Bazaloader

Malware updated a month ago (2024-10-22T22:00:57.560Z)
BazaLoader is a malware loader: malicious software used to compromise computers or devices and deliver further payloads. It was typically distributed through email campaigns by threat actors such as TA578, who also used it to deliver other malware including Ursnif and IcedID. BazaLoader was last observed in Proofpoint data in February 2022, after which several threat actors transitioned to a new malware loader called Bumblebee; Google's Threat Analysis Group (TAG) noted this transition in March 2022.

Bumblebee has been active since March 2022 and has replaced BazaLoader and IcedID in the arsenals of multiple crimeware threat actors. It has been used in various campaigns, including ones targeting Facebook users, and in infection chains leading to LockBit ransomware and to BazaLoader itself. BazaLoader's connection to these operations is less direct: the group behind them has also been observed using leaked Conti code, which prompted further analysis that confirmed connections to Conti, as well as to TrickBot and BazaLoader.

In February 2022, steps were taken to prevent threat actors from delivering Emotet, TrickBot, and BazaLoader through certain vectors. Despite this, some groups have continued their malicious activity, using tactics such as the BazaCall phishing campaign, in which unsuspecting users are tricked into phoning the attacker and coached into downloading BazaLoader. The loader then retrieves and installs a remote monitoring and management (RMM) tool on the user's device.
Description last updated: 2024-10-22T17:41:55.703Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so the following are possible overlapping names and profiles that may also be worth reviewing.
Alias: Bumblebee (2 votes)
Bumblebee is a possible alias for Bazaloader. Bumblebee is a type of malware that has been linked to ITG23, a cyber threat group. Over the past year, it has been used in conjunction with other initial access malwares such as Emotet, IcedID, Qakbot, and Gozi during ITG23 attacks. The same values for self-signed certificates seen in Bumblebee hav
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Loader
Ransomware
Associated Malware
Associated malware: IcedID (association type: Unspecified; 3 votes)
The IcedID Malware is associated with Bazaloader. IcedID is a malicious software (malware) that has been implicated in numerous cybercrime campaigns. It has been associated with other notable malware such as Qakbot, BazarLoader, CobaltStrike, Conti, Gozi, Trickbot, Quantum, Emotet, Pikabot, and SystemBC. Its distribution often involves the use of d

Associated malware: Conti (association type: Unspecified; 2 votes)
The Conti Malware is associated with Bazaloader. Conti is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them. Often spreading through suspicious downloads, emails, or websites, it can steal personal information, disrupt operations, or hold data hostage for ransom. Notably, Conti was linked to several ra