Rewterz Threat Alert – New Versions of the Bazar Loader and Backdoor

July 21, 2020

Severity

Medium

Analysis Summary

New versions of Bazar loader and backdoor are circulating. A number of versions, including development versions, were analyzed for the report. The first version of Bazar appeared in April 2020 with further versions appearing in June. Prior investigations and commonalities in the malware led researchers to conclude that the Bazar malware is from the same actors behind the well known Trickbot banking Trojan. The Bazar code is obfuscated and designed to evade detection while retaining persistence. Bazar makes use of EmerDNS blockchain domains, uses the Twilio SendGrid email platform, has a different network callback system than prior malware related to Trickbot, and leverages signed loader files. While Bazar is being actively developed, versions of it have been used in attacks against a small number of high value targets.

Impact

Credential theft
Information disclosure

Indicators of Compromise

SHA-256

1e123a6c5d65084ca6ea78a26ec4bebcfc4800642fec480d1ceeafb1cacaaa83
56eb71f706043c7504e756379b1869adc4c07b93327c0bd4ff83d9bdca108804
a76426e269a2defabcf7aef9486ff521c6110b64952267cfe3b77039d1414a41
c55f8979995df82555d66f6b197b0fbcb8fe30b431ff9760deae6927a584b9e3
835edf1ec33ff1436d354aa52e2e180e3e8f7500e9d261d1ff26aa6daddffc55
55d95d9486d77df6ac79bb25eb8b8778940bac27021249f779198e05a2e1edae
4e4f9a467dd041e6a76e2ea5d57b28fe5a3267b251055bf2172d9ce38bea6b1f
859fa9acf0b8a989a1634a1eee309355438b9f6b6f73b69f12d53ac534618c6a
5a888d05804d06190f7fc408bede9da0423678c8f6eca37ecce83791de4df83d
7f757770f2049c23624a483feb6e9331693ded0dafb9c636f96fe6b9307a704c
b2583eb8e1d4241644ed9c366bf5ef58ab1a4fa26788358c6b14fdb48d0261b5
467c33cb979804dad154612a808f2ea234f7501f8d36bf610ed457cc48993c49
f6cddc2f46ec3e8dc95b6fe42c6f30745bf0e7d3e9788c35a96199c82fc04f66
b2478fd8e1cbaed66ad8f46e7edbc0f61b4eb94e5c10e1df23efed86a1ea4490
8a0ae971d0f4dc4c1027ff117fea0761d042baa6b8a6f6451410b580597f7021
2e99ed535a9f73bafab151ec409de04c953a0187cb8e4063317617befa09068d
911ad05e24337f4e9c648b81ff5d94d54b30cb94b69601253085a5138913adfe
d04bdbff24b1bed41536664bb9696387fc6e88756efa76ecf345937e7cfa014d
04ad133967d2076e4ce4cbd04c058ba7e8e3725fb72102e2b1b5de433f44de33
3fe61d87c9454554b0ce9101f95e18abad8ac6c62dcc88dc651ddfb20568e060
b10dcec77e00b1f9b1f2e8e327a536987ca84bcb6b0c7327c292f87ed603837d
363b6e0bc8873a6a522fe9485c7d8b4cbcffa1da61787930341f94557487c5a8
8f552e9ca2bedd90ce9935a665758d5de2e86b6fda32d98918534a8a5881f91a
a0d0cfa8bf0bc5b8f769d8b64eab22d308b108dd8a4d59872946d69c3f8c58a5
ae7daa7ce3188ccfe4069ba14c486631eea9505b7a107a17ddee29061b0ede99
f3c6d7309f00cc7009bea4be6128f0af2ea6b87ab7a687d14092f85ccd35c1f5
35b3fe2331a4a7d83d203e75ece5189b7d6d06af4abac8906348c0720b6278a4
5974d938bc3bbfc69f68c979a6dc9c412970fc527500735385c33377ab30373a
c7d02d16e35449bfbd571667d2c571657aa526d58891242884e1f2b81ef932e8

Remediation

Block all threat indicators at your respective controls.
Search for IOCs in your environment.

Platform

Managed Security Services

Managed Penetration Testing

Assess

Transform

Train

Respond

Resources

Rewterz Threat Alert – An Emerging Ducktail Infostealer – Active IOCs

Rewterz Threat Alert – Russian Threat Actors Target European NGO Systems with TinyTurla-NG Backdoor – Active IOCs

Rewterz Threat Advisory – CVE-2024-26246 – Microsoft Edge Vulnerability

Threat Insights

About Us

Our Leadership

CSR

Connect with Us