• Services
    • Asses
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Transform
      • SOC Consultancy
      •     SOC Maturity Assessment
      •     SOC Model Evaluation
      •     SOC Gap Analysis
      •     SIEM Gap Analysis
      •     SIEM Optimization
      •     SOC Content Pack
    • Train
      • Security Awareness and Training
      • Tabletop Exercise
      • Simulated Cyber Attack Exercises
    • Respond
      • Incident Response
      • Incident Analysis
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
Rewterz Threat Advisory – CVE-2020-5870 – F5 BIG-IQ Centralized Management
April 28, 2020
Rewterz Threat Alert – Remote Workers Using Skype Targeted via Phishing
April 28, 2020

Rewterz Threat Alert – Bazar Backdoor IoCs

April 28, 2020

Severity

High

Analysis Summary

In a new wave of phishing attacks, a new malware named ‘BazarBackdoor’, or internally by the malware developers as simply “backdoor”, is being installed that deploys a network-compromising toolkit for the threat actors. The malware has similarities to TrickBot trojan and developers of this malware are likely to be the ones behind Trickbot as well. 

The initial attack starts with phishing campaigns that utilize a wide variety of lures such as customer complaints, COVID-19 themed payroll reports and employee termination lists that contain links to documents hosted on Google Docs.

Example BazarLoader phishing email

Threat actors have worked specifically on the landing page to ensure that the victim falls prey to the lure and a lot of styling and detailing has been done to make sure that the landing page looks authentic.

COVID-19 Payroll template

Fake payroll template

Customer complaint template

Fake customer complaint template 

When the link is clicked, an executable will be downloaded instead that uses an icon and name associated with the icon shown on the landing page.

BazarLoader executables

After a victim launches the downloaded file, the loader will sleep for a short period of time and then connect to command and control servers to check-in and download the backdoor payload. After the payload is downloaded, it will be filelessly injected into the C:\Windows\system32\svchost.exe process. 

Injected backdoor into svchost.exe

A scheduled task will also be configured to launch the loader when a user logs into Windows, which will allow new versions of the backdoor to be routinely downloaded and injected into the svchost.exe process.

Scheduled task

Impact

  • Gain access
  • Exposure of sensitive data

Indicators of Compromise

MD5

  • cdddcbc43905f8a1a12de465a8b4c5e5
  • 8f290a2eacfdcfea4f5ca054ae25bc62
  • b533f8b604b2cc99ce938d8303994e43
  • 0e9f7f512a7eae62c091c7f0e2157d85
  • 267b23b206cde7086607e2c4471a97c4
  • 0708c3b1c48d71148cfd750e70511820
  • df3db8d75d6c433c4c063d17f22e9b21
  • 3fe91dbbcf0962895f768da6e40853ee
  • 8b3215a899af33e3f6beb47a08787163
  • 3078b0b4b1dc48d62019d6ccca9cf098
  • e16a92cccc3700196337c9ad43210f38
  • 9066f4c98967e27a1d32f01c47884785
  • 07d1c4952795e804b87c7c9d536dc547
  • c25965d25b5ccdc2f401188f27972c22

SHA-256

  • 11b5adaefd04ffdaceb9539f95647b1f51aec2117d71ece061f15a2621f1ece9
  • 5a888d05804d06190f7fc408bede9da0423678c8f6eca37ecce83791de4df83d
  • 7c93d9175a38c23d44d76d9a883f7f3da1e244c2ab6c3ac9f29a9c9e20d20a5f
  • ca8194e9a1232e508619269bdf9a9c71c4b76e7852d86ed18f02088229b0f7c7
  • 05abd7f33de873e9630f9e4f02dbd0cbc16dd254f305fc8f636dafba02a549b3
  • 4ee0857d475e67945af2c5e04be4dec3d6d3eb7c78700f007a7ff6f8c14d4cb3
  • b10dcec77e00b1f9b1f2e8e327a536987ca84bcb6b0c7327c292f87ed603837d
  • e90ccb9d51a930f69b78aa0d2612c4af2741311088b9eb7731857579feef89c3
  • 6cbf7795618fb5472c5277000d1c1de92b77724d77873b88af3819e431251f00
  • 2f0f0956628d7787c62f892e1bd9edda8b4c478cf8f1e65851052c7ad493dc28
  • 94dcaa51e792d1fa266cae508c2c62a2ca45b94e2fdfbca7ea126b6cd7bc5b21
  • 37d713860d529cbe4eab958419ffd7ebb3dc53bb6909f8bd360adaa84700faf2
  • 210c51aab6fc6c52326ece9dbd3ddab5f58e98432ef70c46936672c79542fbd0
  • 58880777c4b2d9d1ac7cd145c6704a936a54510eaaa7ae61ce8ca8390e355006
  • 0f94b77892f22d0a0e7095b985f30b5edbe17ab5b8d41f798ef0c708709636f4
  • 3ee36a9401a4df622be5dc12ac9b9bcf1d607c8d394b12e863ec17776c2e0fe7
  • c55f8979995df82555d66f6b197b0fbcb8fe30b431ff9760deae6927a584b9e3
  • 35b3fe2331a4a7d83d203e75ece5189b7d6d06af4abac8906348c0720b6278a4

SHA1

  • 3884ccf43010733ead38ddea11f249b33f2f1609
  • 66f66cd650c9a08d2433c92d0fb78b22cfc279be
  • c47ba9a3bd09ac601e8766acf7add73710743984
  • 76e1b95f5fb6251bb79de78ae5169044885e07e3
  • 15d070be7838e73a3862d267cb9aff0f0b77b715
  • 9c14c7958a58ad5916c91a5ea42bc453db73b947
  • b19620bfa0a6311cdeac1a63aaf477d5b3df7730
  • 81982119280c2a435f13b09a2995d06f422ca013
  • 0dd83eb2235f1775b981ed992f121367f723b23c
  • fb5a481431a0bfc6785cb101e2eefec1840d1d16
  • 53ee27c7893574d496a0b512363e690ac9f6d7ba
  • 6b14b1634706ddd60af62dd276645727c7762094
  • 68d8e4654662c4e83c4c101e70eb132a1d879e0e
  • 078f815f9b4e3dc108dedc3a00eaa666058f035e

URL

  • https[:]//allacestech[.]com/PreviewReport[.]DOC[.]exe
  • https[:]//www[.]ruths-brownies[.]com/PreviewReport[.]DOC[.]exe
  • http[:]//www[.]afboxmarket[.]com/CompanyReportList[.]exe
  • http[:]//invent-uae[.]com/Document_Preview[.]exe
  • https[:]//51[.]81[.]113[.]26/api/v88
  • https[:]//daralsaqi[.]com/PreviewReport[.]DOC[.]exe

Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on the links/attachments sent by unknown senders.
  • Services
    • Asses
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Respond
      • Incident Response
      • Incident Analysis
  • Transform
    • SOC Consultancy
    •     SOC Maturity Assessment
    •     SOC Model Evaluation
    •     SOC Gap Analysis
    •     SIEM Gap Analysis
    •     SIEM Optimization
    •     SOC Content Pack
  • Train
    • Security Awareness and Training
    • Tabletop Exercise
    • Simulated Cyber Attack Exercises
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.