Team9

Malware Profile Updated 3 months ago
Team9 is a malware family whose infection chain begins with the Team9 loader. Examination of the loader shows that its XOR key is the infection date in YYYYMMDD format (ISO 8601). The loader downloads an XOR-encoded payload from a remote server, decodes it, and injects the payload into a target process using techniques such as process hollowing or process doppelgänging. A development version of this loader, labelled 'team9 loader', was discovered and analyzed, and these insights come from that analysis. After the initial loading phase, the Bazar loader takes over and downloads its payload, the Bazar backdoor, which is decrypted using the same method as the Team9 variant. For clarity in analysis and discussion, the term "Team9" refers to the development versions of the malware, while "Bazar" refers to the operational versions. An early development version of the backdoor, the Team9 backdoor, was also examined, giving further insight into the malware's evolution and operation. The operators behind Team9, tracked under names including "WIZARD SPIDER," "UNC1878," and "Team9," use a range of malware tools including TrickBot, Anchor, Bazar, Ryuk, and others. Their tactