Rewterz Threat Alert – BazarLoader Malware – Active IOCs

Severity

Medium

Analysis Summary

The BazarLoader malware is a small backdoor (a TrickBot adjacent malware) to an infected victim Windows host. BazarLoader currently uses a BazarCall method that infects the victim’s system and provides cybercriminals with backdoors that can be used in the future to send follow-up malware, scan the environment and exploit other vulnerable hosts on the network.

Researchers have reported the latest method used by threat actors to spread the malware; the call-center-based bazarLoader distribution method utilizes emails with a trial subscription-based theme that encourages potential victims to call a phone number. The victim is hoodwinked into thinking that they have subscribed to a service they didn’t sign up for and are directed to call a certain number for help. The call center operator directs the victim into downloading an infected excel sheet that is installed upon unsubscribing from the service.

Impact

• Data Exfiltration

Indicators of Compromise

IP

• 167[.]172[.]37[.]20
• 207[.]154[.]236[.]187
• 64[.]225[.]71[.]198
• 167[.]172[.]37[.]33
• 167[.]172[.]37[.]20
• 104[.]248[.]164[.]94
• 104[.]248[.]170[.]50
• 207[.]154[.]236[.]187
• 139[.]28[.]235[.]249
• 172[.]83[.]155[.]231
• 94[.]140[.]112[.]22
• 207[.]154[.]244[.]115
• 194[.]15[.]113[.]148
• 139[.]28[.]235[.]249
• 207[.]154[.]236[.]187
• 94[.]140[.]112[.]22
• 139[.]28[.]235[.]249

MD5

• 261541358c04b63dd39f0a65528775bb
• 47933f87a08b2dc9c415433ac4ab4f04
• 458228b460f972d7935723acad55f9ba
• d05a2463b37e487fd04b44a547cef5a6
• cf06c224eef30aed8b44e419928e2d6c
• 730ca73a23dd70b2edf3712e4d03db1c
• db8f42a798dd65d9bd8398c3e2564f06
• 04861b49fb21fea57ab9bba57b5e5ac6
• 7f3bcbb3e8080ac75f7bba326a23c54f
• 4932b7fa81a500c5050ccf3a945077e3
• c07251738742f5a6f63bf9302afef471
• 7f3bcbb3e8080ac75f7bba326a23c54f
• 4932b7fa81a500c5050ccf3a945077e3
• c07251738742f5a6f63bf9302afef471
• 96f60230308da02083c037b42a625e63
• c087889bd712b71c824560d1cf526be6
• 72cbfbfb9fb6e673051e938fb31ca987
• 4ea59f580d5a3398b7aca61e53e710bc

SHA-256

• 6d5ebe8069122e1b470169e0b1545f3c6196259ed2e94e5a242be3209f92cdea
• 807c8c2c02fd1c0f567bbbe14e24484ff0871d83130464c8376e8382e563d1cb
• 50561167909de0e777c5d81ef72d0981b996fe46df881ab34b9b106aabbe7560
• 247a013ddfa6a8b23294e5f58d57e230b562939421e51b5560c77ea805e2cbf7
• 4ee75b010820c4577ba02757b575e63736470bc014aa79ee53311b42dd51e464
• bf58ef24dd79c02522163be7d8e523cecb2be8daf30e98fd6673d583cbc9e74b
• 59b77f3b8d2e7d72c61d522a2bcabbe0b47be3b73e1a4001cb763589a656134c
• 6d0801c0ad5c7c7b194502d932a7cde2ab51d13d40f62c77f9e4e00524f641d1
• 3bc6fc23cef261ac74aa5b98d0c3ec9a4fb1ef3f6b850334d4df698a5fe1ec04
• 5622189598fae2814a0f6a73a1d746c99777e1ec90e9b5bda156f15a6bfc2832
• cd8c23863bd9a51ae9c135182a9a6af14408b4ad8f0bac3d58c4ed473c8589c2
• 3bc6fc23cef261ac74aa5b98d0c3ec9a4fb1ef3f6b850334d4df698a5fe1ec04
• 5622189598fae2814a0f6a73a1d746c99777e1ec90e9b5bda156f15a6bfc2832
• cd8c23863bd9a51ae9c135182a9a6af14408b4ad8f0bac3d58c4ed473c8589c2
• 960a111f4ea6624b2e145d8145f80348a9a2c5812efd68539a67a8586b3baca6
• 0f7904774e867127614e885913f986c278233ab2d8a7cd56f1ee171198a4b6a4
• 7285b66243283537da1f1883bfd1e9781815e2789e2cfe876052b56dc74cf6cd
• ff4aba383a3683fc702707c1cd2bfe9387a0ffe6c4ce68d085532bcd02ed6a2d

