Malvertising Used as Entry Vector for BlackCat, Actors Also Leverage SpyBoy Terminator

[+] File IOCs
SHA-256									Detection name
25467df66778077cc387f4004f25aa20b1f9caec2e73b9928ec4fe57b6a2f63c 	Trojan.Win64.COBEACON.SWG
4a4d20d107ee8e23ce1ebe387854a4bfe766fc99f359ed18b71d3e01cb158f4a 	Trojan.Win64.COBEACON.SWG
13090722ba985bafcccfb83795ee19fd4ab9490af1368f0e7ea5565315c067fe 	Trojan.Win64.COBEACON.SWG
									Troj.Win32.TRX.XXPE50FFF069
8859a09fdc94d7048289d2481ede4c98dc342c0a0629cbcef2b91af32d52acb5  	Trojan.Win64.COBEACON.SWG
bacbe893b668a63490d2ad045a69b66c96dcacb500803c68a9de6cca944affef  	Trojan.Win64.COBEACON.SWG
c7a5a4fb4f680974f3334f14e0349522502b9d5018ec9be42beec5fa8c1597fe  	Trojan.Win64.COBEACON.SWG
3ce4ed3c7bd97b84045bdcfc84d3772b4c3a29392a9a2eee9cc17d8a5e5403ce  	Trojan.Win64.COBEACON.SWG
21e7bcc03c607e69740a99d0e9ae8223486c73af50f4c399c8d30cce4d41e839  	Trojan.Win64.COBEACON.SWG
e5db80c01562808ef2ec1c4b8f3f033ac0ed758d 				Backdoor.Python.COBEACON.C
cfbde85bdb62054b5b9eb4438c3837b9f1a69f61 				Backdoor.Python.COBEACON.C
3b14559a6e33fce120a905fde57ba6ed268a51f1  				Backdoor.Python.COBEACON.C
aae1b17891ec215a0e238f881be862b4f598e46c  				Backdoor.Python.COBEACON.C
c82b28daeb33d94ae3cafbc52dbb801c4a5b8cfa  				Backdoor.Python.COBEACON.C
d2663fc6966c197073c7315264602b4c6ba9c192  				Trojan.BAT.COBEACON.AO
c7568d00ae38b3a4691a413ed439a0e3fb5664b1  				Trojan.BAT.COBEACON.AO
61e41be7a9889472f648a5a3d0b0ab69e2e056c5  				Trojan.BAT.COBEACON.AO
69ffad6be67724b1c7e8f65e8816533a96667a36  				Trojan.XML.COBEACON.F
c1516915431cb55703b5a88d94ef6de0ac67190a  				Trojan.XML.COBEACON.F
a7b1853348346d5d56f4c33f313693a18b6af457  				Trojan.XML.COBEACON.F
ac8e3146f41845a56584ce5e8e172a56d59aa804  				Trojan.XML.COBEACON.F
e5d434dfa2634041cdbdac1dec58fcd49d629513  				Trojan.BAT.KILLAV.WLEBG
42da9e9e3152c1d995d8132674368da4be78bf6a  				Trojan.BAT.COBEACON.AO.dldr
5cbb6978c9d01c8a6ea65caccb451bf052ed2acd  				HackTool.Win32.Adfind.VSNW1FE23
a9310c3f039c4e2184848f0eb8e65672f9f11240  				TrojanSpy.Python.CREAL.A
5e36a649c82fa41a600d51fe99f4aa8911b87828  				HackTool.Python.LaZagne.AD
5263a135f09185aa44f6b73d2f8160f56779706d  				HackTool.PS1.VeeamCreds.A
75d02e81cc326e6a0773bc11ffa6fa2f6fa5343e  				TROJ.Win32.TRX.XXPE50FFF069
9d85cb2c6f1fccc83217837a63600b673da1991a  				TROJ.Win32.TRX.XXPE50FFF069
2f2eb89d3e6726c6c62d6153e2db1390b7ae7d01  				TROJ.Win32.TRX.XXPE50FFF069
7d500a2cd8ea7e455ae1799cb4142bb2abac3ae1  				TROJ.Win32.TRX.XXPE50FFF069
0362c710e4813020147f5520a780a15ef276e229  				Troj.Win32.TRX.XXPE50FFF069
									Troj.Win32.TRX.XXPE50FFF069R450C 
									TROJ.Win32.TRX.XXPE50FLM011
fb2ef2305511035e1742f689fce928c424aa8b7d  				Troj.Win32.TRX.XXPE50FFF069 
									Troj.Win32.TRX.XXPE50FFF069R450C 
									TROJ.Win32.TRX.XXPE50FLM011
7874d722a6dbaef9e5f9622d495f74957da358da  				Troj.Win32.TRX.XXPE50FFF069 
									Troj.Win32.TRX.XXPE50FFF069R450C 
									TROJ.Win32.TRX.XXPE50FLM011
