Bazar Loader

Malware Profile Updated 24 days ago
Bazar Loader is malware that is delivered through phishing emails containing links to Google Drive, where the payload is hosted. It is associated with the threat actors behind Trickbot and Anchor malware, as evidenced by our previous research from December 2019. The Bazar loader and its counterpart, the Bazar backdoor, take their name from their use of EmerDNS blockchain domains, which places them in a family of threats that rely on alternate domain name systems.

This malware marks an evolution in the payloads and tools used by the TrickBot Gang, although the initial infection vector has remained consistent. To evade detection, the Bazar loader and backdoor use a network callback scheme that differs from previously seen Trickbot-related malware. Signed loaders also tie them to Trickbot and Anchor, indicating a level of sophistication in their deployment and operation. Notably, Bazar Loader uses a Domain Generation Algorithm (DGA) implementation and an API-hammering technique, both of which further improve its stealth and persistence. A new version of the Bazar loader emerged in June 2020, demonstrating the continued development and adaptation of this threat.

Once inside a system, the Bazar loader creates another autorun entry by writing an adobe.lnk shortcut in the Windows Start menu Startup folder. This lets the malware persist on the infected machine and makes it harder for users or administrators to remove the threat completely. The continuous evolution and adaptation of the Bazar loader underscore the importance of maintaining robust security measures and staying vigilant against such advanced threats.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so listed here are some possible overlapping names and profiles you may also want to look at.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Associated Malware
No associations to display
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Bazar Loader malware was read from the document corpus below.

Source | Created | Title
MITRE | a year ago | Cybereason vs. Conti Ransomware
MITRE | a year ago | A Bazar of Tricks: Following Team9’s Development Cycles
CERT-EU | 8 months ago | CVE 2020-1472 Archives - i-secure Co, Ltd.