SHA-1

• c09a707522794b92966c380e1e62a03724f8b36d
• d6ff3d8b0a0729c651c8318d3fa470d90cc0c8ab
• 4ab23bbfa840acba573f2e585bbed01257e2aae3
• 3613f783cdf52c08dfb46f20c3f2a07521d9d5e0
• 88a34ba4122a17c43f596313faa38a67142fc259
• 48d8ff863d43bde2614ae387841135d1b33e66da
• 7df618ca8e5e21faf19ece8c2470f62af8e4ea15
• cb429369607174d464edf5447e7edbc0a8157e9b
• e2cf8adac9d9860db7fff35dc0d9c94807b0f2dd
• 13d7cf3a826274183d761bc4bcd16e68c069e14b
• ab0f41cd9bbf8930c7f37e0735e651aadaeafe0c
• e2cf8adac9d9860db7fff35dc0d9c94807b0f2dd
• 13d7cf3a826274183d761bc4bcd16e68c069e14b
• ab0f41cd9bbf8930c7f37e0735e651aadaeafe0c
• f932dbe08924909fbc81f835e4fe85d27d33abb7
• 9d00dc27f6b2932ec225cebd709120fa6414ef5f
• a9a68add226e1565eb73cd4309a5e32728af56df
• 384373fbe321322afb7682350cedf8089d38c756

URL

• http[:]//167[.]172[.]37[.]20/part/issue/invoke
• http[:]//207[.]154[.]236[.]187/out/rolling/issue/invoke
• http[:]//64[.]225[.]71[.]198/main/issue/invoke
• http[:]//167[.]172[.]37[.]33/main/issue/invoke
• http[:]//167[.]172[.]37[.]20/main/issue/invoke
• http[:]//104[.]248[.]164[.]94/minor/issue/invoke
• http[:]//207[.]154[.]236[.]187/out/major/issue/invoke
• http[:]//104[.]248[.]175[.]208/minor/issue/invoke
• http[:]//207[.]154[.]229[.]94/out/major/issue/invoke
• http[:]//94[.]140[.]112[.]22/out/major/issue/invoke
• http[:]//139[.]28[.]235[.]249/out/major/issue/invoke
• http[:]//172[.]83[.]155[.]231/out/major/issue/invoke
• http[:]//94[.]140[.]112[.]22/out/stable/issue/invoke
• http[:]//207[.]154[.]244[.]115/out/major/issue/invoke
• http[:]//194[.]15[.]113[.]148/out/major/issue/invoke
• http[:]//139[.]28[.]235[.]249/out/stable/issue/invoke
• http[:]//207[.]154[.]236[.]187/out/stable/issue/invoke
• http[:]//207[.]154[.]244[.]115/out/stable/issue/invoke
• http[:]//94[.]140[.]112[.]22/out/minor/issue/invoke
• http[:]//207[.]154[.]244[.]115/out/minor/issue/invoke
• http[:]//207[.]154[.]236[.]187/out/minor/issue/invoke
• http[:]//94[.]140[.]112[.]9/out/stable/issue/invoke
• http[:]//54[.]212[.]208[.]226/api/get/output/text
• http[:]//167[.]99[.]240[.]197/web/main/job/run
• http[:]//194[.]15[.]113[.]148/web/main/job/run

Remediation

• Block all threat indicators at your respecitive controls.
• Keep Windows up-to-date.
• Keep an eye out for malicious emails and upgrade spam properties in email applications.
• Never download files from malicious websites.