06e3f86369046856b56d47f45ea2f7cf8e240ac5  				Troj.Win32.TRX.XXPE50FFF069 
									Troj.Win32.TRX.XXPE50FFF069R450C 
									TROJ.Win32.TRX.XXPE50FLM011
36b454592fc2b8556c2cb983c41af4d2d8398ea2  				Troj.Win32.TRX.XXPE50FFF068
337ca5eefe18025c6028d617ee76263279650484  				TROJ_GEN.R002C0DCS23
e862f106ed8e737549ed2daa95e5b8d53ed50f87  				TROJ_GEN.R002C0PFK23
2a85cdfb1c3434d73ece7fe60d6d2d5c9b7667dd  				Troj.Win32.TRX.XXPE50FFF068
d883be0ee79dec26ef8c04e0e2857a516cff050c  				TROJ.Win32.TRX.XXPE50FLM011
a0f1a8462cb9105660af2d4240e37a27b5a9afad  				Ransom.Win32.BLACKCAT.SMYPCC5
ab0eade9b8d24b09e32aa85f78a51b777861debc  				Ransom.Win32.BLACKCAT.SMYPCC5
0cc0e1cbf4923d2ce7179064c244fe138dcb3ce8  				Ransom.Win32.BLACKCAT.SMYPCC5
3789a218c966f175067242975e1cb44abdef81ec  				Ransom.Win32.BLACKCAT.SMYPCC5
83c5f8821f9a07e0318beaa4bcf0b7ef21127aa8  				Ransom.Win32.BLACKCAT.SMYPCC5
08f63693bb40504b71fe3e4e4d9e7142c011aeb1  				Ransom.Win32.BLACKCAT.SMYPCC5
b34bb1395199c7b168d9204833fdfd13d542706d  				Ransom.Win32.BLACKCAT.SMYPCC5
5c6aa1a5bd7572ac8e91eaa5c9d6096f302f775b  				Ransom.Win32.BLACKCAT.SMYPCC5
9480a79b0b6f164b1148c56f43f3d505ee0b7ef3  				Ransom.Win32.BLACKCAT.SMYPCC5
7874d722a6dbaef9e5f9622d495f74957da358da  				Ransom.Win32.BLACKCAT.SMYPCC5
9b1ebbe03949e0c16338595b1772befe276cd10d  				Ransom.Win32.BLACKCAT.SMYPCC5
801950ed376642e537466795f92b04e13a4fcc2a  				Ransom.Win32.BLACKCAT.SMYPCC5
1ca4e3fdcdf8a9ab095cfa0629750868eb955eb7  				Ransom.Win32.BLACKCAT.SMYPCC5
42920e4d15428d4e7a8f52ae703231bdf0aec241  				Ransom.Win32.BLACKCAT.SMYPCC5
06e3f86369046856b56d47f45ea2f7cf8e240ac5  				Ransom.Win32.BLACKCAT.SMYPCC5
f42e97901a1a3b87b4f326cb9e6cbdb98652d900  				Ransom.Win32.BLACKCAT.SMYPCC5
d125c4f82e0bbf369caf1be524250674a603435c  				Ransom.Win32.BLACKCAT.SMYPCC5
03d7bc24d828abaf1a237b3f418517fada8ae64f  				Ransom.Win32.BLACKCAT.SMYPCC5
c133992ea87f83366e4af5401a341365190df4e7  				Ransom.Win32.BLACKCAT.SMYXCCN.note
b35be51d727d8b6f8132850f0d044b838fec001d  				Ransom.Win32.BLACKCAT.SMYXCCN.note
fd84cf245f7a60c38ac7c92e36458c5ea4680809  				Ransom.Win32.BLACKCAT.SMYXCCN.note
946c0a0c613c8ac959d94bb2fd152c138fc752da  				Ransom.Win32.BLACKCAT.SMYXCCN.note
7b3051f8d09d53e7c5bc901262f5822f1999caae  				Ransom.Win32.BLACKCAT.SMYXCCN.note
eeff22b4a442293bf0f5ef05154e8d4c7a603005  				Ransom.Win32.BLACKCAT.SMYXCCN.note
2547d2deedc385f7557d5301c19413e1cbf58cf8  				Ransom.Win32.BLACKCAT.SMYXCCN.note
0437f84967de62d8959b89d28a56e40247b595d8  				Ransom.Win32.BLACKCAT.SMYXCCN.note
105d33c00847ccd0fb230f4a7457e8ab6fb035fc  				Ransom.Win32.BLACKCAT.SMYXCCN.note
5831b3a830690c603fd093329dce93b9a7e83ad3  				Ransom.Win32.BLACKCAT.SMYXCCN.note
a5c164b734a8b61d8af70257e23d16843a4c72e3  				Ransom.Win32.BLACKCAT.SMYXCCN.note
1aff9fd8fdc0eae3c09a3ee6b4df2cdb24306498  				Ransom.Win32.BLACKCAT.SMYXCCN.note
3d4051c65d1b5614af737cb72290ec15b71b75bd  				Ransom.Win32.BLACKCAT.SMYXCCN.note
