{"id":6069,"date":"2021-03-03T12:49:29","date_gmt":"2021-03-03T20:49:29","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=6069"},"modified":"2024-04-26T13:20:52","modified_gmt":"2024-04-26T20:20:52","slug":"bazarstrike-malspam-campaign-spoofs-complaint-notifications","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/bazarstrike-malspam-campaign-spoofs-complaint-notifications\/","title":{"rendered":"BazarStrike Malspam Campaign Spoofs Complaint Notifications"},"content":{"rendered":"<p><strong>Author: Christopher Kim<\/strong><br \/>\n<strong>TLP: WHITE<\/strong><br \/>\n&nbsp;<\/p>\n<h3>Overview<\/h3>\n<p>During the week of 22 February, security researchers discovered email campaigns distributing a malware loader for Cobalt Strike,<sup>1,2,3<\/sup> a legitimate penetration testing tool abused by threat actors for its post-exploitation capabilities. These campaigns, which some researchers have nicknamed \u201cBazarStrike,\u201d deliver the loaders using similar tactics, techniques, and procedures (TTPs) to that of BazarLoader campaigns.<sup>4<\/sup><\/p>\n<h3>Customer Impact<\/h3>\n<p>Cobalt Strike is a commercial penetration testing solution that attackers use to deploy a program named &#8220;Beacon&#8221; on the victim&#8217;s machine. 
Threat actors can use Beacon to perform advanced post-exploitation functions such as:<\/p>\n<ul>\n<li>Command execution,<\/li>\n<li>Key logging,<\/li>\n<li>File transfer,<\/li>\n<li>Socks proxying,<\/li>\n<li>Privilege escalation,<\/li>\n<li>Mimikatz,<sup>5<\/sup><\/li>\n<li>Port scanning, and<\/li>\n<li>Lateral movement.<\/li>\n<\/ul>\n<p>In late 2020, Cobalt Strike was involved in several major cyberattacks, including the supply chain attack on SolarWinds\u2019 Orion platform<sup>6<\/sup> and ransomware attacks on the healthcare sector.<sup>7<\/sup><\/p>\n<h3>Campaign Analysis<\/h3>\n<p>These campaigns used malware delivery methods typically seen in BazarLoader campaigns.<sup>8<\/sup><\/p>\n<p>Email messages followed a customer complaint theme either in the form of a letter, report or request. Subject lines included <em>Re: complaint on &lt;lastname&gt;<\/em> and <em>&lt;Victim company&gt; complaint<\/em>. The email bodies contained a link that led the victim to a customized landing web page hosted on an online platform for email marketing and creating landing pages.<\/p>\n<p>The threat actor(s) constructed the link name using a static prefix such as <em>complaint-letter<\/em>, as well as the email\u2019s date. The landing page contained another link to a Google Drive that hosted the loader payload.<\/p>\n<p>Although the delivery methods are similar, the binary of the loaders used in these campaigns is technically different from BazarLoader. Unlike BazarLoader, these loaders did not use <em>.bazar<\/em> top-level domains to calculate IPv4 command and control (C&amp;C) addresses that returned the next payload instructions.<\/p>\n<h3>Attack Chain<\/h3>\n<p>The threat actors digitally signed the malware loaders with one of two spoofed organizations, <em>OOO SMART<\/em> or <em>Orca System<\/em>. All digital certificates used in the campaigns were issued by Certum Extended Validation Code Signing CA SHA2. 
