            {
              "id": "Ursnif",
              "display_name": "Ursnif",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1199",
              "name": "Trusted Relationship",
              "display_name": "T1199 - Trusted Relationship"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "jeffchandy",
            "id": "215558",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_215558/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 29,
            "URL": 1,
            "CVE": 1,
            "FileHash-MD5": 5,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1
          },
          "indicator_count": 38,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 54,
          "modified_text": "1178 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://thehackernews.com/2023/03/batloader-malware-uses-google-ads-to.html",
        "https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif",
        "https://www.silobreaker.com/category/threat-reports/",
        "https://www.spamcop.net/",
        "https://urlhaus.abuse.ch/browse/",
        "https://www.cvedetails.com/vulnerability-list/year-2019/vulnerabilities.html"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [
            "Systembc",
            "Batloader",
            "Ursnif",
            "Redline",
            "Vidar",
            "Cobalt strike"
          ],
          "industries": []
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Systembc",
            "Batloader",
            "Ursnif",
            "Redline",
            "Vidar",
            "Cobalt strike"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 11,
  "pulses": [
    {
      "id": "64120540266ef796a2e11277",
      "name": "BatLoader Continues to Abuse Google Search Ads",
      "description": "In December, Microsoft's eSentire published a summary of BatLoader activity whereby Google Search Ads were used to impersonate software such as WinRAR to deliver malicious Windows Installer files. The installer files contained custom action commands which used PowerShell to download and execute payloads (Redline Stealer, Ursnif, etc.) hosted on legitimate websites.",
      "modified": "2023-03-15T17:49:51.119000",
      "created": "2023-03-15T17:49:51.119000",
      "tags": [
        "Cobalt Strike",
        "Redline",
        "SystemBC",
        "Vidar",
        "Ursnif",
        "BatLoader"
      ],
      "references": [
        "https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "BatLoader",
          "display_name": "BatLoader",
          "target": null
        },
        {
          "id": "SystemBC",
          "display_name": "SystemBC",
          "target": null
        },
        {
          "id": "Redline",
          "display_name": "Redline",
          "target": null
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        },
        {
          "id": "Vidar",
          "display_name": "Vidar",
          "target": null
        },
        {
          "id": "Ursnif",
          "display_name": "Ursnif",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1199",
          "name": "Trusted Relationship",
          "display_name": "T1199 - Trusted Relationship"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 364,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 29,
        "URL": 1,
        "CVE": 1,
        "FileHash-MD5": 5,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 1
      },
      "indicator_count": 38,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 387087,
      "modified_text": "1175 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "64092903c877b69476532234",
      "name": "URLHaus data - 08-03-2023",
      "description": "",
      "modified": "2023-04-13T13:11:17.014000",
      "created": "2023-03-09T00:32:03.432000",
      "tags": [
        "32-bit",
        "elf",
        "mips",
        "Mozi",
        "mirai",
        "hajime",
        "arm",
        "7ffafcc236a0e41da928b164908364fa",
        "Richiesta_di_preventivo_070323.vbs",
        "Amadey",
        "dropped-by-PrivateLoader",
        "RedLine",
        "exe",
        "Loki",
        "opendir",
        "AgentTesla",
        "rat",
        "RemcosRAT",
        "RedLineStealer",
        "dll",
        "RecordBreaker",
        "encrypted",
        "Rhadamanthys",
        "Stealc",
        "1234",
        "Password-protected",
        "rar",
        "zip",
        "2022",
        "1231",
        "Vidar",
        "e4",
        "emotet",
        "epoch4",
        "heodo",
        "ddos",
        "njRAT",
        "AuroraStealer",
        "botnet",
        "trojan",
        "DDoS Bot",
        "Adobe Acrobat Reader",
        "batloader",
        "msi",
        "Pinesville Ltd",
        "Malvertising",
        "x86-32",
        "32",
        "intel",
        "64",
        "PowerPC",
        "sparc",
        "shellscript",
        "motorola",
        "renesas",
        "tar",
        "sh",
        "Specter",
        "Formbook",
        "vjw0rm",
        "agenziaentrate",
        "Gozi",
        "ITA",
        "MEF",
        "MISE",
        "ursnif",
        "doc",
        "msil",
        "stealer",
        "gafgyt",
        "bashlite",
        "geofenced",
        "ISFB",
        "162-55-188-117",
        "7z",
        "FakeRuneTeller",
        "PureLand",
        "pw pureland",
        "pw pureland2023",
        "193-168-141-107",
        "macOS",
        "pkg",
        "ascii"
