
Bazar Toolset

Bazar is a sophisticated modular toolset designed by the Wizard Spider APT group as a replacement for the infamous Trickbot trojan. Incorporating much of the same functionality as Trickbot, it has seen a marked rise in usage since October.




Affected platforms

The following platforms are known to be affected:

Threat details

Introduction

First observed in early 2020, Bazar is an advanced multi-component toolset created by the Wizard Spider advanced persistent threat (APT) group for use in their own campaigns.

Bazar consists of two main modules: BazarBackdoor (AKA BazaBackdoor, BeerBot or Syndet) and BazarLoader (AKA BazaLoader, KEGTAP, or YerLoader). Despite sightings going back to April, it appeared to be far less popular with Wizard Spider operators than Trickbot. However, it has seen a substantial rise in usage in the time since Trickbot was taken down, and now appears to be Wizard Spider's primary post-access tool.


Delivery

Bazar components were typically delivered in highly tailored spearphishing campaigns operated through the legitimate email marketing service Sendgrid. These emails contain links to Microsoft Office or Google Docs documents, which themselves contain links to an initial payload. This payload contains a headless preliminary loader, which downloads, unpacks, and loads the BazarLoader module.

Newer Bazar campaigns appear to forego the spam distribution in favour of more direct delivery methods, primarily dropping BazarLoader in human-operated attacks against exposed administration interfaces or remote services.



Activities

Once installed on the target system, BazarLoader sleeps for a hardcoded number of seconds before connecting to a command and control (C2) server. Older variants of BazarLoader and BazarBackdoor used the EmerDNS decentralised DNS resolver to reach their C2 domains, whilst newer versions use the standard DNS resolver. C2 domains are dynamically assigned and change every few hours. If the connection succeeds, BazarLoader downloads an XOR-encrypted BazarBackdoor payload, decrypts it, and injects it into a running process using both process hollowing and process doppelgänging. In most cases, BazarLoader then removes itself from the target system.
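One detection check the EmerDNS behaviour suggests, as an added example that is not part of this advisory: a Python routine that scans DNS query logs for lookups in the EmerDNS namespace (.bazar and the other Emercoin zones), which ICANN-root resolvers cannot answer, so any internal host querying them is worth investigating. The CSV log layout and the sample lines are constructed for the example.

```python
"""Flag DNS lookups for EmerDNS top-level domains (.bazar, .coin, .emc, .lib).

These zones do not exist in the ICANN root, so a corporate host querying them
either has a misconfigured resolver or runs software, such as older
BazarLoader/BazarBackdoor, built to use an alternative resolver.
Constructed example; the CSV layout (timestamp,client,query,rcode) is made up.
"""
from collections import defaultdict

# EmerDNS (Emercoin) namespace TLDs; .bazar is the one Bazar C2 domains used.
EMERDNS_TLDS = {"bazar", "coin", "emc", "lib"}

# Constructed sample log; client IPs and names are placeholders, not real IoCs.
SAMPLE_DNS_LOG = """\
2021-04-20T09:12:01Z,10.0.5.23,www.example.com,NOERROR
2021-04-20T09:12:07Z,10.0.5.23,placeholder-c2.bazar,NXDOMAIN
2021-04-20T09:12:09Z,10.0.5.23,second-c2.bazar.,NXDOMAIN
2021-04-20T09:13:44Z,10.0.7.91,updates.example.net,NOERROR
2021-04-20T09:14:02Z,10.0.7.91,bazar.example.org,NOERROR
2021-04-20T09:15:30Z,10.0.9.14,shop.coin,NXDOMAIN
this line is malformed and must be skipped
"""


def tld_of(name: str) -> str:
    """Lower-case final label of a query name; a trailing root dot is tolerated."""
    labels = name.strip().rstrip(".").lower().split(".")
    return labels[-1]


def flag_emerdns_queries(log_text: str) -> dict:
    """Return {client_ip: [query, ...]} for queries whose TLD is an EmerDNS zone.

    Only the last label counts, so 'bazar.example.org' (a real .org host) is
    not flagged, while 'name.bazar' and 'name.bazar.' both are.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:          # skip malformed records rather than crash
            continue
        _ts, client, qname, _rcode = parts
        if tld_of(qname) in EMERDNS_TLDS:
            hits[client].append(qname.rstrip(".").lower())
    return dict(hits)


if __name__ == "__main__":
    for client, names in flag_emerdns_queries(SAMPLE_DNS_LOG).items():
        print(f"{client}: {len(names)} EmerDNS lookup(s): {', '.join(names)}")
```

Newer Bazar versions use the ordinary resolver, so this check covers only the EmerDNS-era samples; it complements, rather than replaces, monitoring of the rapidly rotating C2 domains.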

BazarBackdoor then connects to a separate C2 server using the same infrastructure. It is at this point that Wizard Spider operators begin actively controlling the malware. Initially, an operator downloads a post-exploitation toolkit, typically Cobalt Strike, Metasploit, or Empire. These are then used to gather system and user information, and to enumerate the network via LDAP, SMB, and WMI. The operators also attempt to enumerate the Active Directory structure.

When they are satisfied with the information they have collected, Wizard Spider attempt to harvest credentials using Mimikatz or a similar tool. These credentials are then used, in combination with several exploits including EternalBlue and Zerologon, to move laterally to other connected systems, at which point they repeat the process until the entire network is compromised.

Once full network access is achieved, Wizard Spider will drop other tools onto the network, namely Ryuk, or sell access to other attackers. The latest Bazar campaigns are able to achieve full network access in less than 5 hours from initial access.


Threat updates

22 Apr 2021: Slack and BaseCamp cloud storage used for malware distribution; BazarCall adds a fake online lending library

BazarLoader's spam campaigns are pointing to cloud storage on popular collaborative software companies BaseCamp and Slack. The attackers are luring employees of large organisations to click on shortened URL links with a fake Adobe PDF icon, which points directly to the malware executable.

BazarCall is now including a fake online lending library called BookPoint. The user receives an email claiming that a free subscription is ending, and they must unsubscribe. When they ring the phone number in the email, a call centre responds and the user is directed to a well-designed website that has an “unsubscribe” button that delivers a malicious document infected with malware.

1 Apr 2021: Call centres used to distribute BazarLoader and other malware as Distribution-as-a-Service

BazarCall starts with a targeted phishing email which claims that a trial period for a medical service has finished and now the user will be charged the full price of a subscription. The email gives a phone number to cancel the subscription and after placing the call, the user connects with a live person at a call centre.

Once connected with a live person, the user is asked for a ‘unique customer ID’ from the phishing email, which is used to identify the user’s company. From this number, the call centre agent directs the user to a fake website, where they will be prompted to load an Excel document and enable macros. At that point, BazarLoader will be downloaded and executed on a user’s machine. 

This model of running call centres and renting out distribution is known as Distribution-as-a-Service. The BazarCall campaign is not used solely for BazarLoader; it is also being used to deploy other malware such as TrickBot, IcedID, and Gozi ISFB.

19 Feb 2021: New version of Bazar found to be programmed in the Nim language

Reported analysis on a new version of Bazar has found that the toolset has been ported to the Nim programming language. As Nim is rarely used for malware development, it has likely been used to help evade detection by antivirus solutions. The new file hash has been added to the end of the indicators of compromise in this article.


Remediation advice

To prevent and detect an infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.


Indicators of compromise


Last edited: 22 April 2021 12:31 pm