Bazar Backdoor

The Bazar Backdoor is a malicious software (malware) that infiltrates systems through suspicious downloads, emails, or websites. Named after its use of EmerDNS blockchain domains, the Bazar loader and Bazar backdoor are associated with the threat actors behind Trickbot, Anchor malware, and other cyber threats. The Bazar loader provides an initial foothold for the attacker, while the Bazar backdoor ensures persistence in the compromised environment. Several different versions of the Bazar backdoor and its loader have been identified, indicating that the malware is under active development. Historically, the TrickBot Gang has used their infamous TrickBot malware to initiate interactive hacking operations and deploy secondary payloads such as Ryuk and Anchor. However, they shifted to using the Bazar backdoor for launching interactive attacks and deploying Ryuk earlier this year. Since July 2020, their favored ransomware has been Conti, marking a significant change in their operational tactics. In terms of communication, the Bazar backdoor sends a 'group' identifier to the remote server along with the botID and a switch to send data or receive commands. This follows a specific pattern of the botID and numeric command switch. The tag (or gtag) used to identify Trickbot campaigns is removed from C2 URIs in the Bazar backdoor, further distinguishing it from other malware families. The Bazar backdoor can handle multiple commands, retrieving various pieces of additional information on the infected machine, making it a versatile and potent threat.