Skip to main content
Bazar Toolset

Bazar is a sophisticated modular toolset designed by the Wizard Spider APT group as a replacement for the infamous Trickbot trojan. Incorporating much of the same functionality as Trickbot, it has seen a marked rise in usage since October.

Report a cyber attack: call 0300 303 5222 or email carecert@nhsdigital.nhs.uk

Summary

Bazar is a sophisticated modular toolset designed by the Wizard Spider APT group as a replacement for the infamous Trickbot trojan. Incorporating much of the same functionality as Trickbot, it has seen a marked rise in usage since October.


Affected platforms

The following platforms are known to be affected:

Threat details

Introduction

First observed in early 2020, Bazar is an advanced multi-component toolset created by the Wizard Spider advanced persistent threat (APT) group for use in their own campaigns.

Bazar consists of two main modules: BazarBackdoor (AKA BazaBackdoor, BeerBot or Syndet) and BazarLoader (AKA BazaLoader, KEGTAP, or YerLoader). Despite sightings going back to April, it appeared to be far less popular with Wizard Spider operators than Trickbot. However, it has seen a substantial rise in usage in the time since Trickbot was taken down, and now appears to be Wizard Spider's primary post-access tool.


Delivery

Bazar components were typically delivered in highly tailored spearphishing campaigns operated through the legitimate email marketing service Sendgrid. These emails contain links to Microsoft Office or Google Docs documents, which themselves contain links to an initial payload. This payload contains a headless preliminary loader; which downloads, unpacks, and loads the BazarLoader module.

Newer Bazar campaigns appear to forego the spam distribution in favour of more direct delivery methods, primarily dropping BazarLoader in human-operated attacks against exposed administration interfaces or remote services.

 


Activities

Once installed on the target system, BazarLoader will sleep for a hardcoded number of seconds before connecting to a command and control (C2) server. Older variants of BazarLoader and BazarBackdoor used the EmerDNS decentralised DNS resolver to connect to C2 domains, whilst newer versions use the standard DNS resolver. C2 domains are dynamically assigned and change every few hours. If successful, BazarLoader downloads an XOR-encrypted BazarBackdoor payload, which it then decrypts and injects it into a running process using both process hollowing and doppelgänging. In most cases, BazarLoader will then remove itself from the target system.

BazarBackdoor will then connect to a separate C2 server using the same infrastructure. It is at this point that Wizard Spider operator's begin actively controlling the malware. Initially, an operator will download a post-exploitation toolkit, typically Cobalt Strike, Metasploit, or Empire. These are then used to gather system and user information, and to enumerate the network via LDAP, SMB, and WMI. They will also attempt to enumerate the Active Directory structure.

When they are satisfied with the information they have collected, Wizard Spider will attempt to harvest credentials using Mimikatz or some other tool. These credentials are then used, in combination with several exploits including EternalBlue and Zerologon, to move laterally to other connected systems, at which point the begin they repeat the process until the entire network is compromised.

Once full network access is achieved, Wizard Spider will drop other tools onto the network, namely Ryuk, or sell access to other attacks. The latest Bazar campaigns are able to achieve full network access in less than 5 hours from initial access.


Threat updates

Date Update
22 Apr 2021 Slack and BaseCamp cloud storage used for malware distribution and BazarCall adds a fake online lending library

BazarLoader's spam campaigns are pointing to cloud storage on popular collaborative software companies BaseCamp and Slack. The attackers are luring employees of large organisations to click on shortened URL links with a fake Adobe PDF icon, which points directly to the malware executable.

BazarCall is now including a fake online lending library called BookPoint. The user receives an email claiming that a free subscription is ending, and they must unsubscribe. When they ring the phone number in the email, a call centre responds and the user is directed to a well-designed website that has an “unsubscribe” button that delivers a malicious document infected with malware.

1 Apr 2021 Call centres used to distribute Bazar Loader and other malware in Distribution-as-a-Service

BazarCall starts with a targeted phishing email which claims that a trial period for a medical service has finished and now the user will be charged the full price of a subscription. The email gives a phone number to cancel the subscription and after placing the call, the user connects with a live person at a call centre.

