Bazar Backdoor

Malware updated 6 months ago (2024-05-04T19:28:39.201Z)
The Bazar Backdoor is malware that infiltrates systems through suspicious downloads, emails, or websites. Named after its use of EmerDNS blockchain domains, the Bazar loader and Bazar backdoor are associated with the threat actors behind TrickBot, Anchor malware, and other cyber threats. The Bazar loader provides the attacker's initial foothold, while the Bazar backdoor ensures persistence in the compromised environment. Several different versions of the Bazar backdoor and its loader have been identified, indicating that the malware is under active development.

Historically, the TrickBot Gang used their infamous TrickBot malware to initiate interactive hacking operations and deploy secondary payloads such as Ryuk and Anchor. However, they shifted to using the Bazar backdoor for launching interactive attacks and deploying Ryuk earlier this year. Since July 2020, their favored ransomware has been Conti, marking a significant change in their operational tactics.

In terms of communication, the Bazar backdoor sends a 'group' identifier to the remote server along with the botID and a switch indicating whether it is sending data or requesting commands; the request follows a specific pattern of the botID and a numeric command switch. The tag (or gtag) used to identify TrickBot campaigns is removed from the C2 URIs in the Bazar backdoor, further distinguishing it from other malware families. The Bazar backdoor can handle multiple commands, retrieving various pieces of additional information from the infected machine, which makes it a versatile and potent threat.
Description last updated: 2024-05-04T18:06:37.957Z
Aliases: none currently tracked
Source Document References
Information about the Bazar Backdoor malware was read from the documents below.

- MITRE (2 years ago)