Threat actors will often use valid certificates to sign malicious software so it can blend in with other legitimate applications.<\/p>\n<p>When victims downloaded and executed the malware loader, it used process injection<sup>9<\/sup> to run Cobalt Strike across several common processes, including <em>dllhost.exe, svchost.exe, explorer.exe, wmiprvse.exe, and csrss.exe<\/em>.<\/p>\n<p>Cobalt Strike then established a channel session with its C&#038;C over port 443. The domains used for the C&#038;C communication were recently created in February and wholly registered by the actor for malicious purposes.<\/p>\n<h3>Vulnerabilities &#038; Mitigation<\/h3>\n<p>Infoblox recommends the following to reduce the risk of this type of infection:<\/p>\n<ul>\n<li>Threat actors often inject Cobalt Strike into legitimate processes such as <em>svchost.exe<\/em>. To detect process injection, look for unusual parent and child process pairs. For example, it is unusual to see an svchost.exe process that was not spawned by <em>services.exe<\/em>.<\/li>\n<li>Implement strong antivirus solutions that are capable of detecting evasion techniques such as process injection and process hollowing.<\/li>\n<li>Be cautious of emails that include unfamiliar links in their messages or that iterate through several external web pages to deliver documents.<\/li>\n<li>Network traffic patterns from machines on which Cobalt Strike is installed are uniformly distributed.<sup>10<\/sup> Examine network traffic to distinguish human-generated from machine-generated packets.<\/li>\n<li>The campaigns in this report used fraudulent domains created wholly for malicious purposes.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/threat-intelligence-108.jpg\" alt=\"\" width=\"554\" height=\"795\" class=\"aligncenter size-full wp-image-6593\" srcset=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-108.jpg 554w, 
https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-108-209x300.jpg 209w\" sizes=\"auto, (max-width: 554px) 100vw, 554px\" \/><\/p>\n<p><strong>Endnotes<\/strong><\/p>\n<ol>\n<li><a href=\"https:\/\/twitter.com\/James_inthe_box\/status\/1364587761529978880\">https:\/\/twitter.com\/James_inthe_box\/status\/1364587761529978880<\/a><\/li>\n<li><a href=\"https:\/\/twitter.com\/ffforward\/status\/1364893143536181249\">https:\/\/twitter.com\/ffforward\/status\/1364893143536181249<\/a><\/li>\n<li><a href=\"https:\/\/twitter.com\/GossiTheDog\/status\/1364573917877264386\">https:\/\/twitter.com\/GossiTheDog\/status\/1364573917877264386<\/a><\/li>\n<li><a href=\"https:\/\/twitter.com\/hashtag\/BazarStrike?src=hashtag_click\">https:\/\/twitter.com\/hashtag\/BazarStrike?src=hashtag_click<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/gentilkiwi\/mimikatz\/wiki\">https:\/\/github.com\/gentilkiwi\/mimikatz\/wiki<\/a><\/li>\n<li><a href=\"https:\/\/blogs.infoblox.com\/cyber-threat-intelligence\/teardrop-malware\/\">https:\/\/blogs.infoblox.com\/cyber-threat-intelligence\/teardrop-malware\/<\/a><\/li>\n<li><a href=\"https:\/\/blogs.infoblox.com\/cyber-threat-intelligence\/ransomware-attacks-target-healthcare-sector\/\">https:\/\/blogs.infoblox.com\/cyber-threat-intelligence\/ransomware-attacks-target-healthcare-sector\/<\/a><\/li>\n<li><a href=\"https:\/\/resources.infosecinstitute.com\/topic\/bazarbackdoor-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight\/\">https:\/\/resources.infosecinstitute.com\/topic\/bazarbackdoor-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight\/<\/a><\/li>\n<li><a href=\"https:\/\/attack.mitre.org\/techniques\/T1055\/\">https:\/\/attack.mitre.org\/techniques\/T1055\/<\/a><\/li>\n<li><a 
href=\"https:\/\/talos-intelligence-site.s3.amazonaws.com\/production\/document_files\/files\/000\/095\/031\/original\/Talos_Cobalt_Strike.pdf\">https:\/\/talos-intelligence-site.s3.amazonaws.com\/production\/document_files\/files\/000\/095\/031\/original\/Talos_Cobalt_Strike.pdf<\/a><\/li>\n<\/ol>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Author: Christopher Kim TLP: WHITE &nbsp; Overview During the week of 22 February, security researchers discovered email campaigns distributing a malware loader for Cobalt Strike,1,2,3 a legitimate penetration testing tool abused by threat actors for its post-exploitation capabilities. These campaigns, which some researchers have nicknamed \u201cBazarStrike,\u201d deliver the loaders using similar tactics, techniques, and procedures [&hellip;]<\/p>\n","protected":false},"author":397,"featured_media":6726,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[553],"tags":[447,448,189,294],"class_list":{"0":"post-6069","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-cyber-campaign-briefs","8":"tag-bazarstrike","9":"tag-beacon","10":"tag-cybersecurity","11":"tag-malspam","12":"entry"},"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.3 (Yoast SEO v27.3) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>BazarStrike Malspam Campaign Spoofs Complaint Notifications<\/title>\n<meta name=\"description\" content=\"BazarStrike Malspam Campaign Spoofs Complaint Notifications. 