Once connected with a live person, the user is asked for a ‘unique customer ID’ from the phishing email, which is used to identify the user’s company. From this number, the call centre agent directs the user to a fake website, where they will be prompted to load an Excel document and enable macros. At that point, BazarLoader will be downloaded and executed on a user’s machine. 

This model of running call centres and renting out distribution is known as Distribution-as-a-Service. Used not only for BazarLoader, this BazarCall campaign is also being used to deploy other malware such as TrickBot, IcedID, and Gozi IFSB.

19 Feb 2021 New version of Bazar found to be programmed in Nim language

Reported analysis on a new version of Bazar has found that the toolset has been ported to the Nim programming language. As Nim is rarely used for malware development, it has likely been used to help evade detection by antivirus solutions. The new file hash has been added to the end of the indicators of compromise in this article.


Remediation advice

To prevent and detect an infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.


Indicators of compromise

Network indicators

IP addresses

  • 164.68.107[.]165
  • 164.132.76[.]76
  • 195.123.241[.]194
  • 37.220.6[.]126
  • 54.37.237[.]253
  • 82.146.37[.]128
  • 85.143.221[.]85
  • 91.235.129[.]64

Domains

  • bestgame[.]bazar
  • bubl6g[.]com
  • coastdeny[.]bazar
  • crowngag[.]bazar
  • eventmoult[.]bazar
  • forgame[.]bazar
  • gate56dc[.]com
  • letcircle[.]bazar
  • newgame[.]bazar
  • portgame[.]bazar
  • rabbitfizz[.]bazar
  • realfish[.]bazar
  • shelfabaft[.]bazar
  • swimchief[.]bazar
  • tallcareful[.]bazar
  • thegame[.]bazar
  • workrepair[.]bazar