      ],
      "references": [
        "https://urlhaus.abuse.ch/browse/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 7,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunterAutoFeed",
        "id": "182496",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 998,
        "domain": 37,
        "hostname": 29
      },
      "indicator_count": 1064,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1626,
      "modified_text": "1146 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "640ee316c2bada8ce092da7e",
      "name": "Threat Intel Report - W11-2023",
      "description": "This is a cyber-advisory document presenting compiled cyber threat intelligence sourced from various channels and tools.\nThese are weekly recommendations to IT Administrators and CISOs to take corrective action and harden their security infrastructure against the threats and attacks newly identified this week.\nSecurity is a continuous process; it has to be reviewed and audited continuously, through manual or automated tools.\nThese details may be used as an additional layer to verify an organization's current security posture against the latest cyber trends.",
      "modified": "2023-04-12T08:01:25.791000",
      "created": "2023-03-13T08:47:18.159000",
      "tags": [],
      "references": [
        "https://www.spamcop.net/",
        "https://www.cvedetails.com/vulnerability-list/year-2019/vulnerabilities.html",
        "https://www.silobreaker.com/category/threat-reports/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "aa00643640@techmahindra.com",
        "id": "156540",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 62,
        "FileHash-MD5": 15,
        "FileHash-SHA1": 13,
        "FileHash-SHA256": 65,
        "CVE": 5,
        "URL": 142,
        "domain": 124
      },
      "indicator_count": 426,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 107,
      "modified_text": "1148 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6412e42fd30aa205c9e293fd",
      "name": "BatLoader Continues to Abuse Google Search Ads",
      "description": "",
      "modified": "2023-03-16T09:41:03.078000",
      "created": "2023-03-16T09:41:03.078000",
      "tags": [
        "Cobalt Strike",
        "Redline",
        "SystemBC",
        "Vidar",
        "Ursnif",
        "BatLoader"
      ],
      "references": [
        "https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "BatLoader",
          "display_name": "BatLoader",
          "target": null
        },
        {
          "id": "SystemBC",
          "display_name": "SystemBC",
          "target": null
        },
        {
          "id": "Redline",
          "display_name": "Redline",
          "target": null
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        },
        {
          "id": "Vidar",
          "display_name": "Vidar",
          "target": null
        },
        {
          "id": "Ursnif",
          "display_name": "Ursnif",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1199",
          "name": "Trusted Relationship",
          "display_name": "T1199 - Trusted Relationship"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "64120540266ef796a2e11277",
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "santravault1",
        "id": "217419",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_217419/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 29,
        "URL": 1,
        "CVE": 1,
        "FileHash-MD5": 5,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 1
      },
      "indicator_count": 38,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 76,
      "modified_text": "1175 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6411b23a11d255759f0d28f4",
      "name": "BatLoader Continues to Abuse Google Search Ads to Deliver Vidar Stealer and Ursnif",
      "description": "",
      "modified": "2023-03-15T11:55:38.546000",
      "created": "2023-03-15T11:55:38.546000",
      "tags": [
        "ursnif",
        "vidar",
        "cobalt strike",
        "redline",
        "systembc",
        "batloader",
        "python",
        "threat response",
        "unit",
        "google search",
        "endpoint",
        "figure",
        "february",
        "powershell",
        "redline stealer",
        "cyber",
        "winrar",
        "loader",
        "defender",
        "anydesk"
      ],
      "references": [
        "https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "BatLoader",
          "display_name": "BatLoader",
          "target": null
        },
        {
          "id": "SystemBC",
          "display_name": "SystemBC",
          "target": null
        },
        {
          "id": "Redline",
          "display_name": "Redline",
          "target": null
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        },
        {
          "id": "Vidar",
          "display_name": "Vidar",
          "target": null
        },
        {
          "id": "Ursnif",
          "display_name": "Ursnif",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1199",
          "name": "Trusted Relationship",
          "display_name": "T1199 - Trusted Relationship"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "641171874e8a881f58896228",
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 29,
        "URL": 1,
        "CVE": 1,
        "FileHash-MD5": 5,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 1