During the week of 22 February, security researchers discovered email campaigns distributing a malware loader for Cobalt Strike,1,2,3 a legitimate penetration testing tool abused by threat actors for its post-exploitation capabilities. These campaigns, which some researchers have nicknamed \u201cBazarStrike,\u201d deliver the loaders using similar tactics, techniques, and procedures (TTPs) to that of BazarLoader campaigns\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/bazarstrike-malspam-campaign-spoofs-complaint-notifications\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"BazarStrike Malspam Campaign Spoofs Complaint Notifications\" \/>\n<meta property=\"og:description\" content=\"BazarStrike Malspam Campaign Spoofs Complaint Notifications. During the week of 22 February, security researchers discovered email campaigns distributing a malware loader for Cobalt Strike,1,2,3 a legitimate penetration testing tool abused by threat actors for its post-exploitation capabilities. 
These campaigns, which some researchers have nicknamed \u201cBazarStrike,\u201d deliver the loaders using similar tactics, techniques, and procedures (TTPs) to that of BazarLoader campaigns\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/bazarstrike-malspam-campaign-spoofs-complaint-notifications\/\" \/>\n<meta property=\"og:site_name\" content=\"Infoblox Blog\" \/>\n<meta property=\"article:published_time\" content=\"2021-03-03T20:49:29+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-04-26T20:20:52+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/ciu-image-36.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"612\" \/>\n\t<meta property=\"og:image:height\" content=\"362\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Infoblox Threat Intel\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Infoblox Threat Intel\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-campaign-briefs\\\/bazarstrike-malspam-campaign-spoofs-complaint-notifications\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-campaign-briefs\\\/bazarstrike-malspam-campaign-spoofs-complaint-notifications\\\/\"},\"author\":{\"name\":\"Infoblox Threat Intel\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/person\\\/b6aed8965e3298a0817c16d32c0a67ae\"},\"headline\":\"BazarStrike Malspam Campaign Spoofs Complaint Notifications\",\"datePublished\":\"2021-03-03T20:49:29+00:00\",\"dateModified\":\"2024-04-26T20:20:52+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-campaign-briefs\\\/bazarstrike-malspam-campaign-spoofs-complaint-notifications\\\/\"},\"wordCount\":628,\"publisher\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-campaign-briefs\\\/bazarstrike-malspam-campaign-spoofs-complaint-notifications\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/ciu-image-36.jpg\",\"keywords\":[\"BazarStrike\",\"Beacon\",\"Cybersecurity\",\"Malspam\"],\"articleSection\":[\"Cyber Campaign 
Briefs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-campaign-briefs\\\/bazarstrike-malspam-campaign-spoofs-complaint-notifications\\\/\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-campaign-briefs\\\/bazarstrike-malspam-campaign-spoofs-complaint-notifications\\\/\",\"name\":\"BazarStrike Malspam Campaign Spoofs Complaint Notifications\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-campaign-briefs\\\/bazarstrike-malspam-campaign-spoofs-complaint-notifications\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-campaign-briefs\\\/bazarstrike-malspam-campaign-spoofs-complaint-notifications\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/ciu-image-36.jpg\",\"datePublished\":\"2021-03-03T20:49:29+00:00\",\"dateModified\":\"2024-04-26T20:20:52+00:00\",\"description\":\"BazarStrike Malspam Campaign Spoofs Complaint Notifications. During the week of 22 February, security researchers discovered email campaigns distributing a malware loader for Cobalt Strike,1,2,3 a legitimate penetration testing tool abused by threat actors for its post-exploitation capabilities. 
