S0534 Bazar
Bazar is a downloader and backdoor that has been used since at least April 2020, with infections primarily against professional services, healthcare, manufacturing, IT, logistics and travel companies across the US and Europe. Bazar reportedly has ties to TrickBot campaigns and can be used to deploy additional malware, including ransomware, and to steal sensitive data.[1]
| Item | Value |
|---|---|
| ID | S0534 |
| Associated Names | KEGTAP, Team9 |
| Type | MALWARE |
| Version | 1.2 |
| Created | 18 November 2020 |
| Last Modified | 29 September 2022 |
Associated Software Descriptions
| Name | Description |
|---|---|
| KEGTAP | [2][4] |
| Team9 | [1][3] |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1087 | Account Discovery | - |
| enterprise | T1087.001 | Local Account | Bazar can identify administrator accounts on an infected host.[3] |
| enterprise | T1087.002 | Domain Account | Bazar has the ability to identify domain administrator accounts.[3][6] |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Bazar can use HTTP and HTTPS over ports 80 and 443 in C2 communications.[1][3][7] |
| enterprise | T1197 | BITS Jobs | Bazar has been downloaded via Windows BITS functionality.[3] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | Bazar can create or add files to Registry Run Keys to establish persistence.[1][3] |
| enterprise | T1547.004 | Winlogon Helper DLL | Bazar can use Winlogon Helper DLL to establish persistence.[5] |
| enterprise | T1547.009 | Shortcut Modification | Bazar can establish persistence by writing shortcuts to the Windows Startup folder.[1][3] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | Bazar can execute a PowerShell script received from C2.[3][4] |
| enterprise | T1059.003 | Windows Command Shell | Bazar can launch cmd.exe to perform reconnaissance commands.[1][5] |
| enterprise | T1005 | Data from Local System | Bazar can retrieve information from the infected machine.[1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Bazar can decrypt downloaded payloads. Bazar also resolves strings and other artifacts at runtime.[1][3] |
| enterprise | T1482 | Domain Trust Discovery | Bazar can use Nltest tools to obtain information about the domain.[1][3] |
| enterprise | T1568 | Dynamic Resolution | - |
| enterprise | T1568.002 | Domain Generation Algorithms | Bazar can implement DGA using the current date as a seed variable.[1] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | Bazar can send C2 communications with XOR encryption.[3] |
| enterprise | T1573.002 | Asymmetric Cryptography | Bazar can use TLS in C2 communications.[5] |
| enterprise | T1008 | Fallback Channels | Bazar has the ability to use an alternative C2 server if the primary server fails.[3] |
| enterprise | T1083 | File and Directory Discovery | Bazar can enumerate the victim's desktop.[1][3] |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | Bazar has manually loaded ntdll from disk in order to identify and remove API hooks set by security products.[3] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | Bazar can delete its loader using a batch file in the Windows temporary folder.[3] |
| enterprise | T1070.009 | Clear Persistence | Bazar's loader can delete scheduled tasks created by a previous instance of the malware.[3] |
| enterprise | T1105 | Ingress Tool Transfer | Bazar can download and deploy additional payloads, including ransomware and post-exploitation frameworks such as Cobalt Strike.[1][5][3][4] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.004 | Masquerade Task or Service | Bazar can create a task named to appear benign.[1] |
| enterprise | T1036.005 | Match Legitimate Name or Location | The Bazar loader has named malicious shortcuts "adobe" and mimicked communications software.[1][3][4] |
| enterprise | T1036.007 | Double File Extension | The Bazar loader has used dual-extension executable files such as PreviewReport.DOC.exe.[1] |
| enterprise | T1104 | Multi-Stage Channels | The Bazar loader is used to download and execute the Bazar backdoor.[1][5] |
| enterprise | T1106 | Native API | Bazar can use various APIs to allocate memory and facilitate code execution/injection.[1] |
