1. Home
  2. Software
  3. Bazar

Bazar

Bazar is a downloader and backdoor that has been used since at least April 2020, with infections primarily against professional services, healthcare, manufacturing, IT, logistics and travel companies across the US and Europe. Bazar reportedly has ties to TrickBot campaigns and can be used to deploy additional malware, including ransomware, and to steal sensitive data.[1]

ID: S0534
Associated Software: KEGTAP, Team9, Bazaloader
Type: MALWARE
Platforms: Windows
Contributors: Cybereason Nocturnus, @nocturnus
Version: 2.0
Created: 18 November 2020
Last Modified: 04 December 2023

Associated Software Descriptions

Name Description
KEGTAP

[2][3]
Team9

[1][4]
Bazaloader

[5]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1197 BITS任务

Bazar has been downloaded via Windows BITS functionality.[4]
Enterprise T1047 Windows管理规范

Bazar can execute a WMI query to gather information about the installed antivirus engine.[1][6]
Enterprise T1005 从本地系统获取数据

Bazar can retrieve information from the infected machine.[1]
Enterprise T1036 .004 伪装: Masquerade Task or Service

Bazar can create a task named to appear benign.[1]
.005 伪装: Match Legitimate Name or Location

The Bazar loader has named malicious shortcuts "adobe" and mimicked communications software.[1][4][3]
.007 伪装: Double File Extension

The Bazar loader has used dual-extension executable files such as PreviewReport.DOC.exe.[1]
Enterprise T1573 .001 加密通道: Symmetric Cryptography

Bazar can send C2 communications with XOR encryption.[4]
.002 加密通道: Asymmetric Cryptography

Bazar can use TLS in C2 communications.[7]
Enterprise T1568 .002 动态解析: Domain Generation Algorithms

Bazar can implement DGA using the current date as a seed variable.[1]
Enterprise T1140 反混淆/解码文件或信息

Bazar can decrypt downloaded payloads. Bazar also resolves strings and other artifacts at runtime.[1][4]
Enterprise T1547 .001 启动或登录自动启动执行: Registry Run Keys / Startup Folder

Bazar can create or add files to Registry Run Keys to establish persistence.[1][4]
.004 启动或登录自动启动执行: Winlogon Helper DLL

Bazar can use Winlogon Helper DLL to establish persistence.[7]
.009 启动或登录自动启动执行: Shortcut Modification

Bazar can establish persistence by writing shortcuts to the Windows Startup folder.[1][4]
Enterprise T1059 .001 命令与脚本解释器: PowerShell

Bazar can execute a PowerShell script received from C2.[4][3]
.003 命令与脚本解释器: Windows Command Shell

Bazar can launch cmd.exe to perform reconnaissance commands.[1][7]
Enterprise T1008 回退信道

Bazar has the ability to use an alternative C2 server if the primary server fails.[4]
Enterprise T1482 域信任发现

Bazar can use Nltest tools to obtain information about the domain.[1][4]
Enterprise T1104 多阶段信道

The Bazar loader is used to download and execute the Bazar backdoor.[1][7]
Enterprise T1562 .001 妨碍防御: Disable or Modify Tools

Bazar has manually loaded ntdll from disk in order to identity and remove API hooks set by security products.[4]

Enterprise T1071 .001 应用层协议: Web Protocols

Bazar can use HTTP and HTTPS over ports 80 and 443 in C2 communications.[1][4][8]
Enterprise T1083 文件和目录发现

Bazar can enumerate the victim's desktop.[1][4]
Enterprise T1106 本机API

Bazar can use various APIs to allocate memory and facilitate code execution/injection.[1]
Enterprise T1012 查询注册表

Bazar can query Windows\CurrentVersion\Uninstall for installed applications.[1][4]
Enterprise T1027 .002 混淆文件或信息: Software Packing

Bazar has a variant with a packed payload.[1][7]
.007 混淆文件或信息: Dynamic API Resolution

