Stolen Images Evidence campaign pushes Sliver-based malware
The “Stolen Images Evidence” campaign delivers its lure through contact forms on various websites, so these messages do not arrive through normal spam channels. The attacker submits the target organization’s own contact form, and the resulting message, which describes a supposed copyright violation, is delivered to the intended victim.
These form-submitted messages include a Google-based URL in the message text. The malicious link supposedly leads to proof of the stolen images behind the copyright claim. A second theme used by the same campaign, “DDoS attack Evidence,” operates in the same manner as the “Stolen Images Evidence” activity. In both cases the link pushes a zip archive to the web browser.
Potential victims save the zip archive, open it, and double-click the enclosed JavaScript (.js) file, which Windows runs under the Windows Script Host by default. We covered “Stolen Images Evidence” in a previous diary when it was pushing BazarLoader. Malware pushed by this campaign includes BazarLoader, Gozi/ISFB/Ursnif, and IcedID (Bokbot).
In this infection, a 10 MB malware DLL was saved to the infected user’s AppData\Local\Temp directory.
There was no apparent method of persistence, and rebooting the computer ended this particular infection.
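The chain above (a user double-clicking a .js from an extracted archive, followed by a large DLL landing in AppData\Local\Temp) is easy to hunt for in endpoint telemetry. The script below is an added example, not code from the diary or from the campaign’s own files: it runs two correlated checks over constructed Sysmon-style process-creation and file-creation records. The record schema, the 5 MB size floor, the sample DLL name and the rundll32 child process are assumptions made for the example; the page only says a 10 MB DLL was written to that directory.

```python
"""Hunt for the "Stolen Images Evidence" infection chain in endpoint telemetry.

Added example, not code from the original diary. Input is constructed,
Sysmon-style process-creation (EID 1) and file-creation (EID 11) records;
field names, the size threshold and the decoy events are assumptions.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class ProcEvent:
    """Process creation: who ran what, from where (constructed schema)."""
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str    # full command line
    user: str


@dataclass(frozen=True)
class FileEvent:
    """File creation: which process wrote which file (constructed schema)."""
    pid: int
    path: str
    size: int       # bytes


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # what a double-clicked .js runs under
# Directories a browser-delivered archive is typically saved to and extracted in.
USER_WRITABLE = re.compile(r"\\(?:downloads|appdata\\local\\temp)\\", re.I)
JS_ARG = re.compile(r'"([^"]+\.js)"|(\S+\.js)\b', re.I)
TEMP_DLL = re.compile(r"\\appdata\\local\\temp\\[^\\]+\.dll$", re.I)
# The diary saw a ~10 MB DLL; the 5 MB floor is an assumption to cut installer noise.
DLL_MIN_BYTES = 5 * 1024 * 1024


def js_path_from_cmdline(cmdline: str) -> str:
    """Return the .js argument of a script-host command line, or '' if none."""
    m = JS_ARG.search(cmdline)
    return (m.group(1) or m.group(2)) if m else ""


def find_script_host_launches(procs: Iterable[ProcEvent]) -> List[ProcEvent]:
    """Stage 1: a script host launched with a .js from a user-writable directory."""
    hits = []
    for p in procs:
        if ntpath.basename(p.image).lower() not in SCRIPT_HOSTS:
            continue
        js = js_path_from_cmdline(p.cmdline)
        if js and USER_WRITABLE.search(js):
            hits.append(p)
    return hits


def process_tree(procs: Iterable[ProcEvent], root_pid: int) -> Set[int]:
    """All pids descended from root_pid (inclusive), from the creation records."""
    children: Dict[int, List[int]] = {}
    for p in procs:
        children.setdefault(p.ppid, []).append(p.pid)
    seen, stack = set(), [root_pid]
    while stack:
        pid = stack.pop()
        if pid not in seen:
            seen.add(pid)
            stack.extend(children.get(pid, []))
    return seen


def find_temp_dll_drops(files: Iterable[FileEvent], pids: Set[int]) -> List[FileEvent]:
    """Stage 2: a large DLL written under %LOCALAPPDATA%\\Temp by the script-host tree."""
    return [f for f in files
            if f.pid in pids and f.size >= DLL_MIN_BYTES and TEMP_DLL.search(f.path)]


def hunt(procs: List[ProcEvent], files: List[FileEvent]) -> List[dict]:
    """Correlate both stages; one finding per suspicious script-host launch."""
    findings = []
    for host in find_script_host_launches(procs):
        dlls = find_temp_dll_drops(files, process_tree(procs, host.pid))
        findings.append({
            "user": host.user,
            "script": js_path_from_cmdline(host.cmdline),
            "host_pid": host.pid,
            "dropped_dlls": [f.path for f in dlls],
            # Both stages together are the diary's chain; stage 1 alone still merits triage.
            "severity": "high" if dlls else "medium",
        })
    return findings


# Constructed sample telemetry: one infection chain plus benign decoys.
SAMPLE_PROCS = [
    ProcEvent(1000, 900, r"C:\Windows\explorer.exe", "explorer.exe", "CORP\\alice"),
    ProcEvent(2000, 1000, r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Stolen Images Evidence\Stolen Images Evidence.js"',
              "CORP\\alice"),
    # Assumed follow-on loader; the diary does not say how the DLL was executed.
    ProcEvent(2100, 2000, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Users\alice\AppData\Local\Temp\sample.dll,DllMain", "CORP\\alice"),
    # Benign: logon script from a network share, not a user-writable path.
    ProcEvent(3000, 500, r"C:\Windows\System32\cscript.exe",
              r"cscript.exe //B \\corp\netlogon\logon.js", "CORP\\bob"),
]
SAMPLE_FILES = [
    FileEvent(2000, r"C:\Users\alice\AppData\Local\Temp\sample.dll", 10 * 1024 * 1024),
    # Benign decoy: small helper DLL unpacked by an unrelated installer process.
    FileEvent(4000, r"C:\Users\alice\AppData\Local\Temp\setup_helper.dll", 200 * 1024),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_PROCS, SAMPLE_FILES):
        print(finding)
```

Because the diary notes no persistence mechanism, the file-creation record is the durable artifact; a reboot removes the running implant but not the evidence of the DLL write, so the stage-2 check remains useful even after the host has been restarted.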