a116ef48119c542a2d864f41dbbb66e18d5cd4e6  				Ransom.Win32.BLACKCAT.SMYXCCN.note
508e7522db24cca4913aeed8218975c539d3b0a4  				Ransom.Win32.BLACKCAT.SMYXCCN.note
72603dadebc12de4daf2e12d28059c4a3dcf60d0  				Ransom.Win32.BLACKCAT.SMYXCCN.note
930bd974a2d01393636fdb91ca9ac53256ff6690  				Ransom.Win32.BLACKCAT.SMYXCCN.note
a9a03d39705bd1d31563d7a513a170c99f724923  				Ransom.Win32.BLACKCAT.SMYXCCN.note
c14bd9ad77d8beca07fb17dc34f8a5f636e621b5  				Ransom.Win32.BLACKCAT.SMYXCCN.note
01b122eb0edb6274b3743458e375e34126fd2f9a  				Ransom.Win32.BLACKCAT.SMYXCCN.note
b98bb7b4c3b823527790cb62e26d14d34d3e499b  				Ransom.Win32.BLACKCAT.SMYXCCN.note
381058a5075ce06605350172e72c362786e8c5e3  				Ransom.Win32.BLACKCAT.SMYXCCN.note
75e9d507b1a1606a3647fe182c4ed3a153cecc2c  				Ransom.Win32.BLACKCAT.SMYXCCN.note
cd485054625ea8ec5cf1fe0e1f11ede2e23dde00  				Ransom.Win32.BLACKCAT.SMYXCCN.note
c9cdfdc45b04cca45b64fedca7c372f73b42cab2  				Ransom.Win32.BLACKCAT.SMYXCCN.note
31d4dadd11fe52024b1787a20b56700e7fd257f8  				Ransom.Win32.BLACKCAT.SMYXCCN.note
0fe306dc12ba6441ba2a5cab1b9d26638c292f9c  				Ransom.Win32.BLACKCAT.SMYXCCN.note
bc0fb6b220045f54d34331345d1302f9a00b3580  				Ransom.Win32.BLACKCAT.SMYXCCN.note
b4f59fe2ee3435b9292954d1c3ef7e74c233abea  				Ransom.Win32.BLACKCAT.SMYXCCN.note
aee0b252334b47a6e382ce2e01de9191de2e6a7a  				Ransom.Win32.BLACKCAT.SMYXCCN.note
92673b91d2c86309f321ade6a86f0c9e632346d8  				Ransom.Win32.BLACKCAT.SMYXCCN.note
de7fb8efa05ddf5f21a65e940717626b1c3d6cb4  				Ransom.Win32.BLACKCAT.SMYXCCN.note
5f455dcdca66df9041899708289950519971bb76  				Ransom.Win32.BLACKCAT.SMYXCCN.note
5ed1b9810ee12d2b9b358dd09c6822588bbb4a83  				Ransom.Win32.BLACKCAT.SMYXCCN.note
c779a4a98925bc2f7feac91c1867a3f955462fc2  				Ransom.Win32.BLACKCAT.SMYXCCN.note
cb358aa4ed50db8270f3ee7ea5848b8c16fa21fe  				Ransom.Win32.BLACKCAT.SMYXCCN.note
5ec6b30dacfced696c0145a373404e63763c2fa8  				Ransom.Win32.BLACKCAT.SMYXCCN.note
f2f5137c28416f76f9f4b131f85252f8273baee8  				Ransom.Win32.BLACKCAT.SMYXCCN.note
12534212c7d4b3e4262edc9dc2a82c98c2121d04  				Ransom.Win32.BLACKCAT.SMYXCCN.note
bc09ee8b42ac3f6107ab5b51a2581a9161e53925  				Ransom.Win32.BLACKCAT.SMYXCCN.note
152400be759355ec8dd622ec182c29ce316eabb1  				Ransom.Win32.BLACKCAT.SMYXCCN.note
379e497d0574fd4e612339440b603f380093655c  				Ransom.Win32.BLACKCAT.SMYXCCN.note
141c7b9be4445c1aad70ec35ae3fe02f5f8d37ac  				Ransom.Win32.BLACKCAT.SMYXCCN.note
27e9e6a54d73dcb28b5c7dfb4e2e05aaba913995  				Ransom.Win32.BLACKCAT.SMYXCCN.note
ad981cd18f58e12db7c9da661181f6eb9a1754f3  				Ransom.Win32.BLACKCAT.SMYXCCN.note
4829eaa38bd061773ceefe175938a2c0d75a75f3  				Ransom.Win32.BLACKCAT.SMYXCCN.note
b0d61d1eba9ebf6b7eabcd62b70936d1a343178e  				Ransom.Win32.BLACKCAT.SMYXCCN.note
014c277113c4b8c4605cb91b29302cdedbc2044e  				Ransom.Win32.BLACKCAT.SMYXCCN.note
974c1684cf0f3a46af12ba61836e4c161fd48cb5  				Ransom.Win32.BLACKCAT.SMYXCCN.note
913414069259e760e201d0520ce35fe22cf3c285  				Ransom.Win32.BLACKCAT.SMYXCCN.note

