Rewterz Threat Advisory – Cisco Small Business 100, 300, and 500 Series Wireless Access Points Command Injection Vulnerabilities
May 20, 2021Rewterz Threat Advisory – VMware Workstation Multiple Vulnerabilities
May 21, 2021Rewterz Threat Advisory – Cisco Small Business 100, 300, and 500 Series Wireless Access Points Command Injection Vulnerabilities
May 20, 2021Rewterz Threat Advisory – VMware Workstation Multiple Vulnerabilities
May 21, 2021Severity
High
Analysis Summary
The BazarLoader malware is a small backdoor (a TrickBot adjacent malware) to an infected victim Windows host. BazarLoader currently uses a BazarCall method that infects the victim’s system and provides cybercriminals with backdoors that can be used in the future to send follow-up malware, scan the environment and exploit other vulnerable hosts on the network.
Researchers have reported the latest method used by threat actors to spread the malware; the call-center-based bazarLoader distribution method utilizes emails with a trial subscription-based theme that encourages potential victims to call a phone number. The victim is hoodwinked into thinking that they have subscribed to a service they didn’t sign up for and are directed to call a certain number for help. The call center operator directs the victim into downloading an infected excel sheet that is installed upon unsubscribing from the service.
The following chain of events takes place in the BazarCall Method:
- A trial subscription-themed email is received by the victim that directs them to call a phone number to a call center for assistance.
- The victim calls the phone number to unsubscribe from the service.
- The call center operator guides them to a fake company website.
- Upon clicking the unsubscribe option, a Microsoft Excel file is downloaded from the website.
- The call center operator instructs the victim to enable macros on the downloaded Excel file.
- The BazarLoader Malware is installed on the system.
- The victim is informed by the call center operator that the unsubscription was successful.
- BazarLoader generates command and control (C2) traffic from the infected Windows host.
- Backdoor access through BazarLoader leads to post-infection activities.
Impact
Data Breach
Affected Vendors
Microsoft
Affected Products
Windows
Indicators of Compromise
Destination IP
- 198[.]54[.]117[.]244
- 176[.]111[.]174[.]57
- 176[.]111[.]174[.]58
- 176[.]111[.]174[.]61
- 176[.]111[.]174[.]62
- 198[.]54[.]117[.]244
- 104[.]21[.]74[.]174
- 172[.]67[.]160[.]87
- 176[.]111[.]174[.]57
- 82[.]194[.]74[.]104
MD5
- 14089c2d5a4207dd80f71fb258200848
- 5ad4845793b5dc3308172b39f3c3dbc7
- dc37192b5c4c8c4f94c73c18ce5e3829
SHA-256
- ae1a1fcbc0f32a7c53cee9c5d27583d21309d824e1524f85812e4b6abad8de4e
- 0055ea96cd5145ea54f3e0bd488451c1a814dd1969160cb18137922a884ffa5e
- 09affa7f8e253edd9d4deda4413fba040829ff95b9263dda6f6bf8f269e27c0b
- f617eaecc30a486198c85981d07f22b090c7f3c1cd88565a87865f58ec479857
- 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
- f3b5cf1e40aed4567a8996cf107285907d432b4bc8cc3d0b46aae628813d82d4
- 2632c0cc222a6d436b50a418605a7bd4fa8f363ab8d93d10b831cdb28a2ac1bc
- db53f42e13d2685bd34dbc5c79fad637c9344e72e210ca05504420874e98c2a6
- 975ea7fce484089ec7d54b0abf2eecc16a1d04cd3e610a9e67cc3ae2885f3899
- f28d451125fe14399cf4107e65ff11c49edf899a9d256563d177bce4880e9dd0
- fb94f0c62b1eb990c2c39413cda78b45690e275aceb85af58bb84c887fc4bb67
- c1add84da66b44da51f1ce07c4d1afafa84aa8ad19092bb04f57c0d627a70b0d
- 536d1a135f6f0a9bc337108a2b10ce81515c5bc26b654ec9f8e4b5e53d06c959
- c51bf8c74311b8941dca2f63a0850e61c1058af6af0ac42d81c2d85cd64d37cb
- 2e5275c35b262674705f3c2bd6becc80a067f2660798881d0f5344ac97bd592d
- 5b05cae0880543c3adc28a2d5a45af4931de6d2b4197d2d3c26e4471dd4cf2a8
- fa5df8c17cdbe12483e369e947f545578ee14ae87a3f4af656cf62dc5e7aa81a
SHA1
- 80fa3d47f321108d7c956680ac1b1f5c611d6277
- 4285a93ec1a49f28cb2542af2a2bafc08e4f8a18
- 0aa6bb11a11dade2269d90b2781ed0a517362012
URL
- http[:]//whynt[.]xyz/campo/w/w
- http[:]//veso2[.]xyz/campo/r/r1
- http[:]//about2[.]xyz/campo/a/a1
- http[:]//basket2[.]xyz/campo/u/u1
- http[:]//dance4[.]xyz/campo/d8/d9
- https[:]//www[.]gnu[.]org/software/campo/d8/d9
- http[:]//glass3[.]xyz/campo/gl/gl3
- http[:]//idea5[.]xyz/campo/id/id8
- http[:]//keep2[.]xyz/campo/jl/jl7
- http[:]//whynt[.]xyz/uploads/files/dl8x64[.]exe
- http[:]//admin[.]yougleeindia[.]in/theme/js/plugins/o1e[.]exe
- http[:]//admin[.]yougleeindia[.]in/theme/js/plugins/rt3ret3[.]exe
- http[:]//about2[.]xyz/uploads/files/ret5er[.]exe
- http[:]//www[.]carsidecor[.]com/wp-content/uploads/2021/04/cv76[.]exe
- http[:]//dance4[.]xyz/uploads/files/10r3[.]exe
- http[:]//glass3[.]xyz/uploads/files/hah5[.]exe
- http[:]//idea5[.]xyz/uploads/files/ratan[.]exe
- http[:]//idea5[.]xyz/uploads/files/rets[.]exe
- http[:]//keep2[.]xyz/uploads/files/suka[.]exe
Remediation
- Download the latest patches for all products.
- Keep Windows up-to-date.
- Practice cyber vigilance online and maintain healthy internet habits.
- Keep an eye out for malicious emails and upgrade spam properties in email applications.
- Never download files from malicious websites.
- Run and update anti-virus software regularly.