This fall has brought another challenge to the guardians of corporate infrastructures. Earlier this year, in late April, developers of TrickBot used a new stealthy backdoor in a phishing campaign targeted at professional services, healthcare, manufacturing, IT, logistics, and travel companies across the United States and Europe. Many advanced threat actors including the infamous Lazarus APT use TrickBot’s services, and malware authors not only improve well-known tools like the Anchor malware framework but also create new ones such as Bazar Loader (aka BazarBackdoor or Team9 Backdoor).
Recently, the Bazar loader was observed delivering Ryuk ransomware to high-value targets. Based on reported incident response cases, researchers say the malware achieves its goals largely thanks to its stealth and obfuscation capabilities. In their recent activity, the hackers adopted code signing with certificates, a practice popular among APT groups, adjusted their phishing attacks, and extended their malicious toolkit. The latest attacks show that the hackers exploit pressing pain points of victim companies’ employees to achieve their goals.
Bazar loader malware uptick
Bazar is a malicious loader that hackers use to infect victims’ machines and then collect sensitive data. This new advanced malware strain also has backdoor functionality for delivering additional malware. Adversaries mostly use Bazar Loader to gain a foothold in compromised enterprise networks. The researchers named this malware strain after its C&C domains, which use the top-level domain .bazar. This TLD is provided by EmerDNS, a peer-to-peer decentralized domain name system within OpenNIC, and it will be very difficult, if not impossible, for law enforcement to take over these domains. Early versions of BazarLoader used a handful of hard-coded domains such as bestgame.bazar, forgame.bazar or newgame.bazar, but a recently discovered sample tries algorithmically generated domains.
Bazar Loader and Backdoor Capabilities
The TrickBot hackers have refined their toolset for the recent campaign. Using the SendGrid email platform, they reached out to personnel of the targeted organization with a phishing email that looked like an official letter from a Human Resources representative about employment termination. The phishing message lures the victim into following a link to an attached Google document with details of the fake dismissal. Following the link redirects the victim to a URL that delivers the Bazar loader, or sometimes the Buer loader. In the next step, the Bazar backdoor is downloaded.
The researchers also noted that the backdoor delivers the Cobalt Strike toolkit, which lets the hackers exploit the weaknesses of the compromised corporate networks for their own benefit, as well as sell the access they obtain as a commodity.
The malware aims to avoid any possible detection and removes itself from the system after successfully compromising the victim.
Bazar Loader attack detection
Active members of the SOC Prime Threat Bounty Program have published community Sigma rules for detecting Bazar Loader malicious activity.
Emanuele De Lucia released the Sigma rule “Detects Wizard Spider / Ryuk ransomware implants through CnC beaconing”.
Osman Demir also published the “Ryuk and BazarBackdoor” Sigma rule to spot the latest strain of the Bazar attack.
Earlier, Ariel Millahuel released a new community threat hunting Sigma rule to detect malicious Bazar Loader activity in organizations’ networks: https://tdm.socprime.com/tdm/info/QDvyH85txiBA/4gdopHMBPeJ4_8xcJWjN/
The rule has translations for the following platforms:
SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio
EDR: Microsoft Defender ATP, Carbon Black, Elastic Endpoint
Techniques: Command-Line Interface (T1059)
We also want to draw your attention to a couple of exclusive rules released by the SOC Prime Team to detect this malware:
Team9/Bazar scheduled task name (via audit) – https://tdm.socprime.com/tdm/info/efOdljfHf6Qk/THlyvHIBPeJ4_8xcOJZg/
Team9/Bazar batch filename pattern (via cmdline) – https://tdm.socprime.com/tdm/info/51onXdAhOkLs/sE9tvHIBSh4W_EKGAAjz/
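As an added example that is not part of the original post or of the SOC Prime rules above, the following Python complements those rules on the DNS side: it flags resolver queries for the .bazar TLD described in the loader section, separating the hard-coded names quoted there from DGA-like labels. The log format, the sample lines and the entropy threshold are constructed assumptions.

```python
import math
import re
from collections import Counter

# Constructed resolver log lines (not from the original post); assumed format:
# "<timestamp> <client> <qtype> <qname>".
SAMPLE_DNS_LOG = """\
2020-10-05T12:00:01Z ws-101 A www.example.com
2020-10-05T12:00:03Z ws-101 A bestgame.bazar
2020-10-05T12:00:04Z ws-101 A forgame.bazar
2020-10-05T12:01:10Z ws-207 A kx7q2ztw9p.bazar
2020-10-05T12:01:11Z ws-207 A 4hbd0v2ls1.bazar
2020-10-05T12:01:15Z ws-310 A mail.example.com
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

# Hard-coded C&C names quoted in the post; other .bazar names may be DGA output.
KNOWN_BAZAR_HOSTS = {"bestgame.bazar", "forgame.bazar", "newgame.bazar"}
DGA_ENTROPY_THRESHOLD = 3.0  # assumed tuning value, in bits per character

def shannon_entropy(label):
    # Random-looking DGA labels score higher than dictionary words.
    counts, n = Counter(label), len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def classify_bazar_query(qname):
    # .bazar is an OpenNIC/EmerDNS TLD, not an ICANN one, so a corporate host
    # should never ask for it: the TLD alone is the alert, the label refines it.
    qname = qname.lower().rstrip(".")
    if not qname.endswith(".bazar"):
        return None
    if qname in KNOWN_BAZAR_HOSTS:
        return "known-bazar-c2"
    if shannon_entropy(qname.split(".")[-2]) > DGA_ENTROPY_THRESHOLD:
        return "bazar-dga-like"
    return "bazar-unknown"

def flag_bazar_queries(log_text):
    # Return (client, qname, verdict) for every .bazar query in the log text.
    hits = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip lines that do not fit the assumed format
        _ts, client, _qtype, qname = match.groups()
        verdict = classify_bazar_query(qname)
        if verdict:
            hits.append((client, qname.lower().rstrip("."), verdict))
    return hits
```

Run against the constructed log, `flag_bazar_queries(SAMPLE_DNS_LOG)` reports the two hard-coded names from ws-101 and two DGA-like names from ws-207, while the example.com queries are ignored.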