{
  "type": "Domain",
  "indicator": "zoomvideor.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/zoomvideor.com",
    "alexa": "http://www.alexa.com/siteinfo/zoomvideor.com",
    "indicator": "zoomvideor.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3643375380,
      "indicator": "zoomvideor.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 10,
      "pulses": [
        {
          "id": "64120540266ef796a2e11277",
          "name": "BatLoader Continues to Abuse Google Search Ads",
          "description": "In December, eSentire published a summary of BatLoader activity in which Google Search Ads were used to impersonate software such as WinRAR to deliver malicious Windows Installer files. The installer files contained custom-action commands that used PowerShell to download and execute payloads (Redline Stealer, Ursnif, etc.) hosted on legitimate websites.",
          "modified": "2023-03-15T17:49:51.119000",
          "created": "2023-03-15T17:49:51.119000",
          "tags": [
            "Cobalt Strike",
            "Redline",
            "SystemBC",
            "Vidar",
            "Ursnif",
            "BatLoader"
          ],
          "references": [
            "https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "BatLoader",
              "display_name": "BatLoader",
              "target": null
            },
            {
              "id": "SystemBC",
              "display_name": "SystemBC",
              "target": null
            },
            {
              "id": "Redline",
              "display_name": "Redline",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Vidar",
              "display_name": "Vidar",
              "target": null
            },
            {
              "id": "Ursnif",
              "display_name": "Ursnif",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1199",
              "name": "Trusted Relationship",
              "display_name": "T1199 - Trusted Relationship"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 364,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 29,
            "URL": 1,
            "CVE": 1,
            "FileHash-MD5": 5,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1
          },
          "indicator_count": 38,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 387171,
          "modified_text": "1176 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6412e42fd30aa205c9e293fd",
          "name": "BatLoader Continues to Abuse Google Search Ads",
          "description": "",
          "modified": "2023-03-16T09:41:03.078000",
          "created": "2023-03-16T09:41:03.078000",
          "tags": [
            "Cobalt Strike",
            "Redline",
            "SystemBC",
            "Vidar",
            "Ursnif",
            "BatLoader"
          ],
          "references": [
            "https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "BatLoader",
              "display_name": "BatLoader",
              "target": null
            },
            {
              "id": "SystemBC",
              "display_name": "SystemBC",
              "target": null
            },
            {
              "id": "Redline",
              "display_name": "Redline",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Vidar",
              "display_name": "Vidar",
              "target": null
            },
            {
              "id": "Ursnif",
              "display_name": "Ursnif",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1199",
              "name": "Trusted Relationship",
              "display_name": "T1199 - Trusted Relationship"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "64120540266ef796a2e11277",
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "santravault1",
            "id": "217419",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_217419/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 29,
            "URL": 1,
            "CVE": 1,
            "FileHash-MD5": 5,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1
          },
          "indicator_count": 38,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 76,
          "modified_text": "1175 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6411b23a11d255759f0d28f4",
          "name": "BatLoader Continues to Abuse Google Search Ads to Deliver Vidar Stealer and Ursnif",
          "description": "",
          "modified": "2023-03-15T11:55:38.546000",
          "created": "2023-03-15T11:55:38.546000",
          "tags": [
            "ursnif",
            "vidar",
            "cobalt strike",
            "redline",
            "systembc",
            "batloader",
            "python",
            "threat response",
            "unit",
            "google search",
            "endpoint",
            "figure",
            "february",
            "powershell",
            "redline stealer",
            "cyber",
            "winrar",
            "loader",
            "defender",
            "anydesk"
          ],
          "references": [
            "https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "BatLoader",
              "display_name": "BatLoader",
              "target": null
            },
            {
              "id": "SystemBC",
              "display_name": "SystemBC",
              "target": null
            },
            {
              "id": "Redline",
              "display_name": "Redline",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Vidar",
              "display_name": "Vidar",
              "target": null
            },
            {
              "id": "Ursnif",
