Bazarbackdoor

Malware updated 7 months ago (2024-05-04T19:19:47.280Z)
BazarBackdoor is a type of malware developed by ITG23, first identified in April 2020. It is commonly distributed via contact forms on corporate websites rather than regular phishing emails, which makes it harder to detect. The malware is often associated with BazarLoader; both were used extensively by actors linked to the TrickBot network to infiltrate victim systems starting from early 2020.

In February 2022, the Conti ransomware group took over the TrickBot operation and planned to replace it with BazarBackdoor. This transition came after several unsuccessful takedown attempts by the U.S. government. The Conti group advanced the development of more sophisticated and stealthy malware such as BazarBackdoor and Anchor, with BazarBackdoor being employed for initial access to networks because TrickBot was increasingly detected by anti-malware solutions.

Before its dissolution in mid-2022, the Conti group launched a new subgroup called Karakurt, which focused on data extortion rather than crypto-locking files. It used the BazarLoader dropper to infect systems, install BazarBackdoor, and provide remote access to these systems to Karakurt, which allowed them to steal data and extort victims. The core team of TrickBot developers had created BazarBackdoor, a stealthier malware, to gain remote access into corporate networks and deploy ransomware.
Description last updated: 2024-05-04T16:48:49.805Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so the following are possible overlapping names and profiles that may also be worth reviewing.
Alias / Description / Votes

Alias: Bazarloader
Votes: 2
Description: Bazarloader is a possible alias for Bazarbackdoor. BazarLoader is a type of malware developed by the TrickBot group, primarily used to gain initial access to a victim's infrastructure in ransomware attacks. This malware has been associated with various threat groups, including ITG23, which has used BazarLoader alongside other malware like Trickbot a
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Ransomware
Associated Malware
Alias / Description / Association Type / Votes

Alias: TrickBot
Association type: Unspecified
Votes: 3
Description: The TrickBot Malware is associated with Bazarbackdoor. TrickBot is a notorious malware developed by cybercriminals to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. This malicious software can steal personal information, disrupt operations, or even hold data hostage for ransom. Vladimir Dunaev,

Alias: Conti
Association type: Unspecified
Votes: 3
Description: The Conti Malware is associated with Bazarbackdoor. Conti is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them. Often spreading through suspicious downloads, emails, or websites, it can steal personal information, disrupt operations, or hold data hostage for ransom. Notably, Conti was linked to several ra