Bazar malware is now being linked to Trickbot banking trojan campaigns

riviTMedia Research
Last updated: October 24, 2023 4:23 pm

A strain of malware loader dubbed Bazar, which can be used to deploy additional malware and exfiltrate data, has begun targeting healthcare, manufacturing, IT, logistics and professional services companies across the United States and Europe, according to the Cybereason Nocturnus threat research team.

Bazar initially emerged in April 2020 and is distributed through phishing emails exploiting subjects such as the COVID-19 pandemic. It appears to have ties to previous Trickbot campaigns, as it is being delivered through a similar infection chain and reuses associated domains.

After the loader establishes a bridgehead in the target environment, the backdoor establishes persistence, letting attackers deploy other payloads such as ransomware and post-exploitation frameworks such as Cobalt Strike, steal data and execute remote commands.

The Cybereason Nocturnus team reports that it has found many different versions of Bazar in circulation, suggesting it is actively developed and updated by its creators, who they believe are based in Russia.

Bazar malware is focused on evasion and persistence. The malware authors seem to be testing a few versions of their malware and hiding the final payload while executing it in a separate process. To further avoid detection, the Bazar loader and backdoor use a different network callback scheme from previous versions of Trickbot-related malware.

The Nocturnus team also reports that Bazar was first seen in April of 2020 and then promptly disappeared for a hiatus lasting almost two months until a new version was seen in June. This demonstrates that the malware’s creators had taken time to improve their code to make Bazar harder to deal with.

Among other details, the authors changed some of the original version’s more detectable features, such as strings that were previously hardcoded, and modified the known shellcode decryption routine. Cybereason says that while Bazar is still in the development stage, its evolution suggests the rise of a “formidable” new threat in the near future.