              "display_name": "Ursnif",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1199",
              "name": "Trusted Relationship",
              "display_name": "T1199 - Trusted Relationship"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "641171874e8a881f58896228",
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 29,
            "URL": 1,
            "CVE": 1,
            "FileHash-MD5": 5,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1
          },
          "indicator_count": 38,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 277,
          "modified_text": "1176 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "641171874e8a881f58896228",
          "name": "eSentire | BatLoader Continues to Abuse Google Search Ads to Deliver\u2026",
          "description": "",
          "modified": "2023-03-15T07:19:35.183000",
          "created": "2023-03-15T07:19:35.183000",
          "tags": [
            "ursnif",
            "vidar",
            "cobalt strike",
            "redline",
            "systembc",
            "batloader",
            "python",
            "threat response",
            "unit",
            "google search",
            "endpoint",
            "figure",
            "february",
            "powershell",
            "redline stealer",
            "cyber",
            "winrar",
            "loader",
            "defender",
            "anydesk"
          ],
          "references": [
            "https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "BatLoader",
              "display_name": "BatLoader",
              "target": null
            },
            {
              "id": "SystemBC",
              "display_name": "SystemBC",
              "target": null
            },
            {
              "id": "Redline",
              "display_name": "Redline",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Vidar",
              "display_name": "Vidar",
              "target": null
            },
            {
              "id": "Ursnif",
              "display_name": "Ursnif",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1199",
              "name": "Trusted Relationship",
              "display_name": "T1199 - Trusted Relationship"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "640f276183184b41fd5f5be1",
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "tr2222200",
            "id": "207905",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 29,
            "URL": 1,
            "CVE": 1,
            "FileHash-MD5": 5,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1
          },
          "indicator_count": 38,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 186,
          "modified_text": "1176 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "64105ac0f91bd73a914680b2",
          "name": "BatLoader Uses Google Search Ads to Deliver Vidar Stealer and Ursnif",
          "description": "The malware downloader known as BATLOADER has been observed abusing Google Ads to deliver secondary payloads such as Vidar Stealer and Ursnif. The malicious ads spoof a wide range of legitimate apps and services, including Adobe, OpenAI's ChatGPT, Spotify, Tableau and Zoom.\n\nThe key trait of BATLOADER operations is the use of software impersonation for malware delivery. The operators place malicious ads that appear at the top of Google search results for certain software-related search terms; when a user searching for that software clicks the rogue ad, they land on a lookalike website hosting a Windows installer file that masquerades as the legitimate app, and running that installer triggers the infection sequence.\n\nBATLOADER impersonates the popular applications listed above because they are commonly found in business networks and therefore yield more valuable footholds for monetization via fraud or hands-on-keyboard intrusions.",
          "modified": "2023-03-14T11:30:08.837000",
          "created": "2023-03-14T11:30:08.837000",
          "tags": [
            "ursnif",
            "vidar",
            "cobalt strike",
            "redline",
            "systembc",
            "batloader",
            "python",
            "threat response",
            "unit",
            "google search",
            "endpoint",
            "figure",
            "february",
            "powershell",
            "redline stealer",
            "cyber",
            "winrar",
            "loader",
            "defender",
            "anydesk"
          ],
          "references": [
            "https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "BatLoader",
              "display_name": "BatLoader",
              "target": null
            },
            {
              "id": "SystemBC",
              "display_name": "SystemBC",
              "target": null
            },
            {
              "id": "Redline",
              "display_name": "Redline",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Vidar",
              "display_name": "Vidar",
              "target": null
            },
            {
              "id": "Ursnif",
              "display_name": "Ursnif",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1199",
              "name": "Trusted Relationship",
              "display_name": "T1199 - Trusted Relationship"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Superpro",
            "id": "61676",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 29,
            "URL": 1,
            "CVE": 1,
            "FileHash-MD5": 5,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1
          },
