Bazarloader

Malware updated a month ago (2024-10-23T05:01:00.259Z)

Download STIX

Preview STIX

BazarLoader is a type of malware developed by the TrickBot group, primarily used to gain initial access to a victim's infrastructure in ransomware attacks. This malware has been associated with various threat groups, including ITG23, which has used BazarLoader alongside other malware like Trickbot and Conti. It has also been observed with payloads within Emotet, IcedID, Conti, and Cobalt Strike. The malware was distributed using an exploit in the AppX Installer, where malicious packages hosted on Microsoft Azure were used to infect systems. In the evolving landscape of cyber threats, BazarLoader has been replaced by another malware called Bumblebee in many ransomware campaigns. Despite this, BazarLoader remains a significant threat due to its association with ransomware attacks. Deliveries of BazarLoader and Trickbot are often precursors to such attacks, including those involving Conti ransomware. Since June 2021, there has been an increase in Trickbot and BazarLoader deliveries, leading to a corresponding rise in Conti ransomware attacks during the summer. ITG23 has adapted to the changing ransomware economy by creating the Conti ransomware-as-a-service (RaaS) and using BazarLoader and Trickbot payloads to establish a foothold for ransomware attacks. Security analysts from X-Force and Cylera have reported observing multiple additional campaigns delivering Trickbot and, to a lesser extent, BazarLoader on a weekly basis. Therefore, it is crucial for organizations to remain vigilant and proactive in their cybersecurity measures to defend against these persistent threats.

Description last updated: 2024-10-22T17:42:15.949Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
IcedID is a possible alias for Bazarloader. IcedID is a malicious software (malware) that has been implicated in numerous cybercrime campaigns. It has been associated with other notable malware such as Qakbot, BazarLoader, CobaltStrike, Conti, Gozi, Trickbot, Quantum, Emotet, Pikabot, and SystemBC. Its distribution often involves the use of d	3
Bazarbackdoor is a possible alias for Bazarloader. BazarBackdoor is a type of malware developed by ITG23, first identified in April 2020. It is commonly distributed via contact forms on corporate websites, bypassing regular phishing emails, which makes it harder to detect. The malware is often associated with BazarLoader, both of which were used ext	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Ransomware

Malware

Exploit

Backdoor

Cobalt Strike

Payload

Extortion

Vulnerability

Loader

RaaS

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The TrickBot Malware is associated with Bazarloader. TrickBot is a notorious malware developed by cybercriminals to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. This malicious software can steal personal information, disrupt operations, or even hold data hostage for ransom. Vladimir Dunaev,	Unspecified	6
The Conti Malware is associated with Bazarloader. Conti is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them. Often spreading through suspicious downloads, emails, or websites, it can steal personal information, disrupt operations, or hold data hostage for ransom. Notably, Conti was linked to several ra	Unspecified	4
The Emotet Malware is associated with Bazarloader. Emotet is a notorious malware, short for malicious software, that is designed to exploit and damage computers or devices. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user, with the potential to steal personal information, disrupt operations,	Unspecified	4
The Bumblebee Malware is associated with Bazarloader. Bumblebee is a type of malware that has been linked to ITG23, a cyber threat group. Over the past year, it has been used in conjunction with other initial access malwares such as Emotet, IcedID, Qakbot, and Gozi during ITG23 attacks. The same values for self-signed certificates seen in Bumblebee hav	Unspecified	4
The Diavol Malware is associated with Bazarloader. Diavol is a type of malware, specifically ransomware, that infiltrates systems to exploit and cause damage. It can infect systems through various channels such as suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, Diavol can steal personal information, disrupt ope	Unspecified	3
The QakBot Malware is associated with Bazarloader. Qakbot is a malicious software (malware) designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user, with the potential to steal personal information, disrupt operations, or hold data for ransom. Built by d	Unspecified	2
The Ryuk Malware is associated with Bazarloader. Ryuk is a type of malware known as ransomware, which has been utilized by the threat group ITG23 for several years. This group has been notorious for crypting their malware, with crypters seen in use with other malware such as Trickbot, Emotet, Cobalt Strike, and Ryuk. In 2019, most ransomware inves	Unspecified	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The ITG23 Threat Actor is associated with Bazarloader. ITG23, also known as the Trickbot/Conti syndicate, is a significant threat actor that has been active since 2016 in the East European cybercrime arena. This group is renowned for its use of Reflective DLL Injection code in many of its crypters, with the presence of these crypters on a file sample be	Unspecified	2

Source Document References

Information about the Bazarloader Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
InfoSecurity-magazine	a month ago	Netskope Reports Possible Bumblebee Loader Resurgence
Securityaffairs	a month ago	Experts warn of a new wave of Bumblebee malware attacks
CERT-EU	a year ago	Microsoft disables MSIX protocol handler abused in malware attacks
MITRE	a year ago	Trickbot Rising — Gang Doubles Down on Infection Efforts to Amass Network Footholds
SecurityIntelligence.com	a year ago	ITG23 Crypters Highlight Cooperation Between Cybercriminal Groups
CERT-EU	a year ago	Bumblebee Malware Abuses WebDAV Protocol to Attack Organizations
BankInfoSecurity	a year ago	Cybercrime Tremors: Experts Forecast Qakbot Resurgence
Flashpoint	a year ago	Qakbot Takedown: A Brief Victory in the Fight Against Resilient Malware
MITRE	2 years ago	Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser \| Mandiant
BankInfoSecurity	2 years ago	Stung by Free Decryptor, Ransomware Group Embraces Extortion
MITRE	2 years ago	Wizard Spider Modifies and Expands Toolset [Adversary Update]
MITRE	2 years ago	Ransomware Activity Targeting the Healthcare and Public Health Sector \| CISA
MITRE	2 years ago	SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot
CERT-EU	2 years ago	Cyber security week in review: April 28, 2023
CERT-EU	2 years ago	Analysis of Ransomware Attack Timelines \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware – National Cyber Security Consulting
MITRE	2 years ago	Bumblebee: New Loader Rapidly Assuming Central Position in Cyber-crime Ecosystem
MITRE	2 years ago	CONTInuing the Bazar Ransomware Story
CERT-EU	2 years ago	UK cracks down on ransomware actors \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware - National Cyber Security
CERT-EU	a year ago	New strain of JavaScript dropper delivers Bumblebee and IcedID malware
SecurityIntelligence.com	a year ago	The Trickbot/Conti Crypters: Where Are They Now?