Ransomware Email Attacks: Beware of BazarLoader

jeethmathai, Occasional Contributor

2022-05-20 03:19 AM

What is BazarLoader?

Bazar malware infections specifically target professional services, healthcare, manufacturing, IT, logistics, and travel companies across the US and Europe. BazarLoader (aka BazarBackdoor) is Windows-based malware spread through various email-borne methods. It consists of a loader and a backdoor component, where the loader is responsible for installing and executing the backdoor.


How do attackers infiltrate?

The operators use the backdoor access to determine whether the host is part of an Active Directory (AD) environment. If so, they deploy Cobalt Strike and perform reconnaissance to map the network. If the results indicate a high-value target, they attempt lateral movement and often deploy ransomware such as Conti or Ryuk.

The backdoor is fileless malware reportedly created by the same threat actors behind TrickBot. That attribution rests on similarities in code, crypters, and infrastructure between the two malware families. Groups such as Wizard Spider have been observed using BazarLoader to gain initial access to a target.


MITRE ATT&CK Matrix

You can see below the MITRE ATT&CK tactics and techniques associated with BazarLoader, or view the full navigator map here.

Execution:
    Execution Through API

Persistence:
    Startup Items
    Registry Run Keys / Startup Folder

Privilege Escalation:
    Startup Items
    Process Injection

Defense Evasion:
    Deobfuscate / Decode Files or Information
    Masquerading
    Modify Registry
    Obfuscated Files or Information
    Process Doppelgänging
    Process Hollowing
    Process Injection

Discovery:
    Account Discovery
    Application Window Discovery
    File and Directory Discovery
    Process Discovery
    Query Registry
    Remote System Discovery
    Security Software Discovery
    System Information Discovery
    System Time Discovery
    System Owner / User Discovery

Exfiltration:
    Data Encrypted

Command and Control:
    Commonly Used Port
    Remote File Copy
    Standard Application Layer Protocol
    Standard Cryptographic Protocol
    Standard Non-Application Layer Protocol


Delivery

The BazarLoader malware is usually spread through phishing emails that include malicious documents or malicious links that download and install the malware. The campaign employs a diverse set of delivery mechanisms, including macro-enabled documents, ISO files, compressed archives (ZIP/RAR), and compromised installers.

Execution

The infection process varies from sample to sample. Clicking the malicious link downloads an executable whose icon and name mimic one of the file types listed above. This disguised executable serves as the loader for the backdoor. After launch, the loader sleeps for some time and then connects to its command and control (C&C) servers to check in and download the payload. The payload is then injected filelessly into a foreign process using process hollowing and process doppelgänging techniques, which installs the backdoor on the computer. The backdoor also sets a scheduled task that launches the loader every time the user logs into Windows, so that new versions of the backdoor can be downloaded and injected into svchost.exe.

In another case, enabling the macros in a document retrieves a malicious binary/DLL for BazarLoader and runs it with rundll32.exe on a vulnerable Windows host.

The following app rule was created to detect this specific BazarLoader behavior: calling DLL exports by ordinal through rundll32.exe.

BOC: [Community] Suspicious Call by Ordinal

The following app rule detects rundll32 being used to execute arbitrary code or a .dll file.

BOC: Execute DLL Through Rundll32

In later stages, it can download Cobalt Strike to perform reconnaissance of the infected host's environment and eventually deploy ransomware such as Conti or Ryuk.

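As an added example (not from the post, and not NetWitness app-rule syntax), the Python below shows the logic behind the two rundll32 rules above as a classifier over constructed process-creation events: it splits a rundll32 command line into module and export, then flags an export called by ordinal, a module loaded from a user-writable path, a module with a non-.dll extension, and an Office parent process. The event fields, host names, and command lines are assumptions made for the example.

```python
import re

# Constructed process-creation events (hypothetical telemetry shape, not NetWitness output).
SAMPLE_EVENTS = [
    {"host": "WS01", "parent": "winword.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\invoice.dll,#1"},
    {"host": "WS01", "parent": "explorer.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"host": "WS02", "parent": "cmd.exe",
     "cmdline": r"rundll32.exe D:\report.log,DllRegisterServer"},
    {"host": "WS02", "parent": "explorer.exe",
     "cmdline": r"notepad.exe C:\Users\bob\notes.txt"},
]

# Locations an unprivileged user can write to; a DLL loaded from here by rundll32 deserves a look.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
RUNDLL32_RE = re.compile(r'^\s*"?(?:[^"]*\\)?rundll32(?:\.exe)?"?\s+(.+)$', re.IGNORECASE)
ORDINAL_RE = re.compile(r"^#\d+$")  # export referenced by ordinal, e.g. "#1"


def parse_rundll32(cmdline):
    """Split a rundll32 command line into (module, export); None if it is not rundll32.

    rundll32 accepts both the "module,export" and the "module export" forms.
    """
    m = RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    arg = m.group(1).strip()
    sep = "," if "," in arg else " "
    module, _, export = arg.partition(sep)
    return module.strip().strip('"'), export.strip()


def classify(event):
    """Return the reasons a rundll32 launch looks suspicious (empty list if benign)."""
    parsed = parse_rundll32(event["cmdline"])
    if parsed is None:
        return []
    module, export = parsed
    reasons = []
    if ORDINAL_RE.match(export):
        reasons.append("export called by ordinal")
    low = module.lower()
    if any(d in low for d in USER_WRITABLE):
        reasons.append("module loaded from user-writable path")
    if not low.endswith(".dll"):
        reasons.append("module has non-DLL extension")
    if event["parent"].lower() in OFFICE_PARENTS:
        reasons.append("spawned by Office application")
    return reasons


def scan(events):
    """Return only the events that produced at least one reason, with their reasons."""
    return [(e["host"], e["cmdline"], classify(e)) for e in events if classify(e)]


if __name__ == "__main__":
    for host, cmdline, reasons in scan(SAMPLE_EVENTS):
        print(f"{host}: {cmdline}\n    -> {'; '.join(reasons)}")
```

The first sample event trips three reasons at once (ordinal export, module under AppData\Local\Temp, Office parent), the shell32.dll control-panel launch trips none, and the .log module trips only the extension check; combining reasons rather than alerting on each one separately keeps the noise from legitimate rundll32 use manageable.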

Persistence

The BazarLoader DLL copies itself to AppData\Local\Temp and is made persistent through the following Windows registry keys.

Software\Microsoft\Windows\CurrentVersion\Run

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

The following app rule detects any modification to the Winlogon registry keys.

BOC = modifies winlogon registry settings

BazarLoader also creates another autorun entry by writing a shortcut to the Windows Start menu Startup folder. The following app rule detects any new entry in the startup directory.

BOC = creates executable in startup directory

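As an added example (not from the post, and not NetWitness app-rule syntax), the following Python shows the detection logic of the two persistence rules above over constructed registry-write and file-create events: it matches writes to the Run key, changes to the Winlogon values that name a logon program (Shell, Userinit, Taskman), and new runnable files in the Startup folder, and raises a second finding when an autostart target points into AppData\Local\Temp, the staging location described above. The event fields, host names, and paths are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed registry-write and file-create events (hypothetical telemetry shape, not NetWitness output).
SAMPLE_EVENTS = [
    {"type": "registry", "host": "WS01", "process": "rundll32.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "Updater",
     "data": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\invoice.dll,#1"},
    {"type": "registry", "host": "WS01", "process": "rundll32.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "value": "Shell",
     "data": r"explorer.exe,C:\Users\alice\AppData\Local\Temp\invoice.dll"},
    {"type": "registry", "host": "WS01", "process": "msiexec.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SomeApp",
     "value": "DisplayName", "data": "SomeApp"},
    {"type": "file", "host": "WS02", "process": "rundll32.exe",
     "path": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"type": "file", "host": "WS02", "process": "explorer.exe",
     "path": r"C:\Users\bob\Documents\report.txt"},
]

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
WINLOGON_RE = re.compile(r"\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon$", re.IGNORECASE)
# Winlogon values that name a program to run at logon; changes here are rare on a healthy host.
WINLOGON_VALUES = {"shell", "userinit", "taskman"}
STARTUP_RE = re.compile(
    r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(lnk|exe|dll|bat|cmd|vbs|js|ps1)$", re.IGNORECASE)
STAGING_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def check_event(event):
    """Return the persistence findings for one event (empty list if nothing matched)."""
    findings = []
    if event["type"] == "registry":
        if RUN_KEY_RE.search(event["key"]):
            findings.append("Run key autostart written")
        elif WINLOGON_RE.search(event["key"]) and event["value"].lower() in WINLOGON_VALUES:
            findings.append(f"Winlogon {event['value']} value modified")
        # Only meaningful once an autostart was written: where does it point?
        if findings and STAGING_RE.search(event.get("data", "")):
            findings.append("autostart target lives in AppData\\Local\\Temp")
    elif event["type"] == "file":
        if STARTUP_RE.search(event["path"]):
            findings.append("new runnable file in Startup folder")
    return findings


def triage(events):
    """Group findings by host so an analyst sees every autostart a host gained together."""
    by_host = defaultdict(list)
    for e in events:
        for f in check_event(e):
            by_host[e["host"]].append((e["process"], f))
    return dict(by_host)


if __name__ == "__main__":
    for host, items in triage(SAMPLE_EVENTS).items():
        print(host)
        for process, finding in items:
            print(f"    {process}: {finding}")
```

Keeping the writing process in each finding matters in practice: a Run key written by an installer is routine, the same key written by rundll32.exe from a DLL under Temp is not.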

C2 Traffic

BazarLoader communicates with its C2 servers over HTTPS/HTTP to download the backdoor and additional payloads. The C2 IP/domain differs from sample to sample. Some samples were found to use EmerDNS blockchain domains (.bazar) for command and control. The malware also generates traffic to legitimate domains; that activity is not inherently malicious on its own.

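As an added example (not from the post, and not NetWitness code), the Python below applies two checks a defender can run over the traffic described here, using a constructed connection log: a high-confidence match on EmerDNS blockchain TLDs such as .bazar in DNS queries, and a low-confidence beaconing check that looks for near-constant intervals between one host's connections to one destination, since traffic to an ordinary-looking domain only becomes interesting in combination with such regularity. The log format, host names, and addresses are assumptions for the example; .coin, .emc and .lib are other EmerDNS zones, added beyond the .bazar TLD the post names.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed connection log: timestamp host protocol destination (not NetWitness output).
SAMPLE_LOG = """\
2022-05-20T09:00:00 WS01 dns forum.bazar
2022-05-20T09:00:01 WS01 https 203.0.113.10
2022-05-20T09:01:10 WS01 https news.example.com
2022-05-20T09:05:01 WS01 https 203.0.113.10
2022-05-20T09:07:42 WS01 https news.example.com
2022-05-20T09:10:01 WS01 https 203.0.113.10
2022-05-20T09:15:01 WS01 https 203.0.113.10
2022-05-20T09:20:01 WS01 https 203.0.113.10
2022-05-20T09:33:05 WS01 https news.example.com
2022-05-20T09:41:50 WS01 https news.example.com
"""

# EmerDNS zones are not resolvable through ordinary public DNS, so a query for one
# from a workstation is worth an alert on its own.
EMERDNS_TLDS = {"bazar", "coin", "emc", "lib"}


def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, host, proto, dst = line.split()
        events.append((datetime.fromisoformat(ts), host, proto, dst))
    return events


def emerdns_queries(events):
    """(host, name) pairs for DNS queries whose TLD is an EmerDNS zone."""
    return [(host, dst) for _, host, proto, dst in events
            if proto == "dns" and dst.rsplit(".", 1)[-1].lower() in EMERDNS_TLDS]


def periodic_destinations(events, min_hits=4, max_cv=0.1):
    """Map (host, destination) -> mean interval in seconds for connection series whose
    inter-arrival times vary by less than max_cv (coefficient of variation)."""
    by_pair = defaultdict(list)
    for ts, host, proto, dst in events:
        if proto in ("http", "https"):
            by_pair[(host, dst)].append(ts)
    flagged = {}
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            flagged[pair] = round(avg)
    return flagged


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("EmerDNS lookups:", emerdns_queries(evts))
    print("periodic destinations:", periodic_destinations(evts))
```

In the constructed log the five connections to 203.0.113.10 are exactly 300 seconds apart and get flagged, while the four visits to news.example.com have irregular gaps and do not. Real implants add jitter, so raise max_cv and min_hits to taste and treat the result as a hunting lead rather than a verdict.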

Defense Evasion

This stealthy loader evades detection by abusing the trust placed in certificate authorities, much like earlier TrickBot loaders, and is heavily obfuscated. It also uses anti-analysis techniques to thwart automated and manual analysis and loads the encrypted backdoor solely in memory.

There were cases where a link was sent by email to download an ISO archive attachment containing a .lnk file and a .log file. The idea is to evade AV detection by packing the payloads in the archive and having the user manually extract them after download.

The .lnk file contains a command that opens a terminal window using existing Windows binaries and loads the .log file, which is actually a BazarLoader DLL.


Data collection and discovery

BazarLoader collects data from the infected machine, such as its public IP address, computer name, installed applications, and Windows version. It performs WMIC queries to retrieve information about the antivirus engine installed on the machine and runs the net and nltest tools to obtain information about the network and domain. Cobalt Strike is then used to run additional discovery tasks and to use pass-the-hash with various accounts.

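As an added example (not from the post, and not NetWitness code), the Python below turns the discovery behavior described here into a burst detector over constructed process-creation events: each command line is mapped to an ATT&CK discovery category (WMIC antivirus queries, net user/group, nltest domain enumeration, systeminfo), and a host is flagged when it runs three or more distinct categories within a ten-minute window. A single net user command is routine help-desk activity; the combination inside a short window is what matches the post-infection pattern. The event shape, host names, and command lines are assumptions for the example; systeminfo is included beyond the tools the post names.

```python
import re
from collections import defaultdict
from datetime import datetime

# (category, pattern) pairs; patterns deliberately stay loose about .exe suffixes and casing.
DISCOVERY_PATTERNS = [
    ("security software discovery",
     re.compile(r"\bwmic\b.*\bantivirusproduct\b", re.IGNORECASE)),
    ("account discovery",
     re.compile(r"\bnet1?(?:\.exe)?\s+(?:user|group|localgroup)\b", re.IGNORECASE)),
    ("remote system discovery",
     re.compile(r"\bnltest(?:\.exe)?\s+/(?:dclist|domain_trusts|dsgetdc)", re.IGNORECASE)),
    ("system information discovery",
     re.compile(r"\bsysteminfo(?:\.exe)?\b", re.IGNORECASE)),
]

# Constructed process-creation events: (timestamp, host, command line). Not NetWitness output.
SAMPLE_EVENTS = [
    ("2022-05-20T10:00:00", "WS01",
     r"wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName"),
    ("2022-05-20T10:00:30", "WS01", 'net group "Domain Admins" /domain'),
    ("2022-05-20T10:01:05", "WS01", "nltest /dclist:corp"),
    ("2022-05-20T10:01:40", "WS01", "net user /domain"),
    ("2022-05-20T10:02:00", "WS02", "net user alice"),
    ("2022-05-20T10:05:00", "WS02", r"notepad.exe C:\Users\alice\todo.txt"),
]


def categorize(cmdline):
    """Discovery categories a command line belongs to (usually zero or one)."""
    return [name for name, rx in DISCOVERY_PATTERNS if rx.search(cmdline)]


def discovery_bursts(events, window_s=600, min_categories=3):
    """Map host -> sorted categories for hosts that ran min_categories distinct
    discovery categories within any window_s-second window."""
    hits = defaultdict(list)
    for ts, host, cmdline in events:
        for cat in categorize(cmdline):
            hits[host].append((datetime.fromisoformat(ts), cat))
    flagged = {}
    for host, seq in hits.items():
        seq.sort()
        best = set()
        # Slide a window starting at each hit and keep the richest set of categories seen.
        for i, (start, _) in enumerate(seq):
            seen = {cat for ts, cat in seq[i:] if (ts - start).total_seconds() <= window_s}
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_categories:
            flagged[host] = sorted(best)
    return flagged


if __name__ == "__main__":
    for host, cats in discovery_bursts(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(cats)}")
```

Counting distinct categories rather than raw command counts is the point: an administrator running net user twenty times is one category, whereas the AV query, group enumeration and domain-controller lookup together mirror the sequence described above.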

Conclusion and Solution

BazarLoader is an example of an initial malware infection moving to Cobalt Strike, followed by reconnaissance activity.

Post-infection, the malware gives threat actors a variety of command and code execution options, along with built-in file upload and self-deletion capabilities. This variety allows attackers to be dynamic while exfiltrating data, installing another payload on the targeted machine, or spreading ransomware further across the network.

Although BazarLoader is in constant development and varies with each variant, understanding a malware family, its usual delivery methods, and the techniques it uses is very beneficial for a SOC analyst, incident responder, or threat hunter. NetWitness can help your organization detect the presence of BazarLoader within your environment, so you can respond before this malware causes major loss in the form of data, intellectual property, exfiltration, and/or financial damage.


References:

A Bazar of Tricks: Following Team9's Development Cycles (cybereason.com)

Case Study: From BazarLoader to Network Reconnaissance (paloaltonetworks.com)

BazarLoader to Conti Ransomware in 32 Hours (thedfirreport.com)

Corporate website contact forms used to spread BazarBackdoor malware (bleepingcomputer.com)

https://attack.mitre.org/software/S0534/


  • BazarBackdoor
  • BazarLoader
  • BOCs
  • Malware
  • NetWitness Endpoint
  • threat detection