Team9

Malware updated 4 months ago (2024-05-04T18:28:42.346Z)
Team9 is a malware family that poses a significant threat to computer systems and data. Its operation begins with the Team9 loader; examination of the loader shows that it uses an XOR key derived from the infection date in YYYYMMDD format (ISO 8601). The loader downloads an XOR-encoded payload from a remote server, decodes it, and injects the payload into a target process using techniques such as process hollowing or process doppelgänging. A development version of this loader, labelled 'team9 loader', was discovered and analyzed, yielding these insights.

Following the initial loading phase, the Bazar loader takes over and downloads its payload, the Bazar backdoor, which is decrypted using the same method as the Team9 variant. For clarity in analysis and discussion, the term "Team9" refers to the development versions of the malware, while "Bazar" refers to the operational versions. An early development version of the malware, namely the Team9 backdoor, was also examined, giving further insight into the malware's evolution and operation.

The operators behind Team9, tracked under various names including "WIZARD SPIDER," "UNC1878," and "Team9," use a range of malware tools including TrickBot, Anchor, Bazar, Ryuk, and others. Understanding their tactics, techniques, and procedures (TTPs) is crucial, especially the TTPs employed before any data encryption occurs. Beyond examining the Ryuk ransomware itself, studying the operators and their TTPs is essential to fully comprehend the threat posed by Team9.
Description last updated: 2024-05-04T18:06:37.778Z
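The description states that the loader's XOR key is the infection date in YYYYMMDD form and that the downloaded payload is XOR-encoded. The Python below is an added example written for analysts; it is not code from this page or from any of the cited reports. It assumes the key is the eight ASCII digits of the date applied as a repeating XOR key over the whole blob (the page does not confirm this byte-level detail) and it runs on a constructed, harmless sample blob rather than real malware. Given a captured blob and a window of plausible infection dates, it tries each date and accepts a decoding only if a structural DOS/PE header check passes. Checking only for a leading "MZ" would be useless here: every 20xx key begins with the same two digits, so the first two bytes decode identically for every date in the century.

```python
from datetime import date, timedelta
from typing import Optional, Tuple

# Constructed sample infection date for the demonstration (not from the page).
SAMPLE_INFECTION_DATE = date(2020, 3, 15)


def date_key(d: date) -> bytes:
    """YYYYMMDD (ISO 8601 basic) form of a date as an 8-byte ASCII XOR key.

    Assumption: the page says the key is the infection date in YYYYMMDD form;
    treating it as the ASCII digit string is this example's assumption.
    """
    return d.strftime("%Y%m%d").encode("ascii")


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key. XOR is its own inverse, so one
    function both encodes the sample and decodes a captured blob."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_sample_plaintext() -> bytes:
    """Constructed, harmless stand-in for a PE payload: a 64-byte DOS header
    whose e_lfanew field (offset 0x3C) points at 0x40, followed by the
    'PE\\0\\0' signature and filler text. It is not an executable."""
    header = bytearray(64)
    header[0:2] = b"MZ"
    header[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(header) + b"PE\x00\x00" + b"constructed sample payload, not a real binary"


def build_sample_blob() -> bytes:
    """What a defender would have captured: the sample XOR-encoded with the
    key derived from the (constructed) infection date."""
    return xor_with_key(build_sample_plaintext(), date_key(SAMPLE_INFECTION_DATE))


def looks_like_pe(data: bytes) -> bool:
    """Structural check: 'MZ' magic, then 'PE\\0\\0' at the offset e_lfanew names.
    With an 8-byte key, the e_lfanew bytes (0x3C..0x3F) are XORed with the
    MMDD digits and the PE signature (0x40..0x43) with the YYYY digits, so a
    wrong date corrupts one or the other; 'MZ' alone does not discriminate."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_infection_date(blob: bytes, start_year: int, end_year: int) -> Optional[Tuple[date, bytes]]:
    """Try every date from 1 Jan start_year to 31 Dec end_year as the key and
    return (date, decoded_payload) for the first that yields a PE-shaped
    result, or None if no date in the window works."""
    d = date(start_year, 1, 1)
    last = date(end_year, 12, 31)
    while d <= last:
        candidate = xor_with_key(blob, date_key(d))
        if looks_like_pe(candidate):
            return d, candidate
        d += timedelta(days=1)
    return None


if __name__ == "__main__":
    captured = build_sample_blob()
    hit = recover_infection_date(captured, 2019, 2021)
    if hit is None:
        print("no date in the window decodes the blob to a PE-shaped payload")
    else:
        print(f"infection date {hit[0].isoformat()} decodes {len(hit[1])} bytes to a PE-shaped payload")
```

On a real capture the window would be bounded by the incident timeline (first observed beaconing, host build date, proxy logs), and the structural check should be tightened further, for example by parsing the PE optional header, before trusting the decoded bytes for further analysis.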
Aliases: none currently tracked
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Source Document References
Information about the Team9 malware was read from the document corpus below.

Source   Created       Title
MITRE    2 years ago   A Bazar of Tricks: Following Team9's Development Cycles
MITRE    2 years ago   A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak
MITRE    2 years ago   Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser | Mandiant
MITRE    2 years ago   In-depth analysis of the new Team9 malware family