These campaigns, which some researchers have nicknamed \u201cBazarStrike,\u201d deliver the loaders using similar tactics, techniques, and procedures (TTPs) to that of BazarLoader campaigns\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-campaign-briefs\\\/bazarstrike-malspam-campaign-spoofs-complaint-notifications\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-campaign-briefs\\\/bazarstrike-malspam-campaign-spoofs-complaint-notifications\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-campaign-briefs\\\/bazarstrike-malspam-campaign-spoofs-complaint-notifications\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/ciu-image-36.jpg\",\"contentUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/ciu-image-36.jpg\",\"width\":612,\"height\":362,\"caption\":\"Women use cell phones to detect cybersecurity security\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-campaign-briefs\\\/bazarstrike-malspam-campaign-spoofs-complaint-notifications\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Infoblox Threat Intel\",\"item\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/category\\\/threat-intelligence\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Cyber Campaign Briefs\",\"item\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/category\\\/threat-intelligence\\\/cyber-campaign-briefs\\\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"BazarStrike Malspam Campaign Spoofs Complaint 
Notifications\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/\",\"name\":\"infoblox.com\\\/blog\\\/\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#organization\",\"name\":\"Infoblox\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/infoblox-logo-2.svg\",\"contentUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/infoblox-logo-2.svg\",\"width\":137,\"height\":30,\"caption\":\"Infoblox\"},\"image\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/person\\\/b6aed8965e3298a0817c16d32c0a67ae\",\"name\":\"Infoblox Threat Intel\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/blogs.infoblox.com\\\/wp-content\\\/uploads\\\/avatar_user_397_1714162589-96x96.png\",\"url\":\"https:\\\/\\\/blogs.infoblox.com\\\/wp-content\\\/uploads\\\/avatar_user_397_1714162589-96x96.png\",\"contentUrl\":\"https:\\\/\\\/blogs.infoblox.com\\\/wp-content\\\/uploads\\\/avatar_user_397_1714162589-96x96.png\",\"caption\":\"Infoblox Threat Intel\"},\"description\":\"Infoblox Threat Intel is the leading creator of original DNS threat 
intelligence, distinguishing itself in a sea of aggregators. What sets us apart? Two things: mad DNS skills and unparalleled visibility. DNS is notoriously tricky to interpret and hunt from, but our deep understanding and unique access to the internet's inner workings allow us to track down threat actors that others can't see. We're proactive, not just defensive, using our insights to disrupt cybercrime where it begins. We also believe in sharing knowledge to support the broader security community by publishing detailed research and releasing indicators on GitHub. In addition, our intel is seamlessly integrated into our Infoblox Protective DNS solutions, so customers automatically get its benefits, along with ridiculously low false positive rates.\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/author\\\/infoblox-threat-intel\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"BazarStrike Malspam Campaign Spoofs Complaint Notifications","description":"BazarStrike Malspam Campaign Spoofs Complaint Notifications. During the week of 22 February, security researchers discovered email campaigns distributing a malware loader for Cobalt Strike,1,2,3 a legitimate penetration testing tool abused by threat actors for its post-exploitation capabilities. 
These campaigns, which some researchers have nicknamed \u201cBazarStrike,\u201d deliver the loaders using similar tactics, techniques, and procedures (TTPs) to that of BazarLoader campaigns","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/bazarstrike-malspam-campaign-spoofs-complaint-notifications\/","og_locale":"en_US","og_type":"article","og_title":"BazarStrike Malspam Campaign Spoofs Complaint Notifications","og_description":"BazarStrike Malspam Campaign Spoofs Complaint Notifications. During the week of 22 February, security researchers discovered email campaigns distributing a malware loader for Cobalt Strike,1,2,3 a legitimate penetration testing tool abused by threat actors for its post-exploitation capabilities. These campaigns, which some researchers have nicknamed \u201cBazarStrike,\u201d deliver the loaders using similar tactics, techniques, and procedures (TTPs) to that of BazarLoader campaigns","og_url":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/bazarstrike-malspam-campaign-spoofs-complaint-notifications\/","og_site_name":"Infoblox Blog","article_published_time":"2021-03-03T20:49:29+00:00","article_modified_time":"2024-04-26T20:20:52+00:00","og_image":[{"width":612,"height":362,"url":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/ciu-image-36.jpg","type":"image\/jpeg"}],"author":"Infoblox Threat Intel","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Infoblox Threat Intel","Est. 
reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/bazarstrike-malspam-campaign-spoofs-complaint-notifications\/#article","isPartOf":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/bazarstrike-malspam-campaign-spoofs-complaint-notifications\/"},"author":{"name":"Infoblox Threat Intel","@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/person\/b6aed8965e3298a0817c16d32c0a67ae"},"headline":"BazarStrike Malspam Campaign Spoofs Complaint Notifications","datePublished":"2021-03-03T20:49:29+00:00","dateModified":"2024-04-26T20:20:52+00:00","mainEntityOfPage":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/bazarstrike-malspam-campaign-spoofs-complaint-notifications\/"},"wordCount":628,"publisher":{"@id":"https:\/\/www.infoblox.com\/blog\/#organization"},"image":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/bazarstrike-malspam-campaign-spoofs-complaint-notifications\/#primaryimage"},"thumbnailUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/ciu-image-36.jpg","keywords":["BazarStrike","Beacon","Cybersecurity","Malspam"],"articleSection":["Cyber Campaign Briefs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/bazarstrike-malspam-campaign-spoofs-complaint-notifications\/","url":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/bazarstrike-malspam-campaign-spoofs-complaint-notifications\/","name":"BazarStrike Malspam Campaign Spoofs Complaint 
Notifications","isPartOf":{"@id":"https:\/\/www.infoblox.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/bazarstrike-malspam-campaign-spoofs-complaint-notifications\/#primaryimage"},"image":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/bazarstrike-malspam-campaign-spoofs-complaint-notifications\/#primaryimage"},"thumbnailUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/ciu-image-36.jpg","datePublished":"2021-03-03T20:49:29+00:00","dateModified":"2024-04-26T20:20:52+00:00","description":"BazarStrike Malspam Campaign Spoofs Complaint Notifications. During the week of 22 February, security researchers discovered email campaigns distributing a malware loader for Cobalt Strike,1,2,3 a legitimate penetration testing tool abused by threat actors for its post-exploitation capabilities. These campaigns, which some researchers have nicknamed \u201cBazarStrike,\u201d deliver the loaders using similar tactics, techniques, and procedures (TTPs) to that of BazarLoader campaigns","breadcrumb":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/bazarstrike-malspam-campaign-spoofs-complaint-notifications\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/bazarstrike-malspam-campaign-spoofs-complaint-notifications\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/bazarstrike-malspam-campaign-spoofs-complaint-notifications\/#primaryimage","url":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/ciu-image-36.jpg","contentUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/ciu-image-36.jpg","width":612,"height":362,"caption":"Women use cell phones to detect cybersecurity 
security"},{"@type":"BreadcrumbList","@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/bazarstrike-malspam-campaign-spoofs-complaint-notifications\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.infoblox.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Infoblox Threat Intel","item":"https:\/\/www.infoblox.com\/blog\/category\/threat-intelligence\/"},{"@type":"ListItem","position":3,"name":"Cyber Campaign Briefs","item":"https:\/\/www.infoblox.com\/blog\/category\/threat-intelligence\/cyber-campaign-briefs\/"},{"@type":"ListItem","position":4,"name":"BazarStrike Malspam Campaign Spoofs Complaint Notifications"}]},{"@type":"WebSite","@id":"https:\/\/www.infoblox.com\/blog\/#website","url":"https:\/\/www.infoblox.com\/blog\/","name":"infoblox.com\/blog\/","description":"","publisher":{"@id":"https:\/\/www.infoblox.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.infoblox.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.infoblox.com\/blog\/#organization","name":"Infoblox","url":"https:\/\/www.infoblox.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/infoblox-logo-2.svg","contentUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/infoblox-logo-2.svg","width":137,"height":30,"caption":"Infoblox"},"image":{"@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/person\/b6aed8965e3298a0817c16d32c0a67ae","name":"Infoblox Threat 
Intel","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/avatar_user_397_1714162589-96x96.png","url":"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/avatar_user_397_1714162589-96x96.png","contentUrl":"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/avatar_user_397_1714162589-96x96.png","caption":"Infoblox Threat Intel"},"description":"Infoblox Threat Intel is the leading creator of original DNS threat intelligence, distinguishing itself in a sea of aggregators. What sets us apart? Two things: mad DNS skills and unparalleled visibility. DNS is notoriously tricky to interpret and hunt from, but our deep understanding and unique access to the internet's inner workings allow us to track down threat actors that others can't see. We're proactive, not just defensive, using our insights to disrupt cybercrime where it begins. We also believe in sharing knowledge to support the broader security community by publishing detailed research and releasing indicators on GitHub. 
In addition, our intel is seamlessly integrated into our Infoblox Protective DNS solutions, so customers automatically get its benefits, along with ridiculously low false positive rates.","url":"https:\/\/www.infoblox.com\/blog\/author\/infoblox-threat-intel\/"}]}},"_links":{"self":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/6069","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/users\/397"}],"replies":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/comments?post=6069"}],"version-history":[{"count":4,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/6069\/revisions"}],"predecessor-version":[{"id":6595,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/6069\/revisions\/6595"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media\/6726"}],"wp:attachment":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media?parent=6069"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/categories?post=6069"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/tags?post=6069"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}