          "indicator_count": 38,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 214,
          "modified_text": "1177 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "640f7b0ca85b96b2b99e6783",
          "name": "BatLoader Continues to Abuse Google Search Ads to Deliver Vidar Stealer and Ursnif",
          "description": "The following is a full list of key findings from the Open Research Council on Open Source: www.ch.m.msi (BatLoader) on Facebook, Twitter and other social media.",
          "modified": "2023-03-13T19:35:40.389000",
          "created": "2023-03-13T19:35:40.389000",
          "tags": [
            "ursnif",
            "batloader",
            "note",
            "vidar",
            "batloader c2",
            "ursnif c2"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "issmonitor",
            "id": "5007",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 28,
            "FileHash-MD5": 5,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1
          },
          "indicator_count": 35,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 71,
          "modified_text": "1177 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "640f55b690b155315d4525ff",
          "name": "eSentire | BatLoader Continues to Abuse Google Search Ads to Deliver\u2026",
          "description": "eSentire's MDR services provide 24/7 threat hunting, end-to-end coverage, and complete response to all types of cyber attacks, but how do you do it?",
          "modified": "2023-03-13T16:56:22.475000",
          "created": "2023-03-13T16:56:22.475000",
          "tags": [
            "ursnif",
            "vidar",
            "cobalt strike",
            "redline",
            "systembc",
            "batloader",
            "python",
            "threat response",
            "unit",
            "google search",
            "endpoint",
            "figure",
            "february",
            "powershell",
            "redline stealer",
            "cyber",
            "winrar",
            "loader",
            "defender",
            "anydesk"
          ],
          "references": [
            "https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "BatLoader",
              "display_name": "BatLoader",
              "target": null
            },
            {
              "id": "SystemBC",
              "display_name": "SystemBC",
              "target": null
            },
            {
              "id": "Redline",
              "display_name": "Redline",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Vidar",
              "display_name": "Vidar",
              "target": null
            },
            {
              "id": "Ursnif",
              "display_name": "Ursnif",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1199",
              "name": "Trusted Relationship",
              "display_name": "T1199 - Trusted Relationship"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Cyber74Team",
            "id": "202637",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_202637/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 29,
            "URL": 1,
            "CVE": 1,
            "FileHash-MD5": 5,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1
          },
          "indicator_count": 38,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 164,
          "modified_text": "1178 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "640f276183184b41fd5f5be1",
          "name": "eSentire | BatLoader Continues to Abuse Google Search Ads to Deliver\u2026",
          "description": "eSentire's MDR services provide 24/7 threat hunting, end-to-end coverage, and complete response to all types of cyber attacks, but how do you do it?",
          "modified": "2023-03-13T13:38:41.276000",
          "created": "2023-03-13T13:38:41.276000",
          "tags": [
            "ursnif",
            "vidar",
            "cobalt strike",
            "redline",
            "systembc",
            "batloader",
            "python",
            "threat response",
            "unit",
            "google search",
            "endpoint",
            "figure",
            "february",
            "powershell",
            "redline stealer",
            "cyber",
            "winrar",
            "loader",
            "defender",
            "anydesk"
          ],
          "references": [
            "https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "BatLoader",
              "display_name": "BatLoader",
              "target": null
            },
            {
              "id": "SystemBC",
              "display_name": "SystemBC",
              "target": null
            },
            {
              "id": "Redline",
              "display_name": "Redline",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Vidar",
              "display_name": "Vidar",
              "target": null
            },
            {
              "id": "Ursnif",
              "display_name": "Ursnif",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1199",
              "name": "Trusted Relationship",
              "display_name": "T1199 - Trusted Relationship"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 29,
            "URL": 1,
            "CVE": 1,
            "FileHash-MD5": 5,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1
          },
          "indicator_count": 38,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 862,
          "modified_text": "1178 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "640ef097cbb9d49b192e1bb8",
