Rewterz Threat Alert – New Versions of the Bazar Loader and Backdoor

Severity

Medium

Analysis Summary

New versions of Bazar loader and backdoor are circulating. A number of versions, including development versions, were analyzed for the report. The first version of Bazar appeared in April 2020 with further versions appearing in June. Prior investigations and commonalities in the malware led researchers to conclude that the Bazar malware is from the same actors behind the well known Trickbot banking Trojan. The Bazar code is obfuscated and designed to evade detection while retaining persistence. Bazar makes use of EmerDNS blockchain domains, uses the Twilio SendGrid email platform, has a different network callback system than prior malware related to Trickbot, and leverages signed loader files. While Bazar is being actively developed, versions of it have been used in attacks against a small number of high value targets.

Impact

• Credential theft
• Information disclosure

Indicators of Compromise

SHA-256

• 1e123a6c5d65084ca6ea78a26ec4bebcfc4800642fec480d1ceeafb1cacaaa83
• 56eb71f706043c7504e756379b1869adc4c07b93327c0bd4ff83d9bdca108804
• a76426e269a2defabcf7aef9486ff521c6110b64952267cfe3b77039d1414a41
• c55f8979995df82555d66f6b197b0fbcb8fe30b431ff9760deae6927a584b9e3
• 835edf1ec33ff1436d354aa52e2e180e3e8f7500e9d261d1ff26aa6daddffc55
• 55d95d9486d77df6ac79bb25eb8b8778940bac27021249f779198e05a2e1edae
• 4e4f9a467dd041e6a76e2ea5d57b28fe5a3267b251055bf2172d9ce38bea6b1f
• 859fa9acf0b8a989a1634a1eee309355438b9f6b6f73b69f12d53ac534618c6a
• 5a888d05804d06190f7fc408bede9da0423678c8f6eca37ecce83791de4df83d
• 7f757770f2049c23624a483feb6e9331693ded0dafb9c636f96fe6b9307a704c
• b2583eb8e1d4241644ed9c366bf5ef58ab1a4fa26788358c6b14fdb48d0261b5
• 467c33cb979804dad154612a808f2ea234f7501f8d36bf610ed457cc48993c49
• f6cddc2f46ec3e8dc95b6fe42c6f30745bf0e7d3e9788c35a96199c82fc04f66
• b2478fd8e1cbaed66ad8f46e7edbc0f61b4eb94e5c10e1df23efed86a1ea4490
• 8a0ae971d0f4dc4c1027ff117fea0761d042baa6b8a6f6451410b580597f7021
• 2e99ed535a9f73bafab151ec409de04c953a0187cb8e4063317617befa09068d
• 911ad05e24337f4e9c648b81ff5d94d54b30cb94b69601253085a5138913adfe
• d04bdbff24b1bed41536664bb9696387fc6e88756efa76ecf345937e7cfa014d
• 04ad133967d2076e4ce4cbd04c058ba7e8e3725fb72102e2b1b5de433f44de33
• 3fe61d87c9454554b0ce9101f95e18abad8ac6c62dcc88dc651ddfb20568e060
• b10dcec77e00b1f9b1f2e8e327a536987ca84bcb6b0c7327c292f87ed603837d
• 363b6e0bc8873a6a522fe9485c7d8b4cbcffa1da61787930341f94557487c5a8
• 8f552e9ca2bedd90ce9935a665758d5de2e86b6fda32d98918534a8a5881f91a
• a0d0cfa8bf0bc5b8f769d8b64eab22d308b108dd8a4d59872946d69c3f8c58a5
• ae7daa7ce3188ccfe4069ba14c486631eea9505b7a107a17ddee29061b0ede99
• f3c6d7309f00cc7009bea4be6128f0af2ea6b87ab7a687d14092f85ccd35c1f5
• 35b3fe2331a4a7d83d203e75ece5189b7d6d06af4abac8906348c0720b6278a4
• 5974d938bc3bbfc69f68c979a6dc9c412970fc527500735385c33377ab30373a
• c7d02d16e35449bfbd571667d2c571657aa526d58891242884e1f2b81ef932e8

Remediation

• Block all threat indicators at your respective controls.
• Search for IOCs in your environment.