Bazar Loader is a malware loader that reaches victims through phishing emails containing links to Google Drive, where the payload is hosted. It is associated with the threat actors behind TrickBot and Anchor malware, as evidenced by our previous research from December 2019. The Bazar loader and its counterpart, the Bazar backdoor, are named after the .bazar top-level domain they use for command and control. That TLD exists only in EmerDNS, a blockchain-based name system outside the ICANN root, so standard resolvers cannot resolve the C2 names and takedown or sinkholing through the conventional DNS infrastructure is far harder; Bazar thus belongs to the family of threats that rely on alternate domain name systems. The loader marks an evolution in the payloads and tooling of the TrickBot gang, while the initial infection vector, phishing, has remained the same.
To evade detection, the Bazar loader and backdoor use a network callback scheme different from that of previously seen TrickBot-related malware. The loaders are signed, and the signing shows further ties to TrickBot and Anchor, which indicates a deliberate, well-resourced deployment. Notably, Bazar Loader implements a domain generation algorithm (DGA) for its .bazar C2 domains and an API-hammering technique. The two serve different evasion goals: the DGA makes the C2 domains change over time, so static domain blocklists age quickly, while API hammering delays execution by issuing a very large number of calls to harmless Windows APIs, so that automated sandboxes run out of analysis time before the real behaviour starts. Neither is a persistence mechanism; both are about surviving analysis and domain-based blocking.
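The EmerDNS point above translates directly into a hunting rule: a lookup for a name under an EmerDNS-only TLD should never appear in a corporate resolver's logs, and a DGA shows up as many distinct such names from one host in a short window. The following is an added example written for this page, not code from the original write-up or from any vendor research. The log lines and host names are constructed (the .bazar names are made-up stand-ins for DGA output, not real Bazar indicators), the simplified BIND-style query-log line format is an assumption, and the TLD set beyond .bazar (.coin, .emc, .lib) is the EmerDNS zone list, which the page itself does not mention.

```python
import re
from collections import Counter

# TLDs served by the EmerDNS blockchain name system and absent from the ICANN root.
# The page names only .bazar; .coin/.emc/.lib are the other EmerDNS zones (assumption noted in the lead-in).
EMERDNS_TLDS = frozenset({"bazar", "coin", "emc", "lib"})

# Constructed sample in a simplified BIND-style query-log layout (not a real capture).
# The .bazar names are made-up stand-ins for DGA output, not actual Bazar indicators.
SAMPLE_LOG = """\
01-Jul-2020 09:12:01.014 client 10.20.4.17#51234: query: www.microsoft.com IN A
01-Jul-2020 09:12:03.221 client 10.20.4.17#51240: query: kwz3yq8ptndl.bazar IN A
01-Jul-2020 09:12:03.229 client 10.20.4.17#51241: query: mq7vhb2cslxe.bazar. IN A
01-Jul-2020 09:13:44.902 client 10.20.7.3#49152: query: updates.example.com IN AAAA
01-Jul-2020 09:14:10.331 client 10.20.4.17#51260: query: r8ztpdk4ywqa.bazar IN A
01-Jul-2020 09:15:02.007 client 10.20.9.9#40123: query: bazar.example.org IN A
"""

# Assumed line layout: "<date> <time> client <ip>#<port>: query: <qname> IN <qtype>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<client>[0-9a-fA-F.:]+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query_line(line):
    """Return {'ts','client','qname','qtype'} for a query-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_emerdns_name(qname, tlds=EMERDNS_TLDS):
    """True if the rightmost label is an EmerDNS TLD; tolerates a trailing dot and mixed case.

    Only the final label counts, so a legitimate name such as bazar.example.org is not flagged."""
    return qname.rstrip(".").rsplit(".", 1)[-1].lower() in tlds


def find_emerdns_queries(lines, tlds=EMERDNS_TLDS):
    """All parsed records whose query name falls under an EmerDNS TLD."""
    hits = []
    for line in lines:
        rec = parse_query_line(line)
        if rec and is_emerdns_name(rec["qname"], tlds):
            hits.append(rec)
    return hits


def distinct_names_per_client(lines, tlds=EMERDNS_TLDS):
    """Distinct EmerDNS names each client asked for; DGA activity shows as many names from one host."""
    seen = {}
    for rec in find_emerdns_queries(lines, tlds):
        seen.setdefault(rec["client"], set()).add(rec["qname"].rstrip(".").lower())
    return {client: len(names) for client, names in seen.items()}


def query_counts_per_client(lines, tlds=EMERDNS_TLDS):
    """Raw EmerDNS query volume per client, useful for ranking hosts to triage first."""
    return Counter(rec["client"] for rec in find_emerdns_queries(lines, tlds))


if __name__ == "__main__":
    for rec in find_emerdns_queries(SAMPLE_LOG.splitlines()):
        print(f"{rec['ts']} {rec['client']} -> {rec['qname']}")
    print(distinct_names_per_client(SAMPLE_LOG.splitlines()))
```

Matching on the TLD rather than on specific names is deliberate: DGA output changes with the seed, but the TLD does not, and in an environment that does not use EmerDNS the false-positive rate of this rule is essentially zero.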
A new version of the Bazar loader emerged in June 2020, showing that the threat is still under active development. Once running, this version adds a further autorun entry by writing an adobe.lnk shortcut into the Windows Start Menu Startup folder, so the loader is launched again at every logon and survives a reboot; a responder who removes only the running process or the original autorun entry will see it come back. The continuous evolution of the Bazar loader means its persistence artifacts and network indicators should be expected to change between versions, which underscores the importance of robust security measures and ongoing vigilance against this kind of threat.
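The Startup-folder persistence described above is easy to audit if you can read what each .lnk actually launches. The following is an added example written for this page, not code from the original write-up or from the malware authors. It enumerates the per-user and all-users Startup folders, extracts each shortcut's target and arguments with a minimal parser for the MS-SHLLINK format (header, LinkInfo local base path, StringData), and flags shortcuts that cannot be parsed or whose target lives in a user-writable location, which is where loader persistence typically points. The Startup folder paths, the user-writable marker list, and the `build_lnk` helper are assumptions and demo scaffolding: `build_lnk` constructs minimal shortcuts so the example runs offline in a temporary directory, and the file names and target paths in `demo()` are made up.

```python
import os
import struct
import tempfile
from pathlib import Path

# MS-SHLLINK constants: fixed 76-byte header, ShellLink CLSID (little-endian GUID bytes), LinkFlags bits.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 1 << 0, 1 << 1, 1 << 2, 1 << 3
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 1 << 4, 1 << 5, 1 << 6, 1 << 7
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments"), (HAS_ICON, "icon"))

# Assumed locations: per-user and all-users Startup folders (Windows paths; absent elsewhere).
STARTUP_DIRS = (
    Path(os.environ.get("APPDATA", r"C:\nonexistent")) / "Microsoft/Windows/Start Menu/Programs/Startup",
    Path(os.environ.get("PROGRAMDATA", r"C:\nonexistent")) / "Microsoft/Windows/Start Menu/Programs/StartUp",
)
# Heuristic (assumption): targets under user-writable locations are what loader persistence looks like.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\", "\\tmp\\")


def _read_string(data, pos, unicode):
    """StringData item: 2-byte char count, then chars (UTF-16LE if IsUnicode, else ANSI), no terminator."""
    count = struct.unpack_from("<H", data, pos)[0]
    width = 2 if unicode else 1
    raw = data[pos + 2:pos + 2 + count * width]
    return (raw.decode("utf-16-le") if unicode else raw.decode("cp1252")), pos + 2 + count * width


def lnk_info(data):
    """Minimal .lnk parser: returns a dict with 'target' plus any StringData fields, or None if not a ShellLink."""
    if len(data) < LNK_HEADER_SIZE or data[:4] != struct.pack("<I", LNK_HEADER_SIZE) or data[4:20] != LNK_CLSID:
        return None
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_ID_LIST:  # skip LinkTargetIDList: 2-byte IDListSize followed by the item IDs
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    info = {"target": None}
    if flags & HAS_LINK_INFO:
        size, _hdr_size, info_flags, _vol_off, local_off = struct.unpack_from("<5I", data, pos)
        if info_flags & 1:  # VolumeIDAndLocalBasePath: NUL-terminated ANSI path at LinkInfo + LocalBasePathOffset
            start = pos + local_off
            info["target"] = data[start:data.index(b"\x00", start)].decode("cp1252", errors="replace")
        pos += size
    for flag, key in STRING_FIELDS:  # StringData follows LinkInfo in this fixed order
        if flags & flag:
            info[key], pos = _read_string(data, pos, bool(flags & IS_UNICODE))
    return info


def is_suspicious(info):
    """Unparsable shortcut, or one whose target/arguments point into a user-writable location."""
    if info is None:
        return True
    blob = ((info.get("target") or info.get("relative_path") or "") + " " + info.get("arguments", "")).lower()
    return not blob.strip() or any(m in blob for m in USER_WRITABLE_MARKERS)


def scan_startup(dirs=STARTUP_DIRS):
    """Return [(path, target, suspicious)] for every .lnk in the given Startup folders."""
    findings = []
    for d in dirs:
        d = Path(d)
        if d.is_dir():
            for lnk in sorted(d.glob("*.lnk")):
                info = lnk_info(lnk.read_bytes())
                findings.append((str(lnk), (info or {}).get("target"), is_suspicious(info)))
    return findings


def build_lnk(target, arguments=""):
    """Demo scaffolding: construct a minimal .lnk (header + LinkInfo local path + optional arguments)."""
    flags = HAS_LINK_INFO | IS_UNICODE | (HAS_ARGS if arguments else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    volume_id = struct.pack("<4I", 0x11, 3, 0, 0x10) + b"\x00"  # DRIVE_FIXED, empty volume label
    path = target.encode("cp1252") + b"\x00"
    local_off = 0x1C + len(volume_id)
    suffix_off = local_off + len(path)
    link_info = struct.pack("<7I", suffix_off + 1, 0x1C, 1, 0x1C, local_off, 0, suffix_off) + volume_id + path + b"\x00"
    args = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le") if arguments else b""
    return header + link_info + args + b"\x00\x00\x00\x00"  # TerminalBlock closes ExtraData


def demo():
    """Write two constructed shortcuts into a temp dir standing in for the Startup folder, then scan it."""
    d = Path(tempfile.mkdtemp())
    (d / "adobe.lnk").write_bytes(build_lnk(r"C:\Users\victim\AppData\Roaming\Adobe\AcroRd32.exe", "/silent"))
    (d / "teams.lnk").write_bytes(build_lnk(r"C:\Program Files\Teams\Teams.exe"))
    return scan_startup([d])


if __name__ == "__main__":
    for path, target, bad in demo():
        print(("SUSPICIOUS " if bad else "ok         ") + f"{path} -> {target}")
```

On a live Windows host, call `scan_startup()` with no arguments to read the real Startup folders. The point of parsing the target rather than trusting the file name is that a shortcut called adobe.lnk is only meaningful once you see it launching something from AppData rather than from Program Files; the same check should be run against the all-users folder, since either location yields persistence.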
Description last updated: 2024-05-04T18:06:36.221Z