BazarLoader

Malware Profile Updated 25 days ago
BazarLoader is a form of malware that has been used extensively by ITG23, a cybercriminal group. It infiltrates systems via suspicious downloads, emails, or websites and can then be used to steal personal information, disrupt operations, or hold data for ransom. ITG23 has used BazarLoader in conjunction with other malware such as Trickbot and Conti, crypting these malicious programs to compromise systems further. Other groups, such as those behind IcedID and Emotet, have also been observed using these crypters. The malware has been associated with payloads within Emotet, Trickbot, IcedID, Conti, and Cobalt Strike, demonstrating its wide-ranging application.

BazarLoader has been distributed through various vulnerabilities and platforms. For instance, the AppX Installer spoofing vulnerability was exploited to distribute BazarLoader using malicious packages hosted on Microsoft Azure, with the malware delivered via URLs ending in *.web.core.windows.net.

BazarLoader and Trickbot deliveries were often followed by ransomware attacks, including those involving Conti. An increase in Trickbot and BazarLoader deliveries since June 2021 corresponded to a surge in Conti ransomware attacks during that summer. ITG23 has adapted to the ransomware economy by creating the Conti ransomware-as-a-service (RaaS) and using its BazarLoader and Trickbot payloads to establish a foothold for ransomware attacks. BazarLoader samples have been observed downloading Trickbot, suggesting that access gained through these campaigns could be used to initiate a ransomware attack.

In certain instances, clicking on a link downloads a ZIP archive containing a malicious JScript downloader. This script contacts a URL on newly created domains to download BazarLoader, which in turn downloads Cobalt Strike and a PowerShell script that exploits the PrintNightmare vulnerability.
Possible Aliases / Cluster Overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you may also want to look at.

IcedID (3 votes): IcedID is a type of malware that was first discovered in 2017 and has been described as a banking Trojan and remote access Trojan. It can infect systems through suspicious downloads, emails, or websites, often without the user's knowledge, and once inside, it can steal personal information, disrupt

BazarBackdoor (2 votes): BazarBackdoor is a type of malware developed by ITG23, first identified in April 2020. It is commonly distributed via contact forms on corporate websites, bypassing regular phishing emails, which makes it harder to detect. The malware is often associated with BazarLoader, both of which were used ext
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Malware
Exploit
Cobalt Strike
Payload
Extortion
Backdoor
Loader
RaaS
Vulnerability
Associated Malware
TrickBot (type unspecified, 4 votes): TrickBot is a notorious malware that has gained prominence due to its destructive capabilities. This malicious software, designed to exploit and damage computer systems, infiltrates devices through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, TrickBot c

Conti (type unspecified, 4 votes): Conti is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them, often stealing personal information or disrupting operations. This malicious software has been used in conjunction with other forms of malware such as Trickbot, BazarLoader, IcedID, and Cobalt S

Emotet (type unspecified, 4 votes): Emotet is a notorious malware that has been active for over a decade, known for its ability to infiltrate and manipulate email accounts. It tricks individuals into downloading infected files or clicking on malicious links, thus spreading its influence. It was a major player in the malware delivery b

Bumblebee (type unspecified, 3 votes): Bumblebee is a malicious software (malware) that was first identified in March 2022 and has been utilized by various cybercriminal groups as an initial access loader to deliver different payloads, including infostealers, banking Trojans, and post-compromise tools. The malware infects systems through

Diavol (type unspecified, 3 votes): Diavol is a type of malware, specifically ransomware, that infiltrates systems to exploit and cause damage. It can infect systems through various channels such as suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, Diavol can steal personal information, disrupt ope

Ryuk (type unspecified, 2 votes): Ryuk is a type of malware, specifically ransomware, that has been used extensively by the group ITG23. The group has been encrypting their malware for several years, using crypters with malware such as Trickbot, Emotet, Cobalt Strike, and Ryuk. In 2019, most ransomware investigations were linked to

QakBot (type unspecified, 2 votes): Qakbot, also known as QBot, is a versatile and malicious software that can perform various harmful actions such as brute-forcing, web injects, and loading other malware. It is used to steal credentials and gather sensitive information. The malware is built by different groups including IcedID, Emote
Associated Threat Actors
ITG23 (type unspecified, 2 votes): ITG23, also known as the Trickbot/Conti syndicate, is a significant threat actor that has been active since 2016 in the East European cybercrime arena. This group is renowned for its use of Reflective DLL Injection code in many of its crypters, with the presence of these crypters on a file sample be
Associated Vulnerabilities
No associations to display.
Source Document References
Information about the BazarLoader malware was read from the document corpus below. This display is limited to 20 results.
SecurityIntelligence.com, 6 months ago: ITG23 Crypters Highlight Cooperation Between Cybercriminal Groups
MITRE, 6 months ago: Trickbot Rising — Gang Doubles Down on Infection Efforts to Amass Network Footholds
SecurityIntelligence.com, a year ago: The Trickbot/Conti Crypters: Where Are They Now?
MITRE, a year ago: Exposing initial access broker with ties to Conti
MITRE, a year ago: Wizard Spider Modifies and Expands Toolset [Adversary Update]
MITRE, a year ago: Diavol Ransomware
MITRE, a year ago: CONTInuing the Bazar Ransomware Story
MITRE, a year ago: Ransomware Activity Targeting the Healthcare and Public Health Sector | CISA
CERT-EU, 5 months ago: Microsoft disables MSIX protocol handler abused in malware attacks
MITRE, a year ago: SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot
BankInfoSecurity, 9 months ago: Cybercrime Tremors: Experts Forecast Qakbot Resurgence
MITRE, a year ago: Bumblebee: New Loader Rapidly Assuming Central Position in Cyber-crime Ecosystem
CERT-EU, a year ago: Analysis of Ransomware Attack Timelines | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware – National Cyber Security Consulting
MITRE, a year ago: A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak
CERT-EU, 8 months ago: Bumblebee Malware Abuses WebDAV Protocol to Attack Organizations
CERT-EU, a year ago: UK cracks down on ransomware actors | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware - National Cyber Security
BankInfoSecurity, a year ago: Stung by Free Decryptor, Ransomware Group Embraces Extortion
Flashpoint, 9 months ago: Qakbot Takedown: A Brief Victory in the Fight Against Resilient Malware
MITRE, a year ago: Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser | Mandiant
CERT-EU, a year ago: New strain of JavaScript dropper delivers Bumblebee and IcedID malware