A strain of malware loader dubbed Bazar, which can be used to deploy additional malware and exfiltrate data, has begun targeting healthcare, manufacturing, IT, logistics and professional services companies across the United States and Europe, according to the Cybereason Nocturnus threat research team.
Bazar initially emerged in April 2020 and is distributed through phishing emails exploiting subjects such as the COVID-19 pandemic. It appears to have ties to previous Trickbot campaigns, as it is being delivered through a similar infection chain and reuses associated domains.
After the loader establishes an initial bridgehead in the target environment, the backdoor establishes persistence, letting the attackers deploy other payloads such as ransomware and post-exploitation frameworks such as CobaltStrike, steal data, and execute remote commands.
The Cybereason Nocturnus team reports that it has found many different versions of Bazar in circulation, suggesting it is actively developed and updated by its creators, who they believe are based in Russia.
Bazar malware is focused on evasion and persistence. The malware authors seem to be testing a few versions of their malware and hiding the final payload by executing it in a separate process. To further avoid detection, the Bazar loader and backdoor use a network callback scheme different from that of previous Trickbot-related malware.
The Nocturnus team also reports that Bazar was first seen in April 2020 and then disappeared for almost two months, until a new version surfaced in June. This demonstrates that the malware’s creators had taken time to improve their code and make Bazar harder to deal with.
Among other changes, some of the original version’s more detectable features were altered: strings that were previously hardcoded were changed, and the known shellcode decryption routine was modified. Cybereason says that while Bazar is still in the development stage, its evolution suggests the rise of a “formidable” new threat in the near future.