Request a Demo
Rewterz
Rewterz Threat Advisory – Cisco Small Business 100, 300, and 500 Series Wireless Access Points Command Injection Vulnerabilities
May 20, 2021
Rewterz
Rewterz Threat Advisory – VMware Workstation Multiple Vulnerabilities
May 21, 2021

Rewterz Threat Alert – The BazarCall Method BazarLoader Malware Uses – Active IOCs

Severity

High

Analysis Summary

The BazarLoader malware is a small backdoor (a TrickBot adjacent malware) to an infected victim Windows host. BazarLoader currently uses a BazarCall method that infects the victim’s system and provides cybercriminals with backdoors that can be used in the future to send follow-up malware, scan the environment and exploit other vulnerable hosts on the network.

Researchers have reported the latest method used by threat actors to spread the malware; the call-center-based bazarLoader distribution method utilizes emails with a trial subscription-based theme that encourages potential victims to call a phone number. The victim is hoodwinked into thinking that they have subscribed to a service they didn’t sign up for and are directed to call a certain number for help. The call center operator directs the victim into downloading an infected excel sheet that is installed upon unsubscribing from the service.

The following chain of events takes place in the BazarCall Method:

  • A trial subscription-themed email is received by the victim that directs them to call a phone number to a call center for assistance.
  • The victim calls the phone number to unsubscribe from the service.
  • The call center operator guides them to a fake company website.
  • Upon clicking the unsubscribe option, a Microsoft Excel file is downloaded from the website.
  • The call center operator instructs the victim to enable macros on the downloaded Excel file.
  • The BazarLoader Malware is installed on the system.
  • The victim is informed by the call center operator that the unsubscription was successful.
  • BazarLoader generates command and control (C2) traffic from the infected Windows host.
  • Backdoor access through BazarLoader leads to post-infection activities.
advisory-1621575984.jpeg

Impact

Data Breach

Affected Vendors

Microsoft

Affected Products

Windows

Indicators of Compromise

Destination IP

  • 198[.]54[.]117[.]244
  • 176[.]111[.]174[.]57
  • 176[.]111[.]174[.]58
  • 176[.]111[.]174[.]61
  • 176[.]111[.]174[.]62
  • 198[.]54[.]117[.]244
  • 104[.]21[.]74[.]174
  • 172[.]67[.]160[.]87
  • 176[.]111[.]174[.]57
  • 82[.]194[.]74[.]104

MD5

  • 14089c2d5a4207dd80f71fb258200848
  • 5ad4845793b5dc3308172b39f3c3dbc7
  • dc37192b5c4c8c4f94c73c18ce5e3829

SHA-256

  • ae1a1fcbc0f32a7c53cee9c5d27583d21309d824e1524f85812e4b6abad8de4e
  • 0055ea96cd5145ea54f3e0bd488451c1a814dd1969160cb18137922a884ffa5e
  • 09affa7f8e253edd9d4deda4413fba040829ff95b9263dda6f6bf8f269e27c0b
  • f617eaecc30a486198c85981d07f22b090c7f3c1cd88565a87865f58ec479857
  • 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
  • f3b5cf1e40aed4567a8996cf107285907d432b4bc8cc3d0b46aae628813d82d4
  • 2632c0cc222a6d436b50a418605a7bd4fa8f363ab8d93d10b831cdb28a2ac1bc
  • db53f42e13d2685bd34dbc5c79fad637c9344e72e210ca05504420874e98c2a6
  • 975ea7fce484089ec7d54b0abf2eecc16a1d04cd3e610a9e67cc3ae2885f3899
  • f28d451125fe14399cf4107e65ff11c49edf899a9d256563d177bce4880e9dd0
  • fb94f0c62b1eb990c2c39413cda78b45690e275aceb85af58bb84c887fc4bb67
  • c1add84da66b44da51f1ce07c4d1afafa84aa8ad19092bb04f57c0d627a70b0d
  • 536d1a135f6f0a9bc337108a2b10ce81515c5bc26b654ec9f8e4b5e53d06c959
  • c51bf8c74311b8941dca2f63a0850e61c1058af6af0ac42d81c2d85cd64d37cb
  • 2e5275c35b262674705f3c2bd6becc80a067f2660798881d0f5344ac97bd592d
  • 5b05cae0880543c3adc28a2d5a45af4931de6d2b4197d2d3c26e4471dd4cf2a8
  • fa5df8c17cdbe12483e369e947f545578ee14ae87a3f4af656cf62dc5e7aa81a

SHA1

  • 80fa3d47f321108d7c956680ac1b1f5c611d6277
  • 4285a93ec1a49f28cb2542af2a2bafc08e4f8a18
  • 0aa6bb11a11dade2269d90b2781ed0a517362012

URL

  • http[:]//whynt[.]xyz/campo/w/w
  • http[:]//veso2[.]xyz/campo/r/r1
  • http[:]//about2[.]xyz/campo/a/a1
  • http[:]//basket2[.]xyz/campo/u/u1
  • http[:]//dance4[.]xyz/campo/d8/d9
  • https[:]//www[.]gnu[.]org/software/campo/d8/d9
  • http[:]//glass3[.]xyz/campo/gl/gl3
  • http[:]//idea5[.]xyz/campo/id/id8
  • http[:]//keep2[.]xyz/campo/jl/jl7
  • http[:]//whynt[.]xyz/uploads/files/dl8x64[.]exe
  • http[:]//admin[.]yougleeindia[.]in/theme/js/plugins/o1e[.]exe
  • http[:]//admin[.]yougleeindia[.]in/theme/js/plugins/rt3ret3[.]exe
  • http[:]//about2[.]xyz/uploads/files/ret5er[.]exe
  • http[:]//www[.]carsidecor[.]com/wp-content/uploads/2021/04/cv76[.]exe
  • http[:]//dance4[.]xyz/uploads/files/10r3[.]exe
  • http[:]//glass3[.]xyz/uploads/files/hah5[.]exe
  • http[:]//idea5[.]xyz/uploads/files/ratan[.]exe
  • http[:]//idea5[.]xyz/uploads/files/rets[.]exe
  • http[:]//keep2[.]xyz/uploads/files/suka[.]exe

Remediation

  • Download the latest patches for all products.
  • Keep Windows up-to-date.
  • Practice cyber vigilance online and maintain healthy internet habits.
  • Keep an eye out for malicious emails and upgrade spam properties in email applications.
  • Never download files from malicious websites.
  • Run and update anti-virus software regularly.