Bazarloader

Malware updated 4 days ago (2024-11-29T14:42:50.599Z)
BazarLoader is malware developed by the TrickBot group and used primarily to gain initial access to a victim's infrastructure ahead of ransomware attacks. It has been associated with several threat groups, notably ITG23, which has deployed BazarLoader alongside other malware such as Trickbot and Conti, and it has also been observed together with Emotet, IcedID, Conti, and Cobalt Strike payloads. One distribution campaign abused an exploit in the AppX Installer, with malicious packages hosted on Microsoft Azure used to infect systems.

In many ransomware campaigns BazarLoader has since been replaced by another loader, Bumblebee, but it remains a significant threat because of its association with ransomware operations. Deliveries of BazarLoader and Trickbot are often precursors to such attacks, including those involving Conti ransomware; since June 2021, an increase in Trickbot and BazarLoader deliveries has been followed by a corresponding rise in Conti ransomware attacks over the summer. ITG23 has adapted to the changing ransomware economy by creating the Conti ransomware-as-a-service (RaaS) offering and using BazarLoader and Trickbot payloads to establish a foothold for ransomware deployment. Security analysts from X-Force and Cylera have reported observing multiple additional campaigns delivering Trickbot and, to a lesser extent, BazarLoader on a weekly basis. Organizations should therefore remain vigilant and proactive in their cybersecurity measures to defend against these persistent threats.
Description last updated: 2024-10-22T17:42:15.949Z
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions are hard to track across vendors, so the following are possible overlapping names and profiles that may also be relevant.
| Alias | Description | Votes |
|---|---|---|
| IcedID | IcedID is a malicious software (malware) that has been implicated in numerous cybercrime campaigns. It has been associated with other notable malware such as Qakbot, BazarLoader, CobaltStrike, Conti, Gozi, Trickbot, Quantum, Emotet, Pikabot, and SystemBC. Its distribution often involves the use of d... | 3 |
| Bazarbackdoor | BazarBackdoor is a type of malware developed by ITG23, first identified in April 2020. It is commonly distributed via contact forms on corporate websites, bypassing regular phishing emails, which makes it harder to detect. The malware is often associated with BazarLoader, both of which were used ext... | 2 |
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Malware
Exploit
Backdoor
Cobalt Strike
Payload
Extortion
Vulnerability
Loader
RaaS
Associated Malware
| Malware | Description | Association Type | Votes |
|---|---|---|---|
| TrickBot | TrickBot is a notorious malware developed by cybercriminals to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. This malicious software can steal personal information, disrupt operations, or even hold data hostage for ransom. Vladimir Dunaev, ... | Unspecified | 6 |
| Conti | Conti is a type of malware, specifically ransomware, which is designed to infiltrate and damage computer systems. This malicious software can enter systems through various methods such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal persona... | Unspecified | 4 |
| Emotet | Emotet is a notorious malware, short for malicious software, that is designed to exploit and damage computers or devices. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user, with the potential to steal personal information, disrupt operations, ... | Unspecified | 4 |
| Bumblebee | Bumblebee is a type of malware that has been linked to ITG23, a cyber threat group. Over the past year, it has been used in conjunction with other initial access malware such as Emotet, IcedID, Qakbot, and Gozi during ITG23 attacks. The same values for self-signed certificates seen in Bumblebee hav... | Unspecified | 4 |
| Diavol | Diavol is a type of malware, specifically ransomware, that infiltrates systems to exploit and cause damage. It can infect systems through various channels such as suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, Diavol can steal personal information, disrupt ope... | Unspecified | 3 |
| QakBot | Qakbot is a type of malware, or malicious software, that infiltrates computer systems to exploit and damage them. This harmful program can infect devices through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt ope... | Unspecified | 2 |
| Ryuk | Ryuk is a type of malware known as ransomware, which has been utilized by the threat group ITG23 for several years. This group has been notorious for crypting their malware, with crypters seen in use with other malware such as Trickbot, Emotet, Cobalt Strike, and Ryuk. In 2019, most ransomware inves... | Unspecified | 2 |
Associated Threat Actors
| Threat Actor | Description | Association Type | Votes |
|---|---|---|---|
| ITG23 | ITG23, also known as the Trickbot/Conti syndicate, is a significant threat actor that has been active since 2016 in the East European cybercrime arena. This group is renowned for its use of Reflective DLL Injection code in many of its crypters, with the presence of these crypters on a file sample be... | Unspecified | 2 |
Source Document References
Information about the Bazarloader malware was read from the documents corpus below. This display is limited to 20 results.

| Source | Created |
|---|---|
| InfoSecurity-magazine | a month ago |
| Securityaffairs | a month ago |
| CERT-EU | a year ago |
| MITRE | a year ago |
| SecurityIntelligence.com | a year ago |
| CERT-EU | a year ago |
| BankInfoSecurity | a year ago |
| Flashpoint | a year ago |
| MITRE | 2 years ago |
| BankInfoSecurity | 2 years ago |
| MITRE | 2 years ago |
| MITRE | 2 years ago |
| MITRE | 2 years ago |
| CERT-EU | 2 years ago |
| CERT-EU | 2 years ago |
| MITRE | 2 years ago |
| MITRE | 2 years ago |
| CERT-EU | 2 years ago |
| CERT-EU | a year ago |
| SecurityIntelligence.com | a year ago |