          "name": "eSentire | BatLoader Continues to Abuse Google Search Ads to Deliver\u2026",
          "description": "Microsoft's eSentire MDR services provide 24/7 threat hunting, end-to-end coverage, and complete response to all types of cyber attacks, but how do you do it?",
          "modified": "2023-03-13T09:44:55.659000",
          "created": "2023-03-13T09:44:55.659000",
          "tags": [
            "ursnif",
            "vidar",
            "cobalt strike",
            "redline",
            "systembc",
            "batloader",
            "python",
            "threat response",
            "unit",
            "google search",
            "endpoint",
            "figure",
            "february",
            "powershell",
            "redline stealer",
            "cyber",
            "winrar",
            "loader",
            "defender",
            "anydesk"
          ],
          "references": [
            "https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif",
            "https://thehackernews.com/2023/03/batloader-malware-uses-google-ads-to.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "BatLoader",
              "display_name": "BatLoader",
              "target": null
            },
            {
              "id": "SystemBC",
              "display_name": "SystemBC",
              "target": null
            },
            {
              "id": "Redline",
              "display_name": "Redline",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Vidar",
              "display_name": "Vidar",
              "target": null
            },
            {
              "id": "Ursnif",
              "display_name": "Ursnif",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1199",
              "name": "Trusted Relationship",
              "display_name": "T1199 - Trusted Relationship"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "jeffchandy",
            "id": "215558",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_215558/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 29,
            "URL": 1,
            "CVE": 1,
            "FileHash-MD5": 5,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1
          },
          "indicator_count": 38,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 54,
          "modified_text": "1178 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "640d30af07962af7c78859cb",
          "name": "The BATLOADER Malware Downloader",
          "description": "",
          "modified": "2023-03-12T01:53:50.824000",
          "created": "2023-03-12T01:53:50.824000",
          "tags": [],
          "references": [
            "March 12th, 2023 - CryptoGen Cyber Threat Intelligence - The BATLOADER Malware Downloader.pdf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 27,
            "FileHash-MD5": 5,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1
          },
          "indicator_count": 34,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 500,
          "modified_text": "1179 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://thehackernews.com/2023/03/batloader-malware-uses-google-ads-to.html",
        "March 12th, 2023 - CryptoGen Cyber Threat Intelligence - The BATLOADER Malware Downloader.pdf",
        "https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [
            "Cobalt strike",
            "Vidar",
            "Batloader",
            "Systembc",
            "Ursnif",
            "Redline"
          ],
          "industries": []
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Cobalt strike",
            "Vidar",
            "Batloader",
            "Systembc",
            "Ursnif",
            "Redline"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 10,
  "pulses": [
    {
      "id": "64120540266ef796a2e11277",
      "name": "BatLoader Continues to Abuse Google Search Ads",
      "description": "In December, Microsoft's eSentire published a summary of BatLoader activity whereby Google Search Ads were used to impersonate software such as WinRAR to deliver malicious Windows Installer files. The installer files contained custom action commands which used PowerShell to download and execute payloads (Redline Stealer, Ursnif, etc.) hosted on legitimate websites.",
      "modified": "2023-03-15T17:49:51.119000",
      "created": "2023-03-15T17:49:51.119000",
      "tags": [
        "Cobalt Strike",
        "Redline",
        "SystemBC",
        "Vidar",
        "Ursnif",
        "BatLoader"
      ],
      "references": [
        "https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "BatLoader",
          "display_name": "BatLoader",
          "target": null
        },
        {
          "id": "SystemBC",
          "display_name": "SystemBC",
          "target": null
        },
        {
          "id": "Redline",
          "display_name": "Redline",
          "target": null
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        },
        {
          "id": "Vidar",
          "display_name": "Vidar",
          "target": null
        },
        {
          "id": "Ursnif",
          "display_name": "Ursnif",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1199",
          "name": "Trusted Relationship",
          "display_name": "T1199 - Trusted Relationship"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 364,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 29,
        "URL": 1,
        "CVE": 1,
        "FileHash-MD5": 5,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 1
      },
      "indicator_count": 38,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 387171,