      },
      "indicator_count": 38,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 277,
      "modified_text": "1176 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "641171874e8a881f58896228",
      "name": "eSentire | BatLoader Continues to Abuse Google Search Ads to Deliver\u2026",
      "description": "",
      "modified": "2023-03-15T07:19:35.183000",
      "created": "2023-03-15T07:19:35.183000",
      "tags": [
        "ursnif",
        "vidar",
        "cobalt strike",
        "redline",
        "systembc",
        "batloader",
        "python",
        "threat response",
        "unit",
        "google search",
        "endpoint",
        "figure",
        "february",
        "powershell",
        "redline stealer",
        "cyber",
        "winrar",
        "loader",
        "defender",
        "anydesk"
      ],
      "references": [
        "https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "BatLoader",
          "display_name": "BatLoader",
          "target": null
        },
        {
          "id": "SystemBC",
          "display_name": "SystemBC",
          "target": null
        },
        {
          "id": "Redline",
          "display_name": "Redline",
          "target": null
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        },
        {
          "id": "Vidar",
          "display_name": "Vidar",
          "target": null
        },
        {
          "id": "Ursnif",
          "display_name": "Ursnif",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1199",
          "name": "Trusted Relationship",
          "display_name": "T1199 - Trusted Relationship"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "640f276183184b41fd5f5be1",
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "tr2222200",
        "id": "207905",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 29,
        "URL": 1,
        "CVE": 1,
        "FileHash-MD5": 5,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 1
      },
      "indicator_count": 38,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 186,
      "modified_text": "1176 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "64105ac0f91bd73a914680b2",
      "name": "BatLoader Uses Google Search Ads to Deliver Vidar Stealer and Ursnif",
      "description": "The malware downloader known as BATLOADER has been observed abusing Google Ads to deliver secondary payloads like Vidar Stealer\nand Ursnif. These malicious ads are used to spoof a wide range of legitimate apps and services such as Adobe, OpenAI's ChatGPT, \nSpotify, Tableau and Zoom.\n\nThe key trait of the BATLOADER operations is the use of software impersonation tactics for malware delivery. This is achieved \nby setting up lookalike websites that host Windows installer files masquerading as legitimate apps, and by placing malicious ads \nat the top of Google search results for certain search terms; the infection sequence is triggered when a user searching \nfor the software clicks a rogue ad on the Google search results page.\n\n\nBATLOADER targets various popular applications for impersonation, as mentioned above. These applications are commonly found \nin business networks and thus would yield more valuable footholds for monetization via fraud or hands-on-keyboard \nintrusions.",
      "modified": "2023-03-14T11:30:08.837000",
      "created": "2023-03-14T11:30:08.837000",
      "tags": [
        "ursnif",
        "vidar",
        "cobalt strike",
        "redline",
        "systembc",
        "batloader",
        "python",
        "threat response",
        "unit",
        "google search",
        "endpoint",
        "figure",
        "february",
        "powershell",
        "redline stealer",
        "cyber",
        "winrar",
        "loader",
        "defender",
        "anydesk"
      ],
      "references": [
        "https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "BatLoader",
          "display_name": "BatLoader",
          "target": null
        },
        {
          "id": "SystemBC",
          "display_name": "SystemBC",
          "target": null
        },
        {
          "id": "Redline",
          "display_name": "Redline",
          "target": null
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        },
        {
          "id": "Vidar",
          "display_name": "Vidar",
          "target": null
        },
        {
          "id": "Ursnif",
          "display_name": "Ursnif",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1199",
          "name": "Trusted Relationship",
          "display_name": "T1199 - Trusted Relationship"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 8,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Superpro",
        "id": "61676",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 29,
        "URL": 1,
        "CVE": 1,
        "FileHash-MD5": 5,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 1
      },
      "indicator_count": 38,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 214,
      "modified_text": "1177 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "640f7b0ca85b96b2b99e6783",
      "name": "BatLoader Continues to Abuse Google Search Ads to Deliver Vidar Stealer and Ursnif",
      "description": "The following is a full list of key findings from the Open Research Council on Open Source: www.ch.m.msi (BatLoader) on Facebook, Twitter and other social media.",
