Bazar Backdoor

Malware Profile Updated 3 months ago
The Bazar Backdoor is malware that infiltrates systems through suspicious downloads, emails, or websites. Named after its use of EmerDNS blockchain domains, the Bazar loader and Bazar backdoor are associated with the threat actors behind TrickBot, Anchor malware, and other cyber threats. The Bazar loader provides the attacker's initial foothold, while the Bazar backdoor maintains persistence in the compromised environment. Several versions of the Bazar backdoor and its loader have been identified, indicating that the malware is under active development.

Historically, the TrickBot gang used their infamous TrickBot malware to initiate interactive hacking operations and deploy secondary payloads such as Ryuk and Anchor. Earlier this year, however, they shifted to the Bazar backdoor for launching interactive attacks and deploying Ryuk. Since July 2020, their favored ransomware has been Conti, marking a significant change in their operational tactics.

For command-and-control communication, the Bazar backdoor sends a 'group' identifier to the remote server along with the botID and a switch indicating whether it is sending data or receiving commands; the request follows a fixed pattern of the botID followed by the numeric command switch. The tag (or gtag) used to identify TrickBot campaigns is removed from the C2 URIs in the Bazar backdoor, further distinguishing it from other malware families. The Bazar backdoor handles multiple commands that retrieve various pieces of additional information about the infected machine, making it a versatile and potent threat.
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions are hard to track across vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID | Votes | Profile Description
Team9 | 1 | Team9 is a malware, short for malicious software, that poses significant threats to computer systems and data. The malware's operations start with the Team9 loader, which upon examination shows a XOR key of the infection date in the YYYYMMDD format (ISO 8601). This loader downloads a XOR-encoded pay
Bazar Loader | 1 | Bazar Loader is a type of malware that infiltrates systems through phishing emails containing links to Google Drive, where the payload is stored. It's associated with the threat actors behind Trickbot and Anchor malware, as evidenced by our previous research from December 2019. The Bazar loader and
Miscellaneous Associations
Other elements of context that could help in assessing relevance
Backdoor
Malware
Loader
Payload
Ransomware
Associated Malware
ID | Type | Votes | Profile Description
Bazar | Unspecified | 1 | "Bazar" is a form of malware, a malicious software designed to exploit and damage computer systems. This harmful program can infiltrate systems via suspicious downloads, emails, or websites, often unbeknownst to the user. Once it gains access, it can steal personal information, disrupt operations, o
TrickBot | Unspecified | 1 | TrickBot is a notorious form of malware that infiltrates systems to exploit and damage them, often through suspicious downloads, emails, or websites. Once it has breached a system, TrickBot can steal personal information, disrupt operations, and even hold data hostage for ransom. It has been linked
Anchor | Unspecified | 1 | Anchor is a type of malware, short for malicious software, that infiltrates systems to exploit and cause damage. It can access systems through various methods such as suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can disrupt operations, steal personal info
Conti | Unspecified | 1 | Conti is a type of malware, specifically ransomware, known for its ability to disrupt operations, steal personal information, and hold data hostage for ransom. The malicious software infiltrates systems via suspicious downloads, emails, or websites, often unbeknownst to the user. It has been used in
Ryuk | Unspecified | 1 | Ryuk is a sophisticated malware, specifically a ransomware variant, that has been extensively used by cybercriminal group ITG23. The group has been employing crypting techniques for several years to obfuscate their malware, with Ryuk often seen in tandem with other malicious software such as Trickbo
Associated Threat Actors
ID | Type | Votes | Profile Description
No associations to display
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Bazar Backdoor malware was read from the documents listed below.
Source | Created At | Title
MITRE | a year ago | Cybereason vs. Conti Ransomware
MITRE | a year ago | A Bazar of Tricks: Following Team9's Development Cycles