      "modified_text": "1176 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6412e42fd30aa205c9e293fd",
      "name": "BatLoader Continues to Abuse Google Search Ads",
      "description": "",
      "modified": "2023-03-16T09:41:03.078000",
      "created": "2023-03-16T09:41:03.078000",
      "tags": [
        "Cobalt Strike",
        "Redline",
        "SystemBC",
        "Vidar",
        "Ursnif",
        "BatLoader"
      ],
      "references": [
        "https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "BatLoader",
          "display_name": "BatLoader",
          "target": null
        },
        {
          "id": "SystemBC",
          "display_name": "SystemBC",
          "target": null
        },
        {
          "id": "Redline",
          "display_name": "Redline",
          "target": null
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        },
        {
          "id": "Vidar",
          "display_name": "Vidar",
          "target": null
        },
        {
          "id": "Ursnif",
          "display_name": "Ursnif",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1199",
          "name": "Trusted Relationship",
          "display_name": "T1199 - Trusted Relationship"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "64120540266ef796a2e11277",
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "santravault1",
        "id": "217419",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_217419/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 29,
        "URL": 1,
        "CVE": 1,
        "FileHash-MD5": 5,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 1
      },
      "indicator_count": 38,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 76,
      "modified_text": "1175 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6411b23a11d255759f0d28f4",
      "name": "BatLoader Continues to Abuse Google Search Ads to Deliver Vidar Stealer and Ursnif",
      "description": "",
      "modified": "2023-03-15T11:55:38.546000",
      "created": "2023-03-15T11:55:38.546000",
      "tags": [
        "ursnif",
        "vidar",
        "cobalt strike",
        "redline",
        "systembc",
        "batloader",
        "python",
        "threat response",
        "unit",
        "google search",
        "endpoint",
        "figure",
        "february",
        "powershell",
        "redline stealer",
        "cyber",
        "winrar",
        "loader",
        "defender",
        "anydesk"
      ],
      "references": [
        "https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "BatLoader",
          "display_name": "BatLoader",
          "target": null
        },
        {
          "id": "SystemBC",
          "display_name": "SystemBC",
          "target": null
        },
        {
          "id": "Redline",
          "display_name": "Redline",
          "target": null
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        },
        {
          "id": "Vidar",
          "display_name": "Vidar",
          "target": null
        },
        {
          "id": "Ursnif",
          "display_name": "Ursnif",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1199",
          "name": "Trusted Relationship",
          "display_name": "T1199 - Trusted Relationship"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "641171874e8a881f58896228",
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 29,
        "URL": 1,
        "CVE": 1,
        "FileHash-MD5": 5,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 1
      },
      "indicator_count": 38,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 277,
      "modified_text": "1176 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "641171874e8a881f58896228",
      "name": "eSentire | BatLoader Continues to Abuse Google Search Ads to Deliver\u2026",
      "description": "",
      "modified": "2023-03-15T07:19:35.183000",
      "created": "2023-03-15T07:19:35.183000",
      "tags": [
        "ursnif",
        "vidar",
        "cobalt strike",
        "redline",
        "systembc",
        "batloader",
        "python",
        "threat response",
        "unit",
        "google search",
        "endpoint",
        "figure",
        "february",
        "powershell",
        "redline stealer",
        "cyber",
        "winrar",
        "loader",
        "defender",
        "anydesk"
      ],
      "references": [
        "https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "BatLoader",
          "display_name": "BatLoader",
          "target": null
        },
        {
          "id": "SystemBC",
          "display_name": "SystemBC",
          "target": null
        },
        {
          "id": "Redline",
          "display_name": "Redline",
          "target": null
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        },
        {
          "id": "Vidar",
          "display_name": "Vidar",
          "target": null
        },
        {
          "id": "Ursnif",
          "display_name": "Ursnif",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1199",
          "name": "Trusted Relationship",
          "display_name": "T1199 - Trusted Relationship"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "640f276183184b41fd5f5be1",
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "tr2222200",
        "id": "207905",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 29,
        "URL": 1,
        "CVE": 1,
        "FileHash-MD5": 5,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 1
      },
      "indicator_count": 38,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 186,
