November 25, 2021
Severity
Medium
Analysis Summary
BazarLoader is a small backdoor, closely related to TrickBot, that gives attackers a foothold on an infected Windows host. It is currently distributed through the BazarCall method; once installed it provides the operators with a backdoor that can later be used to deliver follow-up malware, scan the environment and exploit other vulnerable hosts on the network.
Researchers have reported the latest method used by threat actors to spread the malware: the call-center-based BazarLoader distribution method uses emails with a trial-subscription theme that urge potential victims to call a phone number. The victim is tricked into believing they have been subscribed to a service they never signed up for and is directed to call the number for help. The call-center operator then walks the victim through downloading a malicious Excel sheet, presented as the way to unsubscribe, which installs the malware when the victim follows those steps.
Impact
- Data Exfiltration
Indicators of Compromise
IP
- 167[.]172[.]37[.]20
- 207[.]154[.]236[.]187
- 64[.]225[.]71[.]198
- 167[.]172[.]37[.]33
- 104[.]248[.]164[.]94
- 104[.]248[.]170[.]50
- 139[.]28[.]235[.]249
- 172[.]83[.]155[.]231
- 94[.]140[.]112[.]22
- 207[.]154[.]244[.]115
- 194[.]15[.]113[.]148
MD5
- 261541358c04b63dd39f0a65528775bb
- 47933f87a08b2dc9c415433ac4ab4f04
- 458228b460f972d7935723acad55f9ba
- d05a2463b37e487fd04b44a547cef5a6
- cf06c224eef30aed8b44e419928e2d6c
- 730ca73a23dd70b2edf3712e4d03db1c
- db8f42a798dd65d9bd8398c3e2564f06
- 04861b49fb21fea57ab9bba57b5e5ac6
- 7f3bcbb3e8080ac75f7bba326a23c54f
- 4932b7fa81a500c5050ccf3a945077e3
- c07251738742f5a6f63bf9302afef471
- 96f60230308da02083c037b42a625e63
- c087889bd712b71c824560d1cf526be6
- 72cbfbfb9fb6e673051e938fb31ca987
- 4ea59f580d5a3398b7aca61e53e710bc
SHA-256
- 6d5ebe8069122e1b470169e0b1545f3c6196259ed2e94e5a242be3209f92cdea
- 807c8c2c02fd1c0f567bbbe14e24484ff0871d83130464c8376e8382e563d1cb
- 50561167909de0e777c5d81ef72d0981b996fe46df881ab34b9b106aabbe7560
- 247a013ddfa6a8b23294e5f58d57e230b562939421e51b5560c77ea805e2cbf7
- 4ee75b010820c4577ba02757b575e63736470bc014aa79ee53311b42dd51e464
- bf58ef24dd79c02522163be7d8e523cecb2be8daf30e98fd6673d583cbc9e74b
- 59b77f3b8d2e7d72c61d522a2bcabbe0b47be3b73e1a4001cb763589a656134c
- 6d0801c0ad5c7c7b194502d932a7cde2ab51d13d40f62c77f9e4e00524f641d1
- 3bc6fc23cef261ac74aa5b98d0c3ec9a4fb1ef3f6b850334d4df698a5fe1ec04
- 5622189598fae2814a0f6a73a1d746c99777e1ec90e9b5bda156f15a6bfc2832
- cd8c23863bd9a51ae9c135182a9a6af14408b4ad8f0bac3d58c4ed473c8589c2
- 960a111f4ea6624b2e145d8145f80348a9a2c5812efd68539a67a8586b3baca6
- 0f7904774e867127614e885913f986c278233ab2d8a7cd56f1ee171198a4b6a4
- 7285b66243283537da1f1883bfd1e9781815e2789e2cfe876052b56dc74cf6cd
- ff4aba383a3683fc702707c1cd2bfe9387a0ffe6c4ce68d085532bcd02ed6a2d
SHA-1
- c09a707522794b92966c380e1e62a03724f8b36d
- d6ff3d8b0a0729c651c8318d3fa470d90cc0c8ab
- 4ab23bbfa840acba573f2e585bbed01257e2aae3
- 3613f783cdf52c08dfb46f20c3f2a07521d9d5e0
- 88a34ba4122a17c43f596313faa38a67142fc259
- 48d8ff863d43bde2614ae387841135d1b33e66da
- 7df618ca8e5e21faf19ece8c2470f62af8e4ea15
- cb429369607174d464edf5447e7edbc0a8157e9b
- e2cf8adac9d9860db7fff35dc0d9c94807b0f2dd
- 13d7cf3a826274183d761bc4bcd16e68c069e14b
- ab0f41cd9bbf8930c7f37e0735e651aadaeafe0c
- f932dbe08924909fbc81f835e4fe85d27d33abb7
- 9d00dc27f6b2932ec225cebd709120fa6414ef5f
- a9a68add226e1565eb73cd4309a5e32728af56df
- 384373fbe321322afb7682350cedf8089d38c756
URL
- http[:]//167[.]172[.]37[.]20/part/issue/invoke
- http[:]//207[.]154[.]236[.]187/out/rolling/issue/invoke
- http[:]//64[.]225[.]71[.]198/main/issue/invoke
- http[:]//167[.]172[.]37[.]33/main/issue/invoke
- http[:]//167[.]172[.]37[.]20/main/issue/invoke
- http[:]//104[.]248[.]164[.]94/minor/issue/invoke
- http[:]//207[.]154[.]236[.]187/out/major/issue/invoke
- http[:]//104[.]248[.]175[.]208/minor/issue/invoke
- http[:]//207[.]154[.]229[.]94/out/major/issue/invoke
- http[:]//94[.]140[.]112[.]22/out/major/issue/invoke
- http[:]//139[.]28[.]235[.]249/out/major/issue/invoke
- http[:]//172[.]83[.]155[.]231/out/major/issue/invoke
- http[:]//94[.]140[.]112[.]22/out/stable/issue/invoke
- http[:]//207[.]154[.]244[.]115/out/major/issue/invoke
- http[:]//194[.]15[.]113[.]148/out/major/issue/invoke
- http[:]//139[.]28[.]235[.]249/out/stable/issue/invoke
- http[:]//207[.]154[.]236[.]187/out/stable/issue/invoke
- http[:]//207[.]154[.]244[.]115/out/stable/issue/invoke
- http[:]//94[.]140[.]112[.]22/out/minor/issue/invoke
- http[:]//207[.]154[.]244[.]115/out/minor/issue/invoke
- http[:]//207[.]154[.]236[.]187/out/minor/issue/invoke
- http[:]//94[.]140[.]112[.]9/out/stable/issue/invoke
- http[:]//54[.]212[.]208[.]226/api/get/output/text
- http[:]//167[.]99[.]240[.]197/web/main/job/run
- http[:]//194[.]15[.]113[.]148/web/main/job/run
Remediation
- Block all threat indicators at your respective controls.
- Keep Windows up to date.
- Watch for suspicious emails and tighten the spam-filtering settings in your email applications.
- Never download files from untrusted or malicious websites.
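The indicators above are defanged (`[.]` and `[:]`) so they cannot be clicked by accident, and several appear more than once. Before they can be loaded into a firewall, proxy or SIEM, a defender has to refang and deduplicate them. The following Python script is an added example, not part of the Rewterz alert: it refangs a subset of the IPs and URLs listed above, derives the IP blocklist from the URL hosts as well, and then checks a few constructed proxy log lines (the log format and the client addresses are assumptions) for matches. It also distinguishes exact URL hits from IP-only hits, since the latter need triage before blocking.

```python
import re
from urllib.parse import urlsplit

# Defanged indicators copied from the alert above (a subset).
DEFANGED_IOCS = [
    "167[.]172[.]37[.]20",
    "207[.]154[.]236[.]187",
    "167[.]172[.]37[.]20",  # listed twice in the alert; deduplicated below
    "http[:]//167[.]172[.]37[.]20/part/issue/invoke",
    "http[:]//207[.]154[.]236[.]187/out/rolling/issue/invoke",
    "http[:]//54[.]212[.]208[.]226/api/get/output/text",
]

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def refang(ioc: str) -> str:
    """Undo the usual defanging conventions: [.] -> . , [:] -> : , hxxp -> http."""
    return ioc.strip().replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def build_blocklist(defanged):
    """Return (ips, urls) as deduplicated sets.

    URL indicators also contribute their host to the IP set when that host is
    an IPv4 literal, so a bare-IP connection to a listed C2 host is still caught.
    """
    ips, urls = set(), set()
    for raw in defanged:
        value = refang(raw)
        if IPV4_RE.match(value):
            ips.add(value)
        elif value.startswith(("http://", "https://")):
            urls.add(value)
            host = urlsplit(value).hostname
            if host and IPV4_RE.match(host):
                ips.add(host)
    return ips, urls


# Constructed proxy log lines (assumed format, not from the alert):
# <timestamp> <client-ip> <destination-ip> <requested-url>
SAMPLE_PROXY_LOG = """\
2021-11-25T10:01:02Z 10.0.0.5 167.172.37.20 http://167.172.37.20/part/issue/invoke
2021-11-25T10:01:09Z 10.0.0.7 93.184.216.34 http://example.com/index.html
2021-11-25T10:02:41Z 10.0.0.9 54.212.208.226 http://54.212.208.226/api/get/output/text
2021-11-25T10:03:00Z 10.0.0.5 207.154.236.187 http://207.154.236.187/out/stable/issue/invoke
"""


def scan_proxy_log(log_text, ips, urls):
    """Return a list of (timestamp, client, match_kind, indicator) hits.

    An exact URL match is high confidence; an IP-only match is weaker because
    hosting-provider addresses are reused, so it is reported separately.
    """
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than crash the scan
        ts, client, dest, url = parts[:4]
        if url in urls:
            hits.append((ts, client, "url", url))
        elif dest in ips:
            hits.append((ts, client, "ip", dest))
    return hits


if __name__ == "__main__":
    ip_set, url_set = build_blocklist(DEFANGED_IOCS)
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG, ip_set, url_set):
        print(hit)
```

The fourth sample line shows why the IP set is derived from the URL hosts too: that URL path is not in the subset loaded here, but the destination address is, so the connection is still flagged (as an IP-level hit for analyst review rather than an exact URL match).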