Bazar malware is now being linked to Trickbot banking trojan campaigns

riviTMedia Research
Last updated: 2023/10/24 at 4:23 PM
A strain of malware loader dubbed Bazar, which can be used to deploy additional malware and exfiltrate data, has begun targeting healthcare, manufacturing, IT, logistics and professional services companies across the United States and Europe, according to the Cybereason Nocturnus threat research team.

Bazar first emerged in April 2020 and is distributed through phishing emails whose lures are built around topics such as the COVID-19 pandemic. It appears to have ties to earlier Trickbot campaigns, since it is delivered through a similar infection chain and reuses associated domains.

After the loader establishes an initial foothold in the target environment, the backdoor sets up persistence, letting the operators deploy additional payloads such as ransomware and post-exploitation frameworks such as Cobalt Strike, steal data, and execute remote commands.

The Cybereason Nocturnus team reports that it has found many different versions of Bazar in circulation, suggesting it is actively developed and updated by its creators, who they believe are based in Russia.

Bazar is focused on evasion and persistence. Its authors appear to be testing several versions of the malware and hide the final payload by executing it in a separate process. To further avoid detection, the Bazar loader and backdoor use a network callback scheme that differs from earlier Trickbot-related malware.

The Nocturnus team also reports that Bazar was first seen in April 2020 and then disappeared for almost two months until a new version surfaced in June. This demonstrates that the malware's creators took that time to improve their code and make Bazar harder to deal with.

Among other details, some of the original version's more detectable features were changed: strings that had previously been hardcoded were reworked, and the known shellcode decryption routine was modified. Cybereason says that while Bazar is still in development, its evolution suggests the rise of a "formidable" new threat in the near future.
