| Name | Bazar |
| Additional Names | Baza, BazarLoader, BazarBackdoor, Bazacall |
| Type of Malware | Dropper and backdoor |
| Location – Country of Origin | Russia |
| Date of initial activity | 2020 |
| Associated Groups | WizardSpider, EXOTIC LILY, TA551, BazaCall |
| Motivation | Designed to target a device, collect sensitive information, control the system via commands, and deliver malware |
| Attack Vectors | Phishing email, call centers to distribute malicious Excel documents that install malware. |
| Targeted System | Microsoft windows |
Overview
Discovered in 2020, Bazar Loader and Bazar Backdoor are used in the initial stages of infection by the WizardSpider cybercrime gang. The loader is responsible for fetching the next stages, and the backdoor is meant for persistence. The infections are usually followed by a full-scale ransomware deployment, using Conti or Ryuk.
Targets
Professional services, healthcare, manufacturing, IT, logistics and travel companies across the US and Europe. Windows Users
Tools/ Techniques Used
Associated Software: KEGTAP, Team9. Bazar is spread in email campaigns. These emails contain a link to a malicious document. The Bazar loader often comes as an executable with a pdf icon. Criminals lure the recipient into opening a webpage to view a pdf version of a fake bonus report, fake customer complaint report, or fake billing statement, etc. Once the victim clicks any hyperlink in the email, it brings the victim to a malicious webpage. The downloaded file is an executable file that uses a PDF document-like icon to deceive the intended victim. By default, Windows hides the actual extension (for example, “.exe”).
The downloaded executable file is recognized as a 64-bit file in the analysis tool, which means it is only able to execute on 64-bit Microsoft Windows Operating Systems. This file is a loader of Bazar. Once the Bazar loader starts, an encrypted Resource that hides in the “Font Directory” is loaded into its memory. The real Bazar loader then initiates communication with its C2 server. The host and URL strings are decrypted from constant data in that stack. Once it passes packet verification, the C2 server replies with an encrypted Bazar payload to the client (Bazar loader). This is decrypted in the API function BCryptDecrypt() that is called by the Bazar loader. Once it passes packet verification, the C2 server replies with an encrypted Bazar payload to the client (Bazar loader). This is decrypted in the API function BCryptDecrypt() that is called by the Bazar loader.
Impact / Significant Attacks
Campaign C0015
Indicators of Compromise (IoCs)
URLs
hxxps[:]//complaintsreport2020[.]gr8[.]com/
hxxps[:]//app[.]getresponse[.]com/lpc_unpublish.html
hxxps[:]//englewoodcarwashh[.]us:443/cgi-bin/req5
Sample SHA-256
[Preview_report20-01.exe]
0BFB64DFF37DD50449AF75EC204F0B4981AC3B16790458F6A492C7B27905A9A7
[Print-report27-01.exe]
6E6C0EBC1BB2D99CE358612572F4BCF52578527EEEF6629FFCE81B35F5FA1A99
