Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
May 25, 2023
Severity High Analysis Summary The STOP/DJVU ransomware initially made headlines in 2018 and has since been attacking individuals all around the world. It’s widespread on torrent […]May 24, 2023Severity Medium Analysis Summary CVE-2023-30440 IBM PowerVM Hypervisor could allow a local attacker with control a partition that has been assigned SRIOV virtual function (VF) to […]May 24, 2023Severity High Analysis Summary CVE-2023-33246 Apache RocketMQ could allow a remote attacker to execute arbitrary commands on the system, caused by a flaw when using the […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
May 25, 2023Severity High Analysis Summary The STOP/DJVU ransomware initially made headlines in 2018 and has since been attacking individuals all around the world. It’s widespread on torrent […]May 24, 2023Severity Medium Analysis Summary CVE-2023-30440 IBM PowerVM Hypervisor could allow a local attacker with control a partition that has been assigned SRIOV virtual function (VF) to […]May 24, 2023Severity High Analysis Summary CVE-2023-33246 Apache RocketMQ could allow a remote attacker to execute arbitrary commands on the system, caused by a flaw when using the […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Rewterz Threat Advisory – Cisco Small Business 100, 300, and 500 Series Wireless Access Points Command Injection Vulnerabilities
May 20, 2021Rewterz Threat Advisory – VMware Workstation Multiple Vulnerabilities
May 21, 2021
Severity
High
Analysis Summary
The BazarLoader malware is a small backdoor (a TrickBot adjacent malware) to an infected victim Windows host. BazarLoader currently uses a BazarCall method that infects the victim’s system and provides cybercriminals with backdoors that can be used in the future to send follow-up malware, scan the environment and exploit other vulnerable hosts on the network.
Researchers have reported the latest method used by threat actors to spread the malware; the call-center-based bazarLoader distribution method utilizes emails with a trial subscription-based theme that encourages potential victims to call a phone number. The victim is hoodwinked into thinking that they have subscribed to a service they didn’t sign up for and are directed to call a certain number for help. The call center operator directs the victim into downloading an infected excel sheet that is installed upon unsubscribing from the service.
The following chain of events takes place in the BazarCall Method:
- A trial subscription-themed email is received by the victim that directs them to call a phone number to a call center for assistance.
- The victim calls the phone number to unsubscribe from the service.
- The call center operator guides them to a fake company website.
- Upon clicking the unsubscribe option, a Microsoft Excel file is downloaded from the website.
- The call center operator instructs the victim to enable macros on the downloaded Excel file.
- The BazarLoader Malware is installed on the system.
- The victim is informed by the call center operator that the unsubscription was successful.
- BazarLoader generates command and control (C2) traffic from the infected Windows host.
- Backdoor access through BazarLoader leads to post-infection activities.
Impact
Data Breach
Affected Vendors
Microsoft
Affected Products
Windows
Indicators of Compromise
Destination IP
- 198[.]54[.]117[.]244
- 176[.]111[.]174[.]57
- 176[.]111[.]174[.]58
- 176[.]111[.]174[.]61
- 176[.]111[.]174[.]62
- 198[.]54[.]117[.]244
- 104[.]21[.]74[.]174
- 172[.]67[.]160[.]87
- 176[.]111[.]174[.]57
- 82[.]194[.]74[.]104
MD5
- 14089c2d5a4207dd80f71fb258200848
- 5ad4845793b5dc3308172b39f3c3dbc7
- dc37192b5c4c8c4f94c73c18ce5e3829
SHA-256
- ae1a1fcbc0f32a7c53cee9c5d27583d21309d824e1524f85812e4b6abad8de4e
- 0055ea96cd5145ea54f3e0bd488451c1a814dd1969160cb18137922a884ffa5e
- 09affa7f8e253edd9d4deda4413fba040829ff95b9263dda6f6bf8f269e27c0b
- f617eaecc30a486198c85981d07f22b090c7f3c1cd88565a87865f58ec479857
- 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
- f3b5cf1e40aed4567a8996cf107285907d432b4bc8cc3d0b46aae628813d82d4
- 2632c0cc222a6d436b50a418605a7bd4fa8f363ab8d93d10b831cdb28a2ac1bc
- db53f42e13d2685bd34dbc5c79fad637c9344e72e210ca05504420874e98c2a6
- 975ea7fce484089ec7d54b0abf2eecc16a1d04cd3e610a9e67cc3ae2885f3899
- f28d451125fe14399cf4107e65ff11c49edf899a9d256563d177bce4880e9dd0
- fb94f0c62b1eb990c2c39413cda78b45690e275aceb85af58bb84c887fc4bb67
- c1add84da66b44da51f1ce07c4d1afafa84aa8ad19092bb04f57c0d627a70b0d
- 536d1a135f6f0a9bc337108a2b10ce81515c5bc26b654ec9f8e4b5e53d06c959
- c51bf8c74311b8941dca2f63a0850e61c1058af6af0ac42d81c2d85cd64d37cb
- 2e5275c35b262674705f3c2bd6becc80a067f2660798881d0f5344ac97bd592d
- 5b05cae0880543c3adc28a2d5a45af4931de6d2b4197d2d3c26e4471dd4cf2a8
- fa5df8c17cdbe12483e369e947f545578ee14ae87a3f4af656cf62dc5e7aa81a
SHA1
- 80fa3d47f321108d7c956680ac1b1f5c611d6277
- 4285a93ec1a49f28cb2542af2a2bafc08e4f8a18
- 0aa6bb11a11dade2269d90b2781ed0a517362012
URL
- http[:]//whynt[.]xyz/campo/w/w
- http[:]//veso2[.]xyz/campo/r/r1
- http[:]//about2[.]xyz/campo/a/a1
- http[:]//basket2[.]xyz/campo/u/u1
- http[:]//dance4[.]xyz/campo/d8/d9
- https[:]//www[.]gnu[.]org/software/campo/d8/d9
- http[:]//glass3[.]xyz/campo/gl/gl3
- http[:]//idea5[.]xyz/campo/id/id8
- http[:]//keep2[.]xyz/campo/jl/jl7
- http[:]//whynt[.]xyz/uploads/files/dl8x64[.]exe
- http[:]//admin[.]yougleeindia[.]in/theme/js/plugins/o1e[.]exe
- http[:]//admin[.]yougleeindia[.]in/theme/js/plugins/rt3ret3[.]exe
- http[:]//about2[.]xyz/uploads/files/ret5er[.]exe
- http[:]//www[.]carsidecor[.]com/wp-content/uploads/2021/04/cv76[.]exe
- http[:]//dance4[.]xyz/uploads/files/10r3[.]exe
- http[:]//glass3[.]xyz/uploads/files/hah5[.]exe
- http[:]//idea5[.]xyz/uploads/files/ratan[.]exe
- http[:]//idea5[.]xyz/uploads/files/rets[.]exe
- http[:]//keep2[.]xyz/uploads/files/suka[.]exe
Remediation
- Download the latest patches for all products.
- Keep Windows up-to-date.
- Practice cyber vigilance online and maintain healthy internet habits.
- Keep an eye out for malicious emails and upgrade spam properties in email applications.
- Never download files from malicious websites.
- Run and update anti-virus software regularly.