July 21, 2020
Severity
Medium
Analysis Summary
New versions of the Bazar loader and backdoor are circulating. A number of versions, including development builds, were analyzed for the report. The first version of Bazar appeared in April 2020, with further versions appearing in June. Prior investigations and commonalities in the malware led researchers to conclude that Bazar comes from the same actors behind the well-known TrickBot banking Trojan. The Bazar code is obfuscated and designed to evade detection while retaining persistence. Bazar uses EmerDNS blockchain domains, uses the Twilio SendGrid email platform, has a network callback system that differs from prior TrickBot-related malware, and leverages signed loader files. While Bazar is still under active development, versions of it have already been used in attacks against a small number of high-value targets.
Impact
- Credential theft
- Information disclosure
Indicators of Compromise
SHA-256
- 1e123a6c5d65084ca6ea78a26ec4bebcfc4800642fec480d1ceeafb1cacaaa83
- 56eb71f706043c7504e756379b1869adc4c07b93327c0bd4ff83d9bdca108804
- a76426e269a2defabcf7aef9486ff521c6110b64952267cfe3b77039d1414a41
- c55f8979995df82555d66f6b197b0fbcb8fe30b431ff9760deae6927a584b9e3
- 835edf1ec33ff1436d354aa52e2e180e3e8f7500e9d261d1ff26aa6daddffc55
- 55d95d9486d77df6ac79bb25eb8b8778940bac27021249f779198e05a2e1edae
- 4e4f9a467dd041e6a76e2ea5d57b28fe5a3267b251055bf2172d9ce38bea6b1f
- 859fa9acf0b8a989a1634a1eee309355438b9f6b6f73b69f12d53ac534618c6a
- 5a888d05804d06190f7fc408bede9da0423678c8f6eca37ecce83791de4df83d
- 7f757770f2049c23624a483feb6e9331693ded0dafb9c636f96fe6b9307a704c
- b2583eb8e1d4241644ed9c366bf5ef58ab1a4fa26788358c6b14fdb48d0261b5
- 467c33cb979804dad154612a808f2ea234f7501f8d36bf610ed457cc48993c49
- f6cddc2f46ec3e8dc95b6fe42c6f30745bf0e7d3e9788c35a96199c82fc04f66
- b2478fd8e1cbaed66ad8f46e7edbc0f61b4eb94e5c10e1df23efed86a1ea4490
- 8a0ae971d0f4dc4c1027ff117fea0761d042baa6b8a6f6451410b580597f7021
- 2e99ed535a9f73bafab151ec409de04c953a0187cb8e4063317617befa09068d
- 911ad05e24337f4e9c648b81ff5d94d54b30cb94b69601253085a5138913adfe
- d04bdbff24b1bed41536664bb9696387fc6e88756efa76ecf345937e7cfa014d
- 04ad133967d2076e4ce4cbd04c058ba7e8e3725fb72102e2b1b5de433f44de33
- 3fe61d87c9454554b0ce9101f95e18abad8ac6c62dcc88dc651ddfb20568e060
- b10dcec77e00b1f9b1f2e8e327a536987ca84bcb6b0c7327c292f87ed603837d
- 363b6e0bc8873a6a522fe9485c7d8b4cbcffa1da61787930341f94557487c5a8
- 8f552e9ca2bedd90ce9935a665758d5de2e86b6fda32d98918534a8a5881f91a
- a0d0cfa8bf0bc5b8f769d8b64eab22d308b108dd8a4d59872946d69c3f8c58a5
- ae7daa7ce3188ccfe4069ba14c486631eea9505b7a107a17ddee29061b0ede99
- f3c6d7309f00cc7009bea4be6128f0af2ea6b87ab7a687d14092f85ccd35c1f5
- 35b3fe2331a4a7d83d203e75ece5189b7d6d06af4abac8906348c0720b6278a4
- 5974d938bc3bbfc69f68c979a6dc9c412970fc527500735385c33377ab30373a
- c7d02d16e35449bfbd571667d2c571657aa526d58891242884e1f2b81ef932e8
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.
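One way to carry out the "search for IOCs in your environment" step is a file-hash sweep: compute the SHA-256 of every regular file under a directory tree and report any digest that appears in the alert's indicator list. The script below is an added example written for this page, not tooling from Rewterz; the indicator set is copied from the SHA-256 list above, and the directory to sweep is a command-line argument (assumption: a host or mounted evidence path you already have access to). Note the usual caveat with hash-based indicators: a recompiled or repacked sample will not match, so a clean sweep is evidence of absence only for these exact files.

```python
"""Sweep a directory tree for files whose SHA-256 matches a known indicator."""
import hashlib
import os
import sys
from typing import Dict, Iterable, Set

# SHA-256 indicators from the alert's Indicators of Compromise section.
BAZAR_IOC_SHA256: Set[str] = set("""
1e123a6c5d65084ca6ea78a26ec4bebcfc4800642fec480d1ceeafb1cacaaa83
56eb71f706043c7504e756379b1869adc4c07b93327c0bd4ff83d9bdca108804
a76426e269a2defabcf7aef9486ff521c6110b64952267cfe3b77039d1414a41
c55f8979995df82555d66f6b197b0fbcb8fe30b431ff9760deae6927a584b9e3
835edf1ec33ff1436d354aa52e2e180e3e8f7500e9d261d1ff26aa6daddffc55
55d95d9486d77df6ac79bb25eb8b8778940bac27021249f779198e05a2e1edae
4e4f9a467dd041e6a76e2ea5d57b28fe5a3267b251055bf2172d9ce38bea6b1f
859fa9acf0b8a989a1634a1eee309355438b9f6b6f73b69f12d53ac534618c6a
5a888d05804d06190f7fc408bede9da0423678c8f6eca37ecce83791de4df83d
7f757770f2049c23624a483feb6e9331693ded0dafb9c636f96fe6b9307a704c
b2583eb8e1d4241644ed9c366bf5ef58ab1a4fa26788358c6b14fdb48d0261b5
467c33cb979804dad154612a808f2ea234f7501f8d36bf610ed457cc48993c49
f6cddc2f46ec3e8dc95b6fe42c6f30745bf0e7d3e9788c35a96199c82fc04f66
b2478fd8e1cbaed66ad8f46e7edbc0f61b4eb94e5c10e1df23efed86a1ea4490
8a0ae971d0f4dc4c1027ff117fea0761d042baa6b8a6f6451410b580597f7021
2e99ed535a9f73bafab151ec409de04c953a0187cb8e4063317617befa09068d
911ad05e24337f4e9c648b81ff5d94d54b30cb94b69601253085a5138913adfe
d04bdbff24b1bed41536664bb9696387fc6e88756efa76ecf345937e7cfa014d
04ad133967d2076e4ce4cbd04c058ba7e8e3725fb72102e2b1b5de433f44de33
3fe61d87c9454554b0ce9101f95e18abad8ac6c62dcc88dc651ddfb20568e060
b10dcec77e00b1f9b1f2e8e327a536987ca84bcb6b0c7327c292f87ed603837d
363b6e0bc8873a6a522fe9485c7d8b4cbcffa1da61787930341f94557487c5a8
8f552e9ca2bedd90ce9935a665758d5de2e86b6fda32d98918534a8a5881f91a
a0d0cfa8bf0bc5b8f769d8b64eab22d308b108dd8a4d59872946d69c3f8c58a5
ae7daa7ce3188ccfe4069ba14c486631eea9505b7a107a17ddee29061b0ede99
f3c6d7309f00cc7009bea4be6128f0af2ea6b87ab7a687d14092f85ccd35c1f5
35b3fe2331a4a7d83d203e75ece5189b7d6d06af4abac8906348c0720b6278a4
5974d938bc3bbfc69f68c979a6dc9c412970fc527500735385c33377ab30373a
c7d02d16e35449bfbd571667d2c571657aa526d58891242884e1f2b81ef932e8
""".split())

CHUNK_SIZE = 1024 * 1024  # hash in 1 MiB chunks so large files do not load into memory


def sha256_of_file(path: str) -> str:
    """Return the lower-case hex SHA-256 of the file at path."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def normalize_iocs(iocs: Iterable[str]) -> Set[str]:
    """Lower-case the indicators and keep only well-formed 64-hex-char digests.

    Dropping anything else means a blank line, a stray MD5 or a copy-paste
    artefact in the list can never produce a match on its own.
    """
    hexdigits = set("0123456789abcdef")
    cleaned = set()
    for ioc in iocs:
        candidate = ioc.strip().lower()
        if len(candidate) == 64 and set(candidate) <= hexdigits:
            cleaned.add(candidate)
    return cleaned


def scan_tree(root: str, iocs: Iterable[str]) -> Dict[str, str]:
    """Return {path: sha256} for every regular file under root whose digest is an IOC."""
    wanted = normalize_iocs(iocs)
    hits: Dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            # Skip symlinks and special files; only hash real regular files.
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                digest = sha256_of_file(path)
            except OSError:
                continue  # locked or unreadable file: skip it and keep sweeping
            if digest in wanted:
                hits[path] = digest
    return hits


if __name__ == "__main__":
    # Usage: python ioc_sweep.py /path/to/sweep   (defaults to the current directory)
    sweep_root = sys.argv[1] if len(sys.argv) > 1 else "."
    for matched_path, matched_digest in sorted(scan_tree(sweep_root, BAZAR_IOC_SHA256).items()):
        print(f"MATCH {matched_digest} {matched_path}")
```

Run it against a mounted image or a host's user-writable paths; any `MATCH` line is a file to quarantine and hand to incident response, and unreadable files are skipped rather than aborting the sweep so one locked handle cannot hide the rest of the tree.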