[+] Network IOCs
Distribution URLs
https://cuororeresteadntno.com/how-to-work-with-ftp-ftps-connection-through-winscp/ = 78. Malware Accomplice
https://airplexacrepair.com/the-key-to-secure-remote-desktop-connections-a-comprehensive-guide/ = 78. Malware Accomplice
https://maker-events.com/automating-file-transfers-with-winscp/ = 78. Malware Accomplice

Redirects Domains:
https://winsccp.com/WLPuVHrN = 79. Disease Vector
https://anydeesk.net = 79. Disease Vector

Payload Download
https://events.drdivyaclinic.com/wp-content/task/update/WinSCP-5.21.8-Setup.iso = 79. Disease Vector
https://www.4shared.com/web/directDownload/wd0Bbaw6jq/gx1qdBDA.ab8ba6f7d1af2d0a5d81cf42aefe8e51 = 79. Disease Vector
https://www.yb-lawyers.com/wp-content/ter/anyconnect/AnyDesk.iso = 79. Disease Vector
https://mm.onemakan.ml//wp/wp-content/winscp/smart/WinSCP-5.21.8-Setup.iso = 79. Disease Vector

IPs AnyDesk.iso:
104.234.11.236 = 78. Malware Accomplice
157.254.195.108 = 78. Malware Accomplice

IPs WinSCP-5.21.8-Setup.iso:
157.254.195.83 = 78. Malware Accomplice

COBEACON C2: 
167.88.164.141 = 91. C&C Server
https://167.88.164.40/python/pp2 = 91. C&C Server
https://172.86.123.127:8443/work2z = 91. C&C Server
https://172.86.123.127:8443/work2
https://172.86.123.226:8443/work3z = 91. C&C Server
https://172.86.123.226:8443/work3
https://193.42.32.58:8443/work2z = 91. C&C Server
https://193.42.32.58/python/pp
https://193.42.32.58:8443/zakrep
https://104.234.147.134/python/pp3.py = 91. C&C Server
http://45.12.253.50:447/work2
https://45.66.230.240/python/pp3.py = 91. C&C Server
https://45.66.230.240:8443/work1
http://45.66.230.240/python/pp
https://firstclassbale.com/python/pp3.py = 91. C&C Server

Other COBEACON C2 Using the Same Watermark (587247372)
104.234.11.226 = 91. C&C Server
104.234.11.236
141.98.6.56 = 91. C&C Server
166.0.95.43 = 91. C&C Server
167.88.164.91 = 91. C&C Server
193.42.32.143 = 91. C&C Server
45.12.253.51 = 91. C&C Server
45.12.253.50
45.66.230.215 = 91. C&C Server
45.81.39.175 = 91. C&C Server
45.81.39.176 = 91. C&C Server
84.54.50.116 = 91. C&C Server
85.217.144.233
aleagroupdevelopment.com = 91. C&C Server
azurecloudup.online = 91. C&C Server
cloudupdateservice.online = 91. C&C Server
devnetapp.com = 91. C&C Server
situotech.com = 91. C&C Server

URLs accessed by Trojan.BAT.COBEACON.AO.dldr
http://104.234.147.134/python/python.zip
https://167.88.164.40/python/python.zip = 79. Disease Vector
http://172.86.123.226/python/python.zip = 79. Disease Vector
https://45.66.230.240/python/python.zip
https://closeyoueyes.com/python/python.zip
https://firstclassbale.com/python/python.zip
https://167.88.164.40/python/unzip.bat = 79. Disease Vector
http://172.86.123.226/python/unzip.bat = 79. Disease Vector
http://104.234.147.134/python/unzip.bat
https://45.66.230.240/python/unzip.bat
https://closeyoueyes.com/python/unzip.bat
https://firstclassbale.com/python/unzip.bat
https://167.88.164.40/python/pp3.py = 79. Disease Vector
http://172.86.123.226/python/pp3.py = 79. Disease Vector
ccloseyoueyes.com/python/pp3.py
http:////bigallpack.com/union/desktop