      "modified_text": "1176 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "64105ac0f91bd73a914680b2",
      "name": "BatLoader Uses Google Search Ads to Deliver Vidar Stealer and Ursnif",
      "description": "The malware downloader known as BATLOADER has been observed abusing Google Ads to deliver secondary payloads like Vidar Stealer\nand Ursnif. These malicious ads are used to spoof a wide range of legitimate apps and services such as Adobe, OpenAI's ChatGPT,\nSpotify, Tableau and Zoom.\n\nThe key trait of the BATLOADER operations is the use of software impersonation tactics for malware delivery. This is achieved\nby setting up lookalike websites that host Windows installer files masquerading as legitimate apps, and by placing malicious ads\nat the top of Google search results for certain search terms; the infection sequence is triggered when a user searching\nfor the software clicks a rogue ad on the Google search results page.\n\n\nBATLOADER targets various popular applications for impersonation, as mentioned above. These applications are commonly found\nin business networks and thus would yield more valuable footholds for monetization via fraud or hands-on-keyboard\nintrusions.",
      "modified": "2023-03-14T11:30:08.837000",
      "created": "2023-03-14T11:30:08.837000",
      "tags": [
        "ursnif",
        "vidar",
        "cobalt strike",
        "redline",
        "systembc",
        "batloader",
        "python",
        "threat response",
        "unit",
        "google search",
        "endpoint",
        "figure",
        "february",
        "powershell",
        "redline stealer",
        "cyber",
        "winrar",
        "loader",
        "defender",
        "anydesk"
      ],
      "references": [
        "https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "BatLoader",
          "display_name": "BatLoader",
          "target": null
        },
        {
          "id": "SystemBC",
          "display_name": "SystemBC",
          "target": null
        },
        {
          "id": "Redline",
          "display_name": "Redline",
          "target": null
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        },
        {
          "id": "Vidar",
          "display_name": "Vidar",
          "target": null
        },
        {
          "id": "Ursnif",
          "display_name": "Ursnif",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1199",
          "name": "Trusted Relationship",
          "display_name": "T1199 - Trusted Relationship"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 8,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Superpro",
        "id": "61676",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 29,
        "URL": 1,
        "CVE": 1,
        "FileHash-MD5": 5,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 1
      },
      "indicator_count": 38,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 214,
      "modified_text": "1177 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "640f7b0ca85b96b2b99e6783",
      "name": "BatLoader Continues to Abuse Google Search Ads to Deliver Vidar Stealer and Ursnif",
      "description": "The following is a full list of key findings from the Open Research Council on Open Source: www.ch.m.msi (BatLoader) on Facebook, Twitter and other social media.",
      "modified": "2023-03-13T19:35:40.389000",
      "created": "2023-03-13T19:35:40.389000",
      "tags": [
        "ursnif",
        "batloader",
        "note",
        "vidar",
        "batloader c2",
        "ursnif c2"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "issmonitor",
        "id": "5007",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 28,
        "FileHash-MD5": 5,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 1
      },
      "indicator_count": 35,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 71,
      "modified_text": "1177 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "640f55b690b155315d4525ff",
      "name": "eSentire | BatLoader Continues to Abuse Google Search Ads to Deliver\u2026",
      "description": "Microsoft's eSentire MDR services provide 24/7 threat hunting, end-to-end coverage, and complete response to all types of cyber attacks, but how do you do it?",
      "modified": "2023-03-13T16:56:22.475000",
      "created": "2023-03-13T16:56:22.475000",
      "tags": [
        "ursnif",
        "vidar",
        "cobalt strike",
        "redline",
        "systembc",
        "batloader",
        "python",
        "threat response",
        "unit",
        "google search",
        "endpoint",
        "figure",
        "february",
        "powershell",
        "redline stealer",
        "cyber",
        "winrar",
        "loader",
        "defender",
        "anydesk"
      ],
      "references": [
        "https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "BatLoader",
          "display_name": "BatLoader",
          "target": null
        },
        {
          "id": "SystemBC",
          "display_name": "SystemBC",
          "target": null
        },
        {
          "id": "Redline",
          "display_name": "Redline",
          "target": null
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        },
        {
          "id": "Vidar",
          "display_name": "Vidar",
          "target": null
        },
        {
          "id": "Ursnif",
          "display_name": "Ursnif",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1199",
          "name": "Trusted Relationship",
          "display_name": "T1199 - Trusted Relationship"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Cyber74Team",