URLs

  • https://bubl6g[.]com/api/v202
  • https://bubl6g[.]com/api/v204
  • https://docs[.]google[.]com/document/d/e/2PACX-1vQ2WZ6MMjC7qPmdB_EFnCyHskJ27X7rLc5pAbyxVJSpKKgcN3Q7j_b45gW6ueLliwJr4nEhVRwAM6AI/pub
  • https://docs[.]google[.]com/document/d/e/2PACX-1vQ2WZ6MMjC7qPmdB_EFnCyHskJ27X7rLc5pAbyxVJSpKKgcN3Q7j_b45gW6ueLliwJr4nEhVRwAM6AI/pub
  • https://docs[.]google[.]com/document/d/e/2PACX-1vQ2WZ6MMjC7qPmdB_EFnCyHskJ27X7rLc5pAbyxVJSpKKgcN3Q7j_b45gW6ueLliwJr4nEhVRwAM6AI/pub
  • https://docs[.]google[.]com/document/d/e/2PACX-1vQ2WZ6MMjC7qPmdB_EFnCyHskJ27X7rLc5pAbyxVJSpKKgcN3Q7j_b45gW6ueLliwJr4nEhVRwAM6AI/pub
  • https://docs[.]google[.]com/document/d/e/2PACX-1vRD18SMRqTb8GqUi9OeZbeMGgm3qAKfP94U-8CM7s8W1RlA6CmkpJ5ZZaqAzH07yA-rflst4tJiNJ5g/pub
  • https://docs[.]google[.]com/document/d/e/2PACX-1vSlTDXLKwhIyqkQ8FShYijXNC2SvXoX4_ACfRF_ur-HAItkjzHhEn1CqBaWvTjoI0Jagbe6sdrrBLc5/pub
  • https://docs[.]google[.]com/document/d/e/2PACX-1vSlTDXLKwhIyqkQ8FShYijXNC2SvXoX4_ACfRF_ur-HAItkjzHhEn1CqBaWvTjoI0Jagbe6sdrrBLc5/pub
  • https://docs[.]google[.]com/document/d/e/2PACX-1vSlTDXLKwhIyqkQ8FShYijXNC2SvXoX4_ACfRF_ur-HAItkjzHhEn1CqBaWvTjoI0Jagbe6sdrrBLc5/pub
  • https://docs[.]google[.]com/document/d/e/2PACX-1vSlTDXLKwhIyqkQ8FShYijXNC2SvXoX4_ACfRF_ur-HAItkjzHhEn1CqBaWvTjoI0Jagbe6sdrrBLc5/pub
  • https://docs[.]google[.]com/document/d/e/2PACX-1vSlTDXLKwhIyqkQ8FShYijXNC2SvXoX4_ACfRF_ur-HAItkjzHhEn1CqBaWvTjoI0Jagbe6sdrrBLc5/pub
  • https://docs[.]google[.]com/document/d/e/2PACX-1vSlTDXLKwhIyqkQ8FShYijXNC2SvXoX4_ACfRF_ur-HAItkjzHhEn1CqBaWvTjoI0Jagbe6sdrrBLc5/pub
  • https://docs[.]google[.]com/document/d/e/2PACX-1vSlTDXLKwhIyqkQ8FShYijXNC2SvXoX4_ACfRF_ur-HAItkjzHhEn1CqBaWvTjoI0Jagbe6sdrrBLc5/pub
  • https://docs[.]google[.]com/document/d/e/2PACX-1vSlTDXLKwhIyqkQ8FShYijXNC2SvXoX4_ACfRF_ur-HAItkjzHhEn1CqBaWvTjoI0Jagbe6sdrrBLc5/pub
  • https://docs[.]google[.]com/document/d/e/2PACX-1vSlTDXLKwhIyqkQ8FShYijXNC2SvXoX4_ACfRF_ur-HAItkjzHhEn1CqBaWvTjoI0Jagbe6sdrrBLc5/pub
  • https://docs[.]google[.]com/document/d/e/2PACX-1vSlTDXLKwhIyqkQ8FShYijXNC2SvXoX4_ACfRF_ur-HAItkjzHhEn1CqBaWvTjoI0Jagbe6sdrrBLc5/pub
  • https://docs[.]google[.]com/document/d/e/2PACX-1vTqAijwQf6TANg8btSvoufjRDvTk2t8je8dU0h6QcoXDQBvfa8FD0RgC15_s85o8n6Orp-WcWk4Mm-v/pub
  • https://docs[.]google[.]com/document/d/e/2PACX-1vTqAijwQf6TANg8btSvoufjRDvTk2t8je8dU0h6QcoXDQBvfa8FD0RgC15_s85o8n6Orp-WcWk4Mm-v/pub
  • https://docs[.]google[.]com/document/d/e/2PACX-1vTqAijwQf6TANg8btSvoufjRDvTk2t8je8dU0h6QcoXDQBvfa8FD0RgC15_s85o8n6Orp-WcWk4Mm-v/pub
  • https://docs[.]google[.]com/document/d/e/2PACX-1vTqAijwQf6TANg8btSvoufjRDvTk2t8je8dU0h6QcoXDQBvfa8FD0RgC15_s85o8n6Orp-WcWk4Mm-v/pub
  • https://docs[.]google[.]com/document/d/e/2PACX-1vTqAijwQf6TANg8btSvoufjRDvTk2t8je8dU0h6QcoXDQBvfa8FD0RgC15_s85o8n6Orp-WcWk4Mm-v/pub
  • https://docs[.]google[.]com/document/d/e/2PACX-1vTqAijwQf6TANg8btSvoufjRDvTk2t8je8dU0h6QcoXDQBvfa8FD0RgC15_s85o8n6Orp-WcWk4Mm-v/pub
  • https://docs[.]google[.]com/document/d/e/2PACX-1vTqAijwQf6TANg8btSvoufjRDvTk2t8je8dU0h6QcoXDQBvfa8FD0RgC15_s85o8n6Orp-WcWk4Mm-v/pub
  • https://docs[.]google[.]com/document/d/e/2PACX-1vTqAijwQf6TANg8btSvoufjRDvTk2t8je8dU0h6QcoXDQBvfa8FD0RgC15_s85o8n6Orp-WcWk4Mm-v/pub
  • https://docs[.]google[.]com/document/d/e/2PACX-1vTqAijwQf6TANg8btSvoufjRDvTk2t8je8dU0h6QcoXDQBvfa8FD0RgC15_s85o8n6Orp-WcWk4Mm-v/pub
  • https://docs[.]google[.]com/document/d/e/2PACX-1vTqAijwQf6TANg8btSvoufjRDvTk2t8je8dU0h6QcoXDQBvfa8FD0RgC15_s85o8n6Orp-WcWk4Mm-v/pub
  • https://docs[.]google[.]com/document/d/e/2PACX-1vTsGuzrSsTi8jhbKyvPUKNA9m5Pk_B40cV9PpZOAWss34w_n8Xm07KA2uX4U_CNP6Wr_8AZbm8BIRVu/pub
  • https://docs[.]google[.]com/document/d/e/2PACX-1vTsGuzrSsTi8jhbKyvPUKNA9m5Pk_B40cV9PpZOAWss34w_n8Xm07KA2uX4U_CNP6Wr_8AZbm8BIRVu/pub
  • https://gate56dc[.]com/23c55b2cb0637e6dfa0f80a62ca03dc3/2
  • https://gate56dc[.]com/23c55b2cb0637e6dfa0f80a62ca03dc3/4