      "modified": "2023-03-13T19:35:40.389000",
      "created": "2023-03-13T19:35:40.389000",
      "tags": [
        "ursnif",
        "batloader",
        "note",
        "vidar",
        "batloader c2",
        "ursnif c2"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "issmonitor",
        "id": "5007",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 28,
        "FileHash-MD5": 5,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 1
      },
      "indicator_count": 35,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 71,
      "modified_text": "1177 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "640f55b690b155315d4525ff",
      "name": "eSentire | BatLoader Continues to Abuse Google Search Ads to Deliver\u2026",
      "description": "Microsoft's eSentire MDR services provide 24/7 threat hunting, end-to-end coverage, and complete response to all types of cyber attacks, but how do you do it?",
      "modified": "2023-03-13T16:56:22.475000",
      "created": "2023-03-13T16:56:22.475000",
      "tags": [
        "ursnif",
        "vidar",
        "cobalt strike",
        "redline",
        "systembc",
        "batloader",
        "python",
        "threat response",
        "unit",
        "google search",
        "endpoint",
        "figure",
        "february",
        "powershell",
        "redline stealer",
        "cyber",
        "winrar",
        "loader",
        "defender",
        "anydesk"
      ],
      "references": [
        "https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "BatLoader",
          "display_name": "BatLoader",
          "target": null
        },
        {
          "id": "SystemBC",
          "display_name": "SystemBC",
          "target": null
        },
        {
          "id": "Redline",
          "display_name": "Redline",
          "target": null
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        },
        {
          "id": "Vidar",
          "display_name": "Vidar",
          "target": null
        },
        {
          "id": "Ursnif",
          "display_name": "Ursnif",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1199",
          "name": "Trusted Relationship",
          "display_name": "T1199 - Trusted Relationship"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Cyber74Team",
        "id": "202637",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_202637/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 29,
        "URL": 1,
        "CVE": 1,
        "FileHash-MD5": 5,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 1
      },
      "indicator_count": 38,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 164,
      "modified_text": "1177 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "640f276183184b41fd5f5be1",
      "name": "eSentire | BatLoader Continues to Abuse Google Search Ads to Deliver\u2026",
      "description": "Microsoft's eSentire MDR services provide 24/7 threat hunting, end-to-end coverage, and complete response to all types of cyber attacks, but how do you do it?",
      "modified": "2023-03-13T13:38:41.276000",
      "created": "2023-03-13T13:38:41.276000",
      "tags": [
        "ursnif",
        "vidar",
        "cobalt strike",
        "redline",
        "systembc",
        "batloader",
        "python",
        "threat response",
        "unit",
        "google search",
        "endpoint",
        "figure",
        "february",
        "powershell",
        "redline stealer",
        "cyber",
        "winrar",
        "loader",
        "defender",
        "anydesk"
      ],
      "references": [
        "https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "BatLoader",
          "display_name": "BatLoader",
          "target": null
        },
        {
          "id": "SystemBC",
          "display_name": "SystemBC",
          "target": null
        },
        {
          "id": "Redline",
          "display_name": "Redline",
          "target": null
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        },
        {
          "id": "Vidar",
          "display_name": "Vidar",
          "target": null
        },
        {
          "id": "Ursnif",
          "display_name": "Ursnif",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1199",
          "name": "Trusted Relationship",
          "display_name": "T1199 - Trusted Relationship"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 7,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 29,
        "URL": 1,
        "CVE": 1,
        "FileHash-MD5": 5,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 1
      },
      "indicator_count": 38,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 862,
      "modified_text": "1177 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "adobe-l.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "adobe-l.com",
    "found": true,
    "verdict": "malicious",
    "url_count": 1,
    "online_count": 0,
    "blacklists": {
      "spamhaus_dbl": "not listed",
      "surbl": "not listed"
    },
    "urls": [
      {
        "url": "https://adobe-l.com/b326b5062b2f0e69046810717534cb90.php",
        "status": "offline",
        "threat": "malware_download",
        "date_added": "2023-03-08",
        "tags": [
          "Adobe Acrobat Reader",
          "batloader",
          "Malvertising"
        ]
      }
    ],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780491507.8097682
}