Bazar Loader

Malware Profile Updated 3 months ago
Bazar Loader is a malware loader delivered through phishing emails that carry links to Google Drive, where the payload is hosted. It is attributed to the threat actors behind TrickBot and Anchor, a link first documented in research published in December 2019. The Bazar loader and its companion, the Bazar backdoor, take their name from their use of EmerDNS blockchain domains (the .bazar top-level domain), which places them among the threats that rely on alternative name systems outside the conventional DNS hierarchy.

The pair represents an evolution in the payloads and tooling used by the TrickBot gang, while the initial infection vector has stayed the same. To evade detection, the loader and backdoor use a network callback scheme that differs from previously seen TrickBot-related malware, and they keep ties to TrickBot and Anchor through signed loaders, a sign of the operational maturity behind their deployment. The loader also implements a domain generation algorithm (DGA), which makes its command-and-control infrastructure harder to block, and an API-hammering technique, which helps it evade sandbox analysis. A new version of the loader appeared in June 2020, showing continued development.

Once running, the Bazar loader adds a further autorun entry by writing an adobe.lnk shortcut to the Windows Start Menu Startup folder, so the malware survives reboots and is harder for users or administrators to remove completely. The continuous evolution of the Bazar loader underscores the need for layered defences and ongoing vigilance against such threats.
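The profile above names two host-observable traits: DNS lookups for EmerDNS names (the .bazar TLD) and an adobe.lnk shortcut dropped in the Startup folder. The following is an added example, not code from this page or from the researchers it summarises: a Python scan over constructed Sysmon-style log lines that flags both traits and then correlates them per process. The flat key=value line format, the sample lines, and the process and file names are constructed for the example; the .bazar TLD comes from this page, while the other three EmerDNS TLDs come from general knowledge of EmerDNS and are not mentioned on the page.

```python
import re

# TLDs served by the EmerDNS (Emercoin) blockchain name system. The profile names
# only ".bazar"; the other three are EmerDNS's remaining TLDs, included from
# general knowledge of EmerDNS rather than from this page.
EMERDNS_TLDS = ("bazar", "coin", "emc", "lib")

# Per-user Startup folder. The profile reports an "adobe.lnk" dropped here; any
# newly created .lnk in this folder is worth flagging, not just that file name.
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE)

# Constructed sample lines in a flat key=value shape loosely modelled on Sysmon
# event IDs 22 (DnsQuery) and 11 (FileCreate). They are not real telemetry.
SAMPLE_LOGS = [
    "EventID=22 Image=C:\\Windows\\System32\\svchost.exe QueryName=ctldl.windowsupdate.com",
    "EventID=22 Image=C:\\Users\\alice\\AppData\\Local\\Temp\\PreviewReport.exe QueryName=bestgame.bazar",
    "EventID=22 Image=C:\\Users\\alice\\AppData\\Local\\Temp\\PreviewReport.exe QueryName=forgame.bazar",
    "EventID=11 Image=C:\\Users\\alice\\AppData\\Local\\Temp\\PreviewReport.exe "
    "TargetFilename=C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\adobe.lnk",
    "EventID=11 Image=C:\\Program Files\\Notepad++\\notepad++.exe TargetFilename=C:\\Users\\alice\\Documents\\notes.txt",
    "EventID=22 Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe QueryName=bazar.example.com",
]


def parse(line: str) -> dict:
    """Split a flat 'k=v k=v' line into a dict. Values may contain spaces
    ('Start Menu', 'Program Files'), so the value runs until the next ' key='
    boundary rather than the next space."""
    return {m.group(1): m.group(2) for m in re.finditer(r"(\w+)=(.*?)(?=\s\w+=|$)", line)}


def is_emerdns_query(name: str) -> bool:
    """True when the queried name's last label is an EmerDNS TLD. Only the last
    label counts, so 'bazar.example.com' is not a hit."""
    return name.lower().rstrip(".").rsplit(".", 1)[-1] in EMERDNS_TLDS


def scan(lines):
    """Return (rule, image, detail) triples for every line matching a rule."""
    findings = []
    for line in lines:
        ev = parse(line)
        eid = ev.get("EventID")
        if eid == "22" and is_emerdns_query(ev.get("QueryName", "")):
            findings.append(("emerdns_query", ev.get("Image", ""), ev["QueryName"]))
        elif eid == "11" and STARTUP_LNK.search(ev.get("TargetFilename", "")):
            findings.append(("startup_lnk", ev.get("Image", ""), ev["TargetFilename"]))
    return findings


def correlate(findings):
    """Images that both resolved an EmerDNS name and wrote a Startup .lnk: that
    combination is the chain the profile describes and deserves higher severity
    than either signal alone."""
    by_image = {}
    for rule, image, _detail in findings:
        by_image.setdefault(image, set()).add(rule)
    return sorted(img for img, rules in by_image.items()
                  if {"emerdns_query", "startup_lnk"} <= rules)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOGS)
    for rule, image, detail in hits:
        print(f"{rule:14} {image} -> {detail}")
    for image in correlate(hits):
        print(f"HIGH: {image} matched both EmerDNS lookup and Startup .lnk drop")
```

The two rules are deliberately broader than the page's exact indicators (any EmerDNS TLD, any Startup .lnk), since the file name and the specific .bazar hosts are trivially changed by the operators; the per-process correlation is what keeps the broader rules from drowning in noise.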
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Team9 (1 vote): Team9 is malware (short for malicious software) that poses significant threats to computer systems and data. The malware's operations start with the Team9 loader, which upon examination shows a XOR key of the infection date in the YYYYMMDD format (ISO 8601). This loader downloads a XOR-encoded pay

Bazar Backdoor (1 vote): The Bazar Backdoor is malicious software (malware) that infiltrates systems through suspicious downloads, emails, or websites. Named after their use of EmerDNS blockchain domains, the Bazar loader and Bazar backdoor are associated with the threat actors behind TrickBot, Anchor malware, and other cyb

Team9 Loader (1 vote): The Team9 loader is malware that infiltrates systems, often without the user's knowledge, through suspicious downloads, emails, or websites. The initial examination focused on the early variant of the Team9 loader, which used specific domains such as bestgame[.]bazar and forgame[.]bazar to
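The Team9 entry above notes that the Team9 loader's XOR key is the infection date in YYYYMMDD form. What follows is an added example, not code from this page or from the researchers it summarises: a Python routine that recovers such a payload by trying each date in a window as the key and keeping the candidate that decodes to a PE image. The key layout (the eight ASCII digits applied as a repeating key from offset 0), the payload bytes and the dates are assumptions constructed for the example.

```python
from datetime import date, timedelta


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; XOR is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def date_key(d: date) -> bytes:
    """Key layout ASSUMED here: the ISO 8601 basic date (YYYYMMDD) as 8 ASCII bytes."""
    return d.strftime("%Y%m%d").encode("ascii")


def looks_like_pe(data: bytes) -> bool:
    """Cheap PE sanity check: 'MZ' at offset 0 and 'PE\\0\\0' at e_lfanew (offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_payload(blob: bytes, around: date, window_days: int = 45):
    """Try every date within +/- window_days of `around` as the key and return
    (infection_date, decoded) for the first candidate that yields a PE, else None.

    Same-year keys share their first four bytes, so the 'MZ' check alone matches
    every date in the year; only the month/day digits (key bytes 4..7, which
    cover e_lfanew at 0x3C..0x3F) differ, and the e_lfanew -> 'PE' check is what
    singles out the right date."""
    for off in range(-window_days, window_days + 1):
        d = around + timedelta(days=off)
        decoded = xor_with_key(blob, date_key(d))
        if looks_like_pe(decoded):
            return d, decoded
    return None


# Constructed stand-in for a downloaded payload: a minimal PE-shaped buffer
# ('MZ' header, e_lfanew = 0x40, 'PE\0\0' at 0x40) XOR-encoded with the key for
# 2020-06-01, a date chosen arbitrarily for the example.
FAKE_PE = (b"MZ" + b"\x90" * (0x3C - 2) + (0x40).to_bytes(4, "little")
           + b"PE\0\0" + b"\xCC" * 16)
SAMPLE_DATE = date(2020, 6, 1)
SAMPLE_BLOB = xor_with_key(FAKE_PE, date_key(SAMPLE_DATE))


if __name__ == "__main__":
    # Analyst only knows roughly when the host was infected; search around it.
    hit = recover_payload(SAMPLE_BLOB, around=date(2020, 6, 20))
    print(hit[0].isoformat() if hit else "no candidate date decoded to a PE")
```

In practice the window is seeded from the earliest suspicious timestamp on the host (the phishing email, the dropped file's creation time), and a decoded candidate should be confirmed with a full PE parser rather than the two-field check used here.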
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Downloader
Loader
Malware
Bot
Evasive
Decoy
Payload
Windows
Phishing
Associated Malware
Bazar (type: Unspecified, 1 vote): "Bazar" is a form of malware, malicious software designed to exploit and damage computer systems. This harmful program can infiltrate systems via suspicious downloads, emails, or websites, often unbeknownst to the user. Once it gains access, it can steal personal information, disrupt operations, o

Anchor (type: Unspecified, 1 vote): Anchor is malware (short for malicious software) that infiltrates systems to exploit and cause damage. It can access systems through various methods such as suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can disrupt operations, steal personal info

Trickbot-Anchor (type: Unspecified, 1 vote): no description available.

TrickBot (type: Unspecified, 1 vote): TrickBot is a notorious form of malware that infiltrates systems to exploit and damage them, often through suspicious downloads, emails, or websites. Once it has breached a system, TrickBot can steal personal information, disrupt operations, and even hold data hostage for ransom. It has been linked
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Bazar Loader malware was read from the documents below (display limited to 20 results).

CERT-EU, 10 months ago: CVE 2020-1472 Archives - i-secure Co, Ltd.
MITRE, a year ago: Cybereason vs. Conti Ransomware
MITRE, a year ago: A Bazar of Tricks: Following Team9's Development Cycles