
S0534 Bazar

Bazar is a downloader and backdoor that has been used since at least April 2020, with infections primarily against professional services, healthcare, manufacturing, IT, logistics and travel companies across the US and Europe. Bazar reportedly has ties to TrickBot campaigns and can be used to deploy additional malware, including ransomware, and to steal sensitive data.[1]

| Item | Value |
|---|---|
| ID | S0534 |
| Associated Names | KEGTAP, Team9 |
| Version | 1.2 |
| Created | 18 November 2020 |
| Last Modified | 29 September 2022 |
| Navigation Layer | View In ATT&CK® Navigator |

Associated Software Descriptions

| Name | Description |
|---|---|
| Team9 | [1][3] |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1087 | Account Discovery | - |
| enterprise | T1087.001 | Local Account | Bazar can identify administrator accounts on an infected host.[3] |
| enterprise | T1087.002 | Domain Account | Bazar has the ability to identify domain administrator accounts.[3][6] |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Bazar can use HTTP and HTTPS over ports 80 and 443 in C2 communications.[1][3][7] |
| enterprise | T1197 | BITS Jobs | Bazar has been downloaded via Windows BITS functionality.[3] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | Bazar can create or add files to Registry Run Keys to establish persistence.[1][3] |
| enterprise | T1547.004 | Winlogon Helper DLL | Bazar can use Winlogon Helper DLL to establish persistence.[5] |
| enterprise | T1547.009 | Shortcut Modification | Bazar can establish persistence by writing shortcuts to the Windows Startup folder.[1][3] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | Bazar can execute a PowerShell script received from C2.[3][4] |
| enterprise | T1059.003 | Windows Command Shell | Bazar can launch cmd.exe to perform reconnaissance commands.[1][5] |
| enterprise | T1005 | Data from Local System | Bazar can retrieve information from the infected machine.[1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Bazar can decrypt downloaded payloads. Bazar also resolves strings and other artifacts at runtime.[1][3] |
| enterprise | T1482 | Domain Trust Discovery | Bazar can use Nltest tools to obtain information about the domain.[1][3] |
| enterprise | T1568 | Dynamic Resolution | - |
| enterprise | T1568.002 | Domain Generation Algorithms | Bazar can implement DGA using the current date as a seed variable.[1] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | Bazar can send C2 communications with XOR encryption.[3] |
| enterprise | T1573.002 | Asymmetric Cryptography | Bazar can use TLS in C2 communications.[5] |
| enterprise | T1008 | Fallback Channels | Bazar has the ability to use an alternative C2 server if the primary server fails.[3] |
| enterprise | T1083 | File and Directory Discovery | Bazar can enumerate the victim’s desktop.[1][3] |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | Bazar has manually loaded ntdll from disk in order to identify and remove API hooks set by security products.[3] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | Bazar can delete its loader using a batch file in the Windows temporary folder.[3] |
| enterprise | T1070.009 | Clear Persistence | Bazar’s loader can delete scheduled tasks created by a previous instance of the malware.[3] |
| enterprise | T1105 | Ingress Tool Transfer | Bazar can download and deploy additional payloads, including ransomware and post-exploitation frameworks such as Cobalt Strike.[1][5][3][4] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.004 | Masquerade Task or Service | Bazar can create a task named to appear benign.[1] |
| enterprise | T1036.005 | Match Legitimate Name or Location | The Bazar loader has named malicious shortcuts “adobe” and mimicked communications software.[1][3][4] |
| enterprise | T1036.007 | Double File Extension | The Bazar loader has used dual-extension executable files such as PreviewReport.DOC.exe.[1] |
| enterprise | T1104 | Multi-Stage Channels | The Bazar loader is used to download and execute the Bazar backdoor.[1][5] |
| enterprise | T1106 | Native API | Bazar can use various APIs to allocate memory and facilitate code execution/injection.[1] |
| enterprise | T1135 | Network Share Discovery | Bazar can enumerate shared drives on the domain.[3] |
| enterprise | T1027 | Obfuscated Files or Information | Bazar has used XOR, RSA2, and RC4 encrypted files.[1][3][4] |
| enterprise | T1027.002 | Software Packing | Bazar has a variant with a packed payload.[1][5] |
| enterprise | T1027.007 | Dynamic API Resolution | Bazar can hash then resolve API calls at runtime.[1][3] |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.002 | Spearphishing Link | Bazar has been spread via emails with embedded malicious links.[1][5][4] |
| enterprise | T1057 | Process Discovery | Bazar can identify the current process on a compromised host.[1] |
| enterprise | T1055 | Process Injection | Bazar can inject code through calling VirtualAllocExNuma.[1] |
| enterprise | T1055.012 | Process Hollowing | Bazar can inject into a target process including Svchost, Explorer, and cmd using process hollowing.[1][3] |
| enterprise | T1055.013 | Process Doppelgänging | Bazar can inject into a target process using process doppelgänging.[1][3] |
| enterprise | T1012 | Query Registry | Bazar can query Windows\CurrentVersion\Uninstall for installed applications.[1][3] |
| enterprise | T1018 | Remote System Discovery | Bazar can enumerate remote systems using Net View.[1] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | Bazar can create a scheduled task for persistence.[1][3] |
| enterprise | T1518 | Software Discovery | Bazar can query the Registry for installed applications.[1] |
| enterprise | T1518.001 | Security Software Discovery | Bazar can identify the installed antivirus engine.[1] |
| enterprise | T1553 | Subvert Trust Controls | - |
| enterprise | T1553.002 | Code Signing | Bazar has been signed with fake certificates including those appearing to be from VB CORPORATE PTY. LTD.[1] |
| enterprise | T1082 | System Information Discovery | Bazar can fingerprint architecture, computer name, and OS version on the compromised host. Bazar can also check if the Russian language is installed on the infected machine and terminate if it is found.[1][3] |
| enterprise | T1614 | System Location Discovery | - |
| enterprise | T1614.001 | System Language Discovery | Bazar can perform a check to ensure that the operating system’s keyboard and language settings are not set to Russian.[3] |
| enterprise | T1016 | System Network Configuration Discovery | Bazar can collect the IP address and NetBIOS name of an infected machine.[1] |
| enterprise | T1033 | System Owner/User Discovery | Bazar can identify the username of the infected user.[3] |
| enterprise | T1124 | System Time Discovery | Bazar can collect the time on the compromised host.[1][3] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.001 | Malicious Link | Bazar can gain execution after a user clicks on a malicious link to decoy landing pages hosted on Google Docs.[1][5][4] |
| enterprise | T1497 | Virtualization/Sandbox Evasion | Bazar can attempt to overload sandbox analysis by sending 1550 calls to printf.[1] |
| enterprise | T1497.003 | Time Based Evasion | Bazar can use a timer to delay execution of core functionality.[3] |
| enterprise | T1102 | Web Service | Bazar downloads have been hosted on Google Docs.[1][5] |
| enterprise | T1047 | Windows Management Instrumentation | Bazar can execute a WMI query to gather information about the installed antivirus engine.[1][6] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0102 | Wizard Spider | [4] |