In late April, developers of TrickBot used a new stealthy backdoor in a phishing campaign targeted at professional services, healthcare, manufacturing, IT, logistics, and travel companies across the United States and Europe. Many advanced threat actors including the infamous Lazarus APT use TrickBot’s services, and malware authors not only improve well-known tools like the Anchor malware framework but also create new ones such as Bazar Loader (aka BazarBackdoor or Team9 Backdoor).
Adversaries mostly use Bazar Loader to gain a foothold in compromised enterprise networks. The researchers named this malware strain after its C&C domains, which use the top-level domain .bazar. This TLD is provided by EmerDNS, a peer-to-peer decentralized domain name system in OpenNIC, so it will be very difficult, if not impossible, for law enforcement to take over these domains. In early versions of Bazar Loader, TrickBot authors used a handful of hard-coded domains such as bestgame.bazar, forgame.bazar or newgame.bazar, but a recently discovered sample tries algorithmically generated domains.
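Because .bazar is served only through EmerDNS/OpenNIC and is not an ICANN-delegated TLD, any query for it from a host using a normal corporate resolver is anomalous on its own, whether the label is one of the hard-coded domains above or an algorithmically generated one. The following Python script is an added example, not code from the post or from SOC Prime; it runs over a few constructed DNS log lines in an assumed "timestamp client query rcode" format, classifies the hard-coded domains named in the post as known C&C indicators and any other .bazar query as a possible DGA domain, and counts hits per client so that a host cycling through many generated names stands out.

```python
"""Flag DNS queries for the EmerDNS/OpenNIC .bazar TLD used by Bazar Loader C&C.

Added example (not SOC Prime's code, not the malware's). The log format
"<timestamp> <client_ip> <query_name> <rcode>" is an assumption for this example.
"""
import re
from collections import defaultdict

# Hard-coded C&C domains named in the post (early Bazar Loader samples).
KNOWN_BAZAR_DOMAINS = {"bestgame.bazar", "forgame.bazar", "newgame.bazar"}

# .bazar is an EmerDNS TLD resolved via OpenNIC, not an ICANN root zone, so a
# query ending in ".bazar" is suspicious regardless of the label in front of it.
# A standard resolver will typically answer such queries with NXDOMAIN.
BAZAR_RE = re.compile(r"^(?:[a-z0-9-]+\.)+bazar$", re.IGNORECASE)

# Constructed sample log lines for this example (the generated label is made up).
SAMPLE_DNS_LOG = """\
2020-04-28T10:01:12Z 10.0.5.21 login.microsoftonline.com NOERROR
2020-04-28T10:01:15Z 10.0.5.21 bestgame.bazar NXDOMAIN
2020-04-28T10:01:16Z 10.0.5.21 forgame.bazar NXDOMAIN
2020-04-28T10:02:40Z 10.0.7.88 www.example.com NOERROR
2020-04-28T10:03:01Z 10.0.5.21 k7dqz3p.bazar NXDOMAIN
2020-04-28T10:03:02Z 10.0.5.21 bazar.example.org NOERROR
"""


def parse_line(line):
    """Split one log line into (timestamp, client, qname, rcode); None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, rcode = parts
    # Normalise: strip a trailing root dot and lower-case the name.
    return ts, client, qname.rstrip(".").lower(), rcode


def classify(qname):
    """Return 'known_c2', 'possible_dga', or None for a normalised query name."""
    if not BAZAR_RE.match(qname):
        return None
    if qname in KNOWN_BAZAR_DOMAINS:
        return "known_c2"
    return "possible_dga"


def scan_dns_log(text):
    """Return (timestamp, client, qname, verdict) for every .bazar query in the log."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, qname, _rcode = rec
        verdict = classify(qname)
        if verdict:
            hits.append((ts, client, qname, verdict))
    return hits


def hosts_by_query_count(hits):
    """Count .bazar queries per client; many in a short window suggests DGA beaconing."""
    counts = defaultdict(int)
    for _ts, client, _qname, _verdict in hits:
        counts[client] += 1
    return dict(counts)


if __name__ == "__main__":
    found = scan_dns_log(SAMPLE_DNS_LOG)
    for hit in found:
        print(hit)
    print(hosts_by_query_count(found))
```

Note that "bazar.example.org" is deliberately not flagged: the check is on the TLD, not on the string "bazar" appearing anywhere in the name, which keeps the rule from firing on ordinary hostnames. In a real deployment the same classification would be applied to the resolver's query log or to Zeek/Suricata DNS records rather than to the constructed lines above.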
Ariel Millahuel released a new community threat hunting Sigma rule to detect the malicious activity of Bazar Loader in organizations’ networks: https://tdm.socprime.com/tdm/info/QDvyH85txiBA/4gdopHMBPeJ4_8xcJWjN/
The rule has translations for the following platforms:
SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio
EDR: Microsoft Defender ATP, Carbon Black, Elastic Endpoint
Techniques: Command-Line Interface (T1059)
We also want to draw your attention to a couple of exclusive rules released by the SOC Prime Team to detect this malware:
Team9/Bazar scheduled task name (via audit) – https://tdm.socprime.com/tdm/info/efOdljfHf6Qk/THlyvHIBPeJ4_8xcOJZg/
Team9/Bazar batch filename pattern (via cmdline) – https://tdm.socprime.com/tdm/info/51onXdAhOkLs/sE9tvHIBSh4W_EKGAAjz/