| enterprise | T1135 | Network Share Discovery | Bazar can enumerate shared drives on the domain.[3] |
| enterprise | T1027 | Obfuscated Files or Information | Bazar has used XOR, RSA2, and RC4 encrypted files.[1][3][4] |
| enterprise | T1027.002 | Software Packing | Bazar has a variant with a packed payload.[1][5] |
| enterprise | T1027.007 | Dynamic API Resolution | Bazar can hash then resolve API calls at runtime.[1][3] |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.002 | Spearphishing Link | Bazar has been spread via emails with embedded malicious links.[1][5][4] |
| enterprise | T1057 | Process Discovery | Bazar can identify the current process on a compromised host.[1] |
| enterprise | T1055 | Process Injection | Bazar can inject code through calling VirtualAllocExNuma.[1] |
| enterprise | T1055.012 | Process Hollowing | Bazar can inject into a target process including Svchost, Explorer, and cmd using process hollowing.[1][3] |
| enterprise | T1055.013 | Process Doppelgänging | Bazar can inject into a target process using process doppelgänging.[1][3] |
| enterprise | T1012 | Query Registry | Bazar can query Windows\CurrentVersion\Uninstall for installed applications.[1][3] |
| enterprise | T1018 | Remote System Discovery | Bazar can enumerate remote systems using Net View.[1] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | Bazar can create a scheduled task for persistence.[1][3] |
| enterprise | T1518 | Software Discovery | Bazar can query the Registry for installed applications.[1] |
| enterprise | T1518.001 | Security Software Discovery | Bazar can identify the installed antivirus engine.[1] |
| enterprise | T1553 | Subvert Trust Controls | - |
| enterprise | T1553.002 | Code Signing | Bazar has been signed with fake certificates including those appearing to be from VB CORPORATE PTY. LTD.[1] |
| enterprise | T1082 | System Information Discovery | Bazar can fingerprint architecture, computer name, and OS version on the compromised host. Bazar can also check if the Russian language is installed on the infected machine and terminate if it is found.[1][3] |
| enterprise | T1614 | System Location Discovery | - |
| enterprise | T1614.001 | System Language Discovery | Bazar can perform a check to ensure that the operating system's keyboard and language settings are not set to Russian.[3] |
| enterprise | T1016 | System Network Configuration Discovery | Bazar can collect the IP address and NetBIOS name of an infected machine.[1] |
| enterprise | T1033 | System Owner/User Discovery | Bazar can identify the username of the infected user.[3] |
| enterprise | T1124 | System Time Discovery | Bazar can collect the time on the compromised host.[1][3] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.001 | Malicious Link | Bazar can gain execution after a user clicks on a malicious link to decoy landing pages hosted on Google Docs.[1][5][4] |
| enterprise | T1497 | Virtualization/Sandbox Evasion | Bazar can attempt to overload sandbox analysis by sending 1550 calls to printf.[1] |
| enterprise | T1497.003 | Time Based Evasion | Bazar can use a timer to delay execution of core functionality.[3] |
| enterprise | T1102 | Web Service | Bazar downloads have been hosted on Google Docs.[1][5] |
| enterprise | T1047 | Windows Management Instrumentation | Bazar can execute a WMI query to gather information about the installed antivirus engine.[1][6] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0102 | Wizard Spider | [4] |
| G1011 | EXOTIC LILY | [8] |
References
1. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9'S DEVELOPMENT CYCLES. Retrieved November 18, 2020.
2. Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.
3. Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.
4. Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021.
5. Sadique, M. and Singh, A. (2020, September 29). Spear Phishing Campaign Delivers Buer and Bazar Malware. Retrieved November 19, 2020.
6. The DFIR Report. (2020, October 8). Ryuk's Return. Retrieved October 9, 2020.
7. The DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.
8. Stolyarov, V. (2022, March 17). Exposing initial access broker with ties to Conti. Retrieved August 18, 2022.