
  • Threat Type: Backdoor

  • Destructiveness: No

  • In the wild: Yes

  OVERVIEW

BAZAR is a loader and backdoor. The loader gives the attacker an initial foothold in the environment, while the backdoor establishes persistence. Together they give the attacker the opportunity to drop further payloads, such as ransomware and exploits, that can be used to exfiltrate data and execute backdoor commands on the infected machine.

BAZAR is closely associated with earlier TRICKBOT campaigns because of similarities in its infection chain: it reuses associated domains, signs its malware with revoked certificates, and uses an almost identical decryption routine.

It was first seen in April 2020, distributed through phishing emails with subjects related to the COVID-19 or coronavirus pandemic, customer complaints, and employee termination. The message contains links to files hosted on Google Docs. Once the user clicks the link, they are redirected to a landing page stating that the document cannot be viewed properly and instructing them to click another link to open the file. Doing so downloads an executable that mimics the icons and names associated with the file types mentioned, so the user is tricked into opening the file without knowing it is malicious.

BAZAR is known to do the following:

  • Deploys other malware such as RYUK

  • Can bypass process-based and/or signature-based defenses because it is digitally signed

  • BazarLoader modifies the registry to ensure automatic execution at every startup

  • BazarLoader checks the system's layout settings and terminates itself if they are Russian, suggesting that the RYUK operators avoid targeting Russian-speaking countries

  • BazarLoader connects to its C&C server, then downloads and executes BazarBackdoor

  • BazarBackdoor can:

    • Manage files/folders (notably to change their date/time)

    • Manage processes (notably to inject code and adjust permissions)

    • Manage services

    • Connect to a named pipe

    • Impersonate tokens

A typical BAZAR infection chain follows: