Bazar

Malware Profile Updated 3 months ago
"Bazar" is a form of malware, malicious software designed to exploit and damage computer systems. It can infiltrate systems via suspicious downloads, emails, or websites, often without the user's knowledge. Once it gains access, it can steal personal information, disrupt operations, or hold data hostage for ransom. Bazar has different components, known in the cybersecurity community as BazaLoader, BazarLoader, and BazarBackdoor. It disguises itself using a DLL that appears to be a jpg file and uses HTTPS for command and control (C2) throughout the intrusion. The typical child processes associated with Bazar are cmd.exe, svchost.exe, explorer.exe, nltest.exe, and net.exe.

Bazar has been linked to ransomware attacks, with cybercriminals increasingly deploying it in campaigns; the Conti attack diagram, for example, illustrates the progression from Bazar to ransomware. These campaigns represent a new technique for cybercriminals to infect and monetize networks, and one notable instance was the deployment of the Ryuk ransomware. The malware's operational versions are referred to as "Bazar", while its development versions are named "Team9".

The threat posed by Bazar is on the rise, with partial automation enabling cybercrime to scale. This tactic has already been seen in Bazar campaigns, showing that it is not an innovation but a tried-and-true technique. Defenders are already grappling with it, as evidenced by the detection opportunity around enumeration of domain trusts with nltest.exe, one of the reconnaissance commands linked to Bazar. Despite these defensive efforts, the malware continues to pose a significant challenge to cybersecurity.
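The detection opportunity the profile mentions, nltest.exe enumerating domain trusts, as an added example that is not part of the profile or of any vendor tool. The event format is a constructed, simplified Sysmon-style key=value line (an assumption for the example); the `/domain_trusts` switch is a real nltest.exe option, and the parent-process list is the one the profile gives.

```python
# Added example (not from the profile page): flag nltest.exe domain-trust
# enumeration in constructed process-creation events, and raise severity when
# the parent is one of the process names the profile lists for Bazar.
import re
from typing import Dict, List, Optional

# Processes the profile lists as typical children of Bazar activity.
BAZAR_CHILDREN = {"cmd.exe", "svchost.exe", "explorer.exe", "nltest.exe", "net.exe"}

# nltest switch that enumerates domain trusts (matched case-insensitively).
TRUST_ENUM = re.compile(r"/domain_trusts", re.IGNORECASE)

# Constructed sample events (not real telemetry). Hypothetical format:
# '|'-separated key=value fields Image, ParentImage and CommandLine.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\nltest.exe|ParentImage=C:\\Windows\\System32\\cmd.exe"
    "|CommandLine=nltest /domain_trusts /all_trusts",
    "Image=C:\\Windows\\System32\\nltest.exe|ParentImage=C:\\Windows\\System32\\WindowsPowerShell"
    "\\v1.0\\powershell.exe|CommandLine=NLTEST.EXE /DOMAIN_TRUSTS",
    "Image=C:\\Windows\\System32\\nltest.exe|ParentImage=C:\\Program Files\\AdminTools\\inventory.exe"
    "|CommandLine=nltest /server:dc01 /sc_query:corp",
    "Image=C:\\Windows\\System32\\net.exe|ParentImage=C:\\Windows\\explorer.exe|CommandLine=net use",
]


def parse_event(line: str) -> Dict[str, str]:
    """Split a '|'-separated key=value line into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_trust_enum(line: str) -> Optional[Dict[str, str]]:
    """Return an alert if the event is nltest.exe domain-trust enumeration, else None."""
    ev = parse_event(line)
    if basename(ev.get("Image", "")) != "nltest.exe":
        return None
    if not TRUST_ENUM.search(ev.get("CommandLine", "")):
        return None  # other nltest use (e.g. secure-channel queries) is not this signal
    parent = basename(ev.get("ParentImage", ""))
    # A parent from the profile's process list (e.g. cmd.exe) strengthens the match.
    severity = "high" if parent in BAZAR_CHILDREN else "medium"
    return {"rule": "nltest_domain_trust_enum", "parent": parent, "severity": severity}


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run the detection over a batch of event lines and return the alerts."""
    return [alert for alert in map(detect_trust_enum, lines) if alert]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```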
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID / Votes / Profile Description
Team9 (1 vote): Team9 is a malware, short for malicious software, that poses significant threats to computer systems and data. The malware's operations start with the Team9 loader, which upon examination shows a XOR key of the infection date in the YYYYMMDD format (ISO 8601). This loader downloads a XOR-encoded pay
Bazarloader (1 vote): BazarLoader is a form of malware that has been utilized extensively by ITG23, a cybercriminal group. This harmful software infiltrates systems via suspicious downloads, emails, or websites, potentially stealing personal information, disrupting operations, or holding data for ransom. ITG23 has used B
Bazarbackdoor (1 vote): BazarBackdoor is a type of malware developed by ITG23, first identified in April 2020. It is commonly distributed via contact forms on corporate websites, bypassing regular phishing emails, which makes it harder to detect. The malware is often associated with BazarLoader, both of which were used ext
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Malware
Cobalt Strike
Loader
Phishing
Botnet
Evasive
Windows
Cybereason
Bot
Payload
Decoy
Reconnaissance
Cybercrime
Encrypt
Downloader
Backdoor
Police
Associated Malware
ID / Type / Votes / Profile Description
Anchor (Unspecified, 2 votes): Anchor is a type of malware, short for malicious software, that infiltrates systems to exploit and cause damage. It can access systems through various methods such as suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can disrupt operations, steal personal info
Get2 (Unspecified, 1 vote): Get2 is a type of malware, harmful software designed to infiltrate and damage computer systems or devices. It can be unknowingly downloaded through suspicious emails, downloads, or websites, enabling it to steal personal information, disrupt operations, or hold data hostage for ransom. Among the mos
QakBot (Unspecified, 1 vote): Qakbot is a potent malware, a malicious software designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it has the potential to steal personal information, disrupt operations, or e
Dridex (Unspecified, 1 vote): Dridex is a well-known malware, specifically a banking Trojan, that has been utilized by cybercriminals to exploit and damage computer systems. The malware infiltrates systems through dubious downloads, emails, or websites, often unbeknownst to the user, and can steal personal information, disrupt o
TrickBot (Unspecified, 1 vote): TrickBot is a notorious form of malware that infiltrates systems to exploit and damage them, often through suspicious downloads, emails, or websites. Once it has breached a system, TrickBot can steal personal information, disrupt operations, and even hold data hostage for ransom. It has been linked
Ryuk (Unspecified, 1 vote): Ryuk is a sophisticated malware, specifically a ransomware variant, that has been extensively used by cybercriminal group ITG23. The group has been employing crypting techniques for several years to obfuscate their malware, with Ryuk often seen in tandem with other malicious software such as Trickbo
Trickbot-Anchor (Unspecified, 1 vote): None
Conti (Unspecified, 1 vote): Conti is a type of malware, specifically ransomware, known for its ability to disrupt operations, steal personal information, and hold data hostage for ransom. The malicious software infiltrates systems via suspicious downloads, emails, or websites, often unbeknownst to the user. It has been used in
IcedID (Unspecified, 1 vote): IcedID is a malicious software (malware) designed to exploit and damage computer systems. It infects systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for ransom
Bazar Loader (Unspecified, 1 vote): Bazar Loader is a type of malware that infiltrates systems through phishing emails containing links to Google Drive, where the payload is stored. It's associated with the threat actors behind Trickbot and Anchor malware, as evidenced by our previous research from December 2019. The Bazar loader and
Bazar Backdoor (Unspecified, 1 vote): The Bazar Backdoor is a malicious software (malware) that infiltrates systems through suspicious downloads, emails, or websites. Named after its use of EmerDNS blockchain domains, the Bazar loader and Bazar backdoor are associated with the threat actors behind Trickbot, Anchor malware, and other cyb
Team9 Loader (Unspecified, 1 vote): The Team9 loader is a type of malware that infiltrates systems, often without the user's knowledge, through suspicious downloads, emails, or websites. The initial examination focused on the early variant of the Team9 loader, which used specific domains such as bestgame[.]bazar and forgame[.]bazar to
Team9 Backdoor (Unspecified, 1 vote): Team9 backdoor is a malicious software designed to exploit and damage computer systems. It infiltrates the system through suspicious downloads, emails, or websites, often without the user's knowledge, and can steal personal information, disrupt operations, or hold data hostage for ransom. The malwar
svchost.exe (Unspecified, 1 vote): Svchost.exe is a malware that exploits and damages computer systems by injecting malicious code into various processes. This harmful program can infiltrate your system through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, di
Associated Threat Actors
ID / Type / Votes / Profile Description
No associations to display
Associated Vulnerabilities
ID / Type / Votes / Profile Description
Bazarloader/bazarbackdoor (Unspecified, 1 vote): None
Source Document References
Information about the Bazar Malware was read from the documents corpus below.
Source / Created At / Title
MITRE, 7 months ago: Trickbot Rising — Gang Doubles Down on Infection Efforts to Amass Network Footholds
CERT-EU, 10 months ago: Refugees and Displaced Persons | Council on Foreign Relations
CERT-EU, a year ago: ‘Rohingya Of The Arakan: Conflict, Crisis And Solutions’ – Book Review
DARKReading, a year ago: Are AI-Engineered Threats FUD or Reality?
CERT-EU, a year ago: IIT-Kharagpur to develop tamper-proof signalling system for railways
CERT-EU, a year ago: The iPhone 14 Pro causes chaos at Istanbul's Grand Bazaar
MITRE, a year ago: CONTInuing the Bazar Ransomware Story
MITRE, a year ago: Ransomware Activity Targeting the Healthcare and Public Health Sector | CISA
MITRE, a year ago: Cybereason vs. Conti Ransomware
MITRE, a year ago: A Bazar of Tricks: Following Team9’s Development Cycles
MITRE, a year ago: In-depth analysis of the new Team9 malware family
MITRE, a year ago: A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak
Secureworks, a year ago: Phases of a Post-Intrusion Ransomware Attack
Krypos Logic, a year ago: TrickBot masrv Module
CERT-EU, a year ago: From social media to ChatGPT, cyber criminals quick to adopt new tech | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker – National Cyber Security Consulting
CERT-EU, a year ago: Cybersecurity: why money isn't everything
CERT-EU, a year ago: OSINT is revolutionizing American intelligence
CERT-EU, a year ago: Sarthebari police held two for cybercrime in Barpeta district | #cybercrime | #infosec – National Cyber Security Consulting