Bazar can hash then resolve API calls at runtime.[1][4]
.013 混淆文件或信息: Encrypted/Encoded File

Bazar has used XOR, RSA2, and RC4 encrypted files.[1][4][3]
Enterprise T1204 .001 用户执行: Malicious Link

Bazar can gain execution after a user clicks on a malicious link to decoy landing pages hosted on Google Docs.[1][7][3]
Enterprise T1070 .004 移除指标: File Deletion

Bazar can delete its loader using a batch file in the Windows temporary folder.[4]
.009 移除指标: Clear Persistence

Bazar's loader can delete scheduled tasks created by a previous instance of the malware.[4]
Enterprise T1614 .001 系统位置发现: System Language Discovery

Bazar can perform a check to ensure that the operating system's keyboard and language settings are not set to Russian.[4]
Enterprise T1082 系统信息发现

Bazar can fingerprint architecture, computer name, and OS version on the compromised host. Bazar can also check if the Russian language is installed on the infected machine and terminate if it is found.[1][4]
Enterprise T1033 系统所有者/用户发现

Bazar can identify the username of the infected user.[4]
Enterprise T1124 系统时间发现

Bazar can collect the time on the compromised host.[1][4]
Enterprise T1016 系统网络配置发现

Bazar can collect the IP address and NetBIOS name of an infected machine.[1]
Enterprise T1135 网络共享发现

Bazar can enumerate shared drives on the domain.[4]
Enterprise T1102 网络服务

Bazar downloads have been hosted on Google Docs.[1][7]
Enterprise T1497 虚拟化/沙盒规避

Bazar can attempt to overload sandbox analysis by sending 1550 calls to printf.[1]
.003 Time Based Evasion

Bazar can use a timer to delay execution of core functionality.[4]
Enterprise T1087 .001 账号发现: Local Account

Bazar can identify administrator accounts on an infected host.[4]
.002 账号发现: Domain Account

Bazar has the ability to identify domain administrator accounts.[4][6]
Enterprise T1518 软件发现

Bazar can query the Registry for installed applications.[1]
.001 Security Software Discovery

Bazar can identify the installed antivirus engine.[1]
Enterprise T1105 输入工具传输

Bazar can download and deploy additional payloads, including ransomware and post-exploitation frameworks such as Cobalt Strike.[1][7][4][3]
Enterprise T1057 进程发现

Bazar can identity the current process on a compromised host.[1]
Enterprise T1055 进程注入

Bazar can inject code through calling VirtualAllocExNuma.[1]
.012 Process Hollowing

Bazar can inject into a target process including Svchost, Explorer, and cmd using process hollowing.[1][4]
.013 Process Doppelgänging

Bazar can inject into a target process using process doppelgänging.[1][4]
Enterprise T1018 远程系统发现

Bazar can enumerate remote systems using Net View.[1]
Enterprise T1566 .002 钓鱼: Spearphishing Link

Bazar has been spread via emails with embedded malicious links.[1][7][3]
Enterprise T1053 .005 预定任务/作业: Scheduled Task

Bazar can create a scheduled task for persistence.[1][4]
Enterprise T1553 .002 颠覆信任控制: Code Signing

Bazar has been signed with fake certificates including those appearing to be from VB CORPORATE PTY. LTD.[1]

Groups That Use This Software

ID Name References
G1011 EXOTIC LILY

[9]
G0102 Wizard Spider

[3][5]

Campaigns

ID Name Description
C0015 C0015

[8]

References

  1. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020.
  2. Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.
  3. Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021.
  4. Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.
  5. Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.
  1. The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020.
  2. Sadique, M. and Singh, A. (2020, September 29). Spear Phishing Campaign Delivers Buer and Bazar Malware. Retrieved November 19, 2020.
  3. DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.
  4. Stolyarov, V. (2022, March 17). Exposing initial access broker with ties to Conti. Retrieved August 18, 2022.