
BazarLoader: A Malware With Nastiest Tricks

Origin: April 2020

Alias: BazarLoader, BeerBot, Kegtap, Team9Backdoor, BazarBackdoor

Infection Vectors: Spam Emails, Phishing

Targeted Sectors: Information Technology, Entertainment, Healthcare, Manufacturing, Logistics, Travel, Professional services

Targeted Regions: Eastern and Western Europe, North America

Motive: Data theft

Threat Level: Very high


Introduction

BazarLoader, written in C++, was first discovered in April 2020. The malware loader has been continuously evolving with unique modules that allow its operators to deploy additional malware and ransomware and to steal sensitive data. The distribution and post-exploitation activities of the loader are akin to those of the Trickbot malware. The malware is named BazarLoader because it uses Blockchain-DNS and Bazar domains to communicate with its controllers. The names Baza and BazarLoader are often used interchangeably for this malware family.

Infection vector/The Timeline 

BazarLoader is known to spread via phishing emails that purport to stem from legitimate sources. For instance, a malicious email may be disguised as payroll reports or lists of terminated employees. Clicking on the malicious link to documents can redirect the targeted victim to malicious landing pages resembling Excel sheets, PDF, or Word documents. In April 2020, a campaign was discovered using customer complaints as a lure to trick victims into clicking on malicious links.

In October 2020, the BazarLoader operators were spotted delivering the infamous Ryuk ransomware aimed at high-value targets. In one such campaign, the operators behind BazarLoader were seen deploying a Cobalt Strike beacon to obtain remote access. This access was then used to install post-exploitation tools, such as BloodHound and LaZagne, for mapping a Windows domain and extracting credentials. The same month, Baza operators came up with another phishing campaign taking advantage of people’s curiosity about President Trump being infected by COVID-19. The campaign targeted hundreds of organizations in the U.S. and Canada. In yet another event, attackers exploited the Zerologon vulnerability (CVE-2020-1472) at Basecamp as part of malicious phishing campaigns and obtained access to the primary domain controller. The next month, BazarLoader attackers abused Google's free productivity tools and services to steal credentials or fool users into installing malware.

After being in hibernation for almost three months, the malware returned in March this year. This time, the BazarLoader operators collaborated with underground call centers to manipulate victims. The actors used lures related to offers, free trials, and subscriptions to IT, medical or other financial services in email spam campaigns, encouraging recipients to call a phone number. Intel471 revealed in a report in April that cybercriminals have been increasingly using a malicious document builder, called EtterSilent, that is sold in the underground marketplace. According to experts, the BazarLoader team had used the malware builder to exploit the CVE-2017-8570 vulnerability on March 19. Furthermore, BazarLoader used several business-themed social engineering tricks, targeting employees of large-scale organizations via the Slack and Basecamp platforms. The phishing emails claimed to enclose important information related to contracts, invoices, customer service, or payroll.

In another campaign, they created a fake movie streaming service, BravoMovies, with phony movie titles as a landing page, which could install the BazarLoader malware. In July, the attackers were found using nested archives (RAR and Zip) to bypass the Secure Email Gateways (SEGs) and deliver BazarBackdoor.
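The nested-archive delivery described above works against gateways that unpack only the outermost layer. The following is an added example, not code from the original post or from any gateway product: a recursive ZIP inspection with a depth limit and a size limit. The extension list, the limits and the sample file names are assumptions, and the sample archive is constructed and harmless.

```python
import io
import zipfile

MAX_DEPTH = 5                  # assumption: deeper nesting is reported, not unpacked
MAX_MEMBER_BYTES = 20 * 2**20  # assumption: skip members declared larger than 20 MiB
RAR_MAGIC = b"Rar!\x1a\x07"    # prefix shared by the RAR 4 and RAR 5 signatures
RISKY_EXT = (".exe", ".dll", ".js", ".vbs", ".lnk", ".xlsb", ".docm")  # illustrative

def inspect_archive(data, path="attachment", depth=1, findings=None):
    """Walk ZIP-in-ZIP layers; return (member path, depth, reason) tuples."""
    findings = [] if findings is None else findings
    if depth > MAX_DEPTH:
        findings.append((path, depth, "nesting limit exceeded"))
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings.append((path, depth, "malformed archive"))
        return findings
    with zf:
        for info in zf.infolist():
            member = f"{path}/{info.filename}"
            if info.flag_bits & 0x1:  # bit 0 of the general-purpose flags
                findings.append((member, depth, "encrypted member, not inspected"))
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append((member, depth, "declared size over limit"))
                continue
            body = zf.read(info)
            if info.filename.lower().endswith(RISKY_EXT):
                findings.append((member, depth, "risky file type"))
            elif zipfile.is_zipfile(io.BytesIO(body)):
                inspect_archive(body, member, depth + 1, findings)
            elif body.startswith(RAR_MAGIC):
                # The standard library cannot open RAR; hand it to a tool that can.
                findings.append((member, depth, "nested RAR, needs external unpacker"))
    return findings

def build_sample():
    """Constructed sample: outer ZIP > inner.zip > report.exe (plain text bytes)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("report.exe", b"constructed placeholder, not a program")
        zf.writestr("notes.txt", b"hello")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("inner.zip", inner.getvalue())
        zf.writestr("more.rar", RAR_MAGIC + b"\x00constructed")
    return outer.getvalue()

if __name__ == "__main__":
    for finding in inspect_archive(build_sample()):
        print(finding)
```

A scan limited to the first layer would see only `inner.zip` and `more.rar`; the depth value in each finding shows how far down the flagged member sits.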

Ties with Trickbot Operators

Experts underlined that BazarLoader malware avoids detection by abusing digital certificates, as previously noticed with the Trickbot and Anchor malware. Various reports have laid out similarities implying a strong connection between these malware actors: similar phishing and decryption tactics, the use of revoked certificates to sign malware, repurposed domains (e.g. machunion[.]com, bakedbuns[.]com), deceptive file icons, and Google Drive previews, to name a few.
  • The use of similar decryption routines in the Bazar and Trickbot loaders, such as the same custom RC4 implementation, WinAPIs, and API-Hammering, has been observed in separate campaigns.
  • The reuse of compromised domains to host BazarLoaders that previously served Trickbot loaders provides more hints on their connection. A domain, ruths-brownies[.]com, was employed in the Trickbot campaign in January, which later hosted BazarLoader in April 2020.
  • The backdoor C2 in either campaign case has instances of the .bazar domain, which altogether establishes a strong connection between the two groups.
  • Notably, the Emercoin (.bazar) domain has been used in Trickbot infections spreading Anchor malware since December 2019.
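Because `.bazar` is an Emercoin name rather than a TLD delegated in the ICANN root, any endpoint lookup for it is worth triage. The following is an added detection example, not code from the original post: it scans DNS query records for `.bazar` lookups and ranks the clients. The five-field log format, the sanctioned-resolver list and every name and address in the sample are constructed assumptions.

```python
from collections import defaultdict

# TLD named on this page as Emercoin-backed; not delegated in the ICANN root.
BLOCKCHAIN_TLDS = {"bazar"}
# Assumption: the only resolver that endpoints are allowed to use.
SANCTIONED_RESOLVERS = {"10.0.0.53"}

# Constructed sample from an egress DNS sensor:
# "<time> <client> <resolver> <query name> <rcode>"
SAMPLE_LOG = """\
2021-08-12T09:14:02Z 10.0.4.17 10.0.0.53 www.example.com. NOERROR
2021-08-12T09:14:05Z 10.0.4.17 10.0.0.53 placeholder-one.bazar. NXDOMAIN
2021-08-12T09:14:35Z 10.0.4.17 203.0.113.53 Placeholder-One.BAZAR NOERROR
2021-08-12T09:15:10Z 10.0.9.3 10.0.0.53 bazar.example.org. NOERROR
2021-08-12T09:16:41Z 10.0.4.22 10.0.0.53 placeholder-two[.]bazar NXDOMAIN
truncated line
"""

def normalise(qname):
    """Lower-case, refang '[.]' and drop the trailing root dot."""
    return qname.replace("[.]", ".").lower().rstrip(".")

def find_blockchain_dns(log_text, tlds=BLOCKCHAIN_TLDS,
                        sanctioned=SANCTIONED_RESOLVERS):
    """Group blockchain-TLD lookups by client; answered or off-policy ones first."""
    per_client = defaultdict(lambda: {"names": set(), "queries": 0,
                                      "rogue_resolvers": set(), "resolved": False})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # not in the assumed five-field format
        _ts, client, resolver, qname, rcode = parts
        name = normalise(qname)
        # Compare the last label only, so bazar.example.org is not flagged.
        if name.rsplit(".", 1)[-1] not in tlds:
            continue
        hit = per_client[client]
        hit["names"].add(name)
        hit["queries"] += 1
        if resolver not in sanctioned:
            hit["rogue_resolvers"].add(resolver)
        if rcode == "NOERROR":
            hit["resolved"] = True  # something answered for a non-ICANN name

    def priority(item):
        hit = item[1]
        return (not hit["resolved"], not hit["rogue_resolvers"], -hit["queries"])
    return sorted(per_client.items(), key=priority)

if __name__ == "__main__":
    for client, hit in find_blockchain_dns(SAMPLE_LOG):
        print(client, sorted(hit["names"]), hit["queries"],
              sorted(hit["rogue_resolvers"]), hit["resolved"])
```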

Steps to Mitigate the Malware

Successfully preventing BazarBackdoor infections requires a range of technical and organizational measures, such as deploying SEGs and outlining incident response policies. Organizations should focus more on anti-phishing solutions, firewalls to block malicious connections, reliable antimalware with behavioral monitoring, and email gateways to block spam emails at the initial level. At the very least, organization leaders need to conduct information security awareness training for staff at regular intervals and ensure that phishing messages are detected as early as possible.

Conclusion

One must not underestimate the highly sophisticated and advanced BazarLoader malware. The ability of the operators to frequently update their malware with several modifications and their connection with Trickbot operators make this malware more dangerous than others. The operators of BazarLoader have a well-established reputation with the Trickbot malware. Now, they might be planning to engage in a variety of experiments with BazarLoader by leveraging the tricks and techniques they have up their sleeves. This requires organizations to stay vigilant and proactively defend themselves against such threats.

Indicators of Compromise

BazaFlix
Domains
urbancinema[.]net
bravomovies[.]net
bvcinema[.]net

IP

URLs
hxxps://18[.]237[.]242[.]195/g1_262/bt_64_g1_262
hxxp://noise1[.]xyz/campo/n/o

SHA256
9663dc275239aa93ceccedae7a0d54e10def18dd177d231264a323a4175a23d4

BazarCall

SHA256

Mail servers

Email addresses

Fake websites  

Posted on: August 12, 2021