        "id": "202637",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_202637/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 29,
        "URL": 1,
        "CVE": 1,
        "FileHash-MD5": 5,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 1
      },
      "indicator_count": 38,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 164,
      "modified_text": "1178 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "640f276183184b41fd5f5be1",
      "name": "eSentire | BatLoader Continues to Abuse Google Search Ads to Deliver\u2026",
      "description": "Microsoft's eSentire MDR services provide 24/7 threat hunting, end-to-end coverage, and complete response to all types of cyber attacks, but how do you do it?",
      "modified": "2023-03-13T13:38:41.276000",
      "created": "2023-03-13T13:38:41.276000",
      "tags": [
        "ursnif",
        "vidar",
        "cobalt strike",
        "redline",
        "systembc",
        "batloader",
        "python",
        "threat response",
        "unit",
        "google search",
        "endpoint",
        "figure",
        "february",
        "powershell",
        "redline stealer",
        "cyber",
        "winrar",
        "loader",
        "defender",
        "anydesk"
      ],
      "references": [
        "https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "BatLoader",
          "display_name": "BatLoader",
          "target": null
        },
        {
          "id": "SystemBC",
          "display_name": "SystemBC",
          "target": null
        },
        {
          "id": "Redline",
          "display_name": "Redline",
          "target": null
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        },
        {
          "id": "Vidar",
          "display_name": "Vidar",
          "target": null
        },
        {
          "id": "Ursnif",
          "display_name": "Ursnif",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1199",
          "name": "Trusted Relationship",
          "display_name": "T1199 - Trusted Relationship"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 7,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 29,
        "URL": 1,
        "CVE": 1,
        "FileHash-MD5": 5,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 1
      },
      "indicator_count": 38,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 862,
      "modified_text": "1178 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "640ef097cbb9d49b192e1bb8",
      "name": "eSentire | BatLoader Continues to Abuse Google Search Ads to Deliver\u2026",
      "description": "Microsoft's eSentire MDR services provide 24/7 threat hunting, end-to-end coverage, and complete response to all types of cyber attacks, but how do you do it?",
      "modified": "2023-03-13T09:44:55.659000",
      "created": "2023-03-13T09:44:55.659000",
      "tags": [
        "ursnif",
        "vidar",
        "cobalt strike",
        "redline",
        "systembc",
        "batloader",
        "python",
        "threat response",
        "unit",
        "google search",
        "endpoint",
        "figure",
        "february",
        "powershell",
        "redline stealer",
        "cyber",
        "winrar",
        "loader",
        "defender",
        "anydesk"
      ],
      "references": [
        "https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif",
        "https://thehackernews.com/2023/03/batloader-malware-uses-google-ads-to.html"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "BatLoader",
          "display_name": "BatLoader",
          "target": null
        },
        {
          "id": "SystemBC",
          "display_name": "SystemBC",
          "target": null
        },
        {
          "id": "Redline",
          "display_name": "Redline",
          "target": null
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        },
        {
          "id": "Vidar",
          "display_name": "Vidar",
          "target": null
        },
        {
          "id": "Ursnif",
          "display_name": "Ursnif",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1199",
          "name": "Trusted Relationship",
          "display_name": "T1199 - Trusted Relationship"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 8,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "jeffchandy",
        "id": "215558",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_215558/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 29,
        "URL": 1,
        "CVE": 1,
        "FileHash-MD5": 5,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 1
      },
      "indicator_count": 38,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 54,
      "modified_text": "1178 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "640d30af07962af7c78859cb",
      "name": "The BATLOADER Malware Downloader",
      "description": "",
      "modified": "2023-03-12T01:53:50.824000",
      "created": "2023-03-12T01:53:50.824000",
      "tags": [],
      "references": [
        "March 12th, 2023 - CryptoGen Cyber Threat Intelligence - The BATLOADER Malware Downloader.pdf"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 27,
        "FileHash-MD5": 5,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 1
      },
      "indicator_count": 34,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 500,
      "modified_text": "1179 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "zoomvideor.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "zoomvideor.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780514829.9312224
}