Email addresses

  • assist@onlyfruit[.]net
  • assistance@onlyfruit[.]net
  • centeraloffice@sd[.]anglersarsenal[.]com
  • headoffice@on[.]ramacomputers[.]ca
  • headoffice@pw[.]bigrockinmom[.]com
  • headoffice@ssl[.]raazfood[.]ca
  • info@sgcpromo[.]com
  • managementoffice@sec[.]raazfoods[.]com
  • no-reply@telecombill[.]net
  • office@sw[.]associatedsantabarbara[.]com
  • office@wd[.]makingfitfit[.]com
  • support@mooveru[.]com
  • support@mygritwire[.]com
  • support@reflexionesdiarias[.]net

Host indicators

SHA256 hashes

  • 0a8c7472081c60915acbc053370f9460ba4a05bcaec3cdc552b892c945b9eab3
  • 0d57d97a4f4d391b04cda27b0e518e4a91c4fa386e201e672ff8ee38811b9721
  • 11b5adaefd04ffdaceb9539f95647b1f51aec2117d71ece061f15a2621f1ece9
  • 1e123a6c5d65084ca6ea78a26ec4bebcfc4800642fec480d1ceeafb1cacaaa83
  • 4e4f9a467dd041e6a76e2ea5d57b28fe5a3267b251055bf2172d9ce38bea6b1f
  • 534d60392e0202b24d3fdaf992f299ef1af1fb5efef0096dd835fe5c4e30b0fa
  • 55d95d9486d77df6ac79bb25eb8b8778940bac27021249f779198e05a2e1edae
  • 5974d938bc3bbfc69f68c979a6dc9c412970fc527500735385c33377ab30373a
  • 5a888d05804d06190f7fc408bede9da0423678c8f6eca37ecce83791de4df83d
  • 5baf3ed66cf237266e3c96de431156b34b6c378b4f0b89998946c920fff99a35
  • 67ffdd2e3cab811ba06287c21133b46bb5d583d7d0ca11dc7aa4e83f026a50cc
  • 75a550d133ffb6f585689e3ac97bb59336df4ba718011ab2ba668da4fbfde1a2
  • 7c93d9175a38c23d44d76d9a883f7f3da1e244c2ab6c3ac9f29a9c9e20d20a5f
  • 81670800269207713d8cf4ae90f9a38e5d5ef49d54a48b754b53b75cff2aad78
  • 835edf1ec33ff1436d354aa52e2e180e3e8f7500e9d261d1ff26aa6daddffc55
  • 859fa9acf0b8a989a1634a1eee309355438b9f6b6f73b69f12d53ac534618c6a
  • 8a1fe2a0b4cf7f68e8239cc42cebd23a2905b6ec1b2fae51bc0ae37c84006aba
  • aed1b701e22a2c00b04020372f1fd2d534f4d097c35aedd618934804cd5b9795
  • b23504990949945298994fe36a74f143e6534c45c9b7186451f46891e117da6e
  • be823c611202f5a0ced2fd3cea533ef2eb050666442d8c747326fcd3c764918a
  • ca8194e9a1232e508619269bdf9a9c71c4b76e7852d86ed18f02088229b0f7c7
  • f193a4ad2e4e1f8e22de92775364aae6d6de6151574910cb754be442ecc53635
  • 397e4dc12d48fb0c4d80980643581c9416a4bed022d4676f30218fb1f1e1811c (added February 2021)

Last edited: 22 April 2021 11:31 am