Bazar Backdoor

Malware Profile Updated 24 days ago
The Bazar Backdoor is malware that reaches systems through malicious downloads, phishing emails, or compromised websites. The Bazar loader and the Bazar backdoor take their name from the .bazar domains they resolve through EmerDNS (the Emercoin blockchain name system), and both are attributed to the threat actors behind TrickBot, the Anchor malware, and related tooling. The loader provides the attacker's initial foothold; the backdoor maintains persistence in the compromised environment. Several distinct versions of both the backdoor and its loader have been identified, which indicates active development.

Historically, the TrickBot gang used the TrickBot malware itself to initiate interactive (hands-on-keyboard) intrusions and to deploy secondary payloads such as Ryuk and Anchor. Earlier in 2020 they shifted to the Bazar backdoor for launching those interactive attacks and deploying Ryuk, and since July 2020 their preferred ransomware has been Conti, a significant change in their operational tactics.

For command and control, the Bazar backdoor sends a 'group' identifier to the remote server together with the bot ID and a numeric switch that indicates whether the bot is sending data or requesting commands; the request URI follows a fixed pattern built from the bot ID and that numeric command switch. The tag (gtag) that identifies TrickBot campaigns does not appear in Bazar C2 URIs, which distinguishes the backdoor from TrickBot at the network level. The backdoor handles multiple commands, including ones that collect additional information about the infected machine.
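The EmerDNS naming described above gives defenders a simple, high-signal check: the .bazar top-level domain (and the other EmerDNS-only TLDs) has no ICANN delegation, so a corporate resolver should never see a query for it. The script below is an added example, not code from the profile or from any of its source reports; it scans constructed DNS query-log lines for EmerDNS-only TLDs. The log layout and the domain names are invented for the example, and the TLD list beyond .bazar comes from EmerDNS documentation rather than from this profile.

```python
"""Flag DNS queries for EmerDNS-only TLDs in a resolver query log (added example)."""
import re
from collections import Counter

# TLDs that exist only in EmerDNS (the Emercoin blockchain name system) and have
# no ICANN delegation. ".bazar" is the TLD the Bazar backdoor is named for; the
# other three are taken from EmerDNS documentation, not from the profile above.
EMERDNS_TLDS = frozenset({"bazar", "emc", "coin", "lib"})

# Constructed log layout for this example: "<timestamp> <client_ip> <qname> <qtype>".
# Real resolver logs (BIND, Unbound, Windows DNS) differ; adjust the regex to match.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<qname>\S+)\s+(?P<qtype>[A-Z]+)$"
)


def parse_line(line):
    """Return a dict with ts/client/qname/qtype, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    # Normalise: strip the trailing root dot and lowercase, so "C2.BAZAR." == "c2.bazar".
    rec["qname"] = rec["qname"].rstrip(".").lower()
    return rec


def tld_of(qname):
    """Rightmost label of a normalised name ("c2.bazar" -> "bazar")."""
    return qname.rsplit(".", 1)[-1]


def find_emerdns_queries(lines):
    """Return the parsed records whose TLD is served only by EmerDNS."""
    return [
        rec
        for rec in map(parse_line, lines)
        if rec is not None and tld_of(rec["qname"]) in EMERDNS_TLDS
    ]


def clients_by_hit_count(hits):
    """Count hits per source IP so the most active client can be triaged first."""
    return Counter(rec["client"] for rec in hits)


# Constructed sample log: two ordinary lookups, three EmerDNS lookups from two hosts,
# and one malformed line. The domain names are invented, not real Bazar indicators.
SAMPLE_LOG = [
    "2020-07-15T10:02:11Z 10.0.0.12 www.example.com. A",
    "2020-07-15T10:02:13Z 10.0.0.12 update-check.bazar. A",
    "2020-07-15T10:02:14Z 10.0.0.12 UPDATE-CHECK.BAZAR. AAAA",
    "2020-07-15T10:02:20Z 10.0.0.45 mail.example.org. MX",
    "2020-07-15T10:03:02Z 10.0.0.45 files.coin. A",
    "this line is not a query record",
]

if __name__ == "__main__":
    hits = find_emerdns_queries(SAMPLE_LOG)
    for rec in hits:
        print(f"{rec['ts']} {rec['client']} queried {rec['qname']} ({rec['qtype']})")
    print("per-client:", dict(clients_by_hit_count(hits)))
```

Because these TLDs cannot be resolved through the public root, a hit is rare and worth investigating rather than tuning away. The malware has to reach a resolver that speaks EmerDNS to get an answer, so restricting outbound DNS to the corporate resolvers complements this log check by cutting off that path.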
Source Document References
Information about the Bazar Backdoor malware was read from the documents in the corpus below (display limited to 20 results).

- MITRE (a year ago): Cybereason vs. Conti Ransomware
- MITRE (a year ago): A Bazar of Tricks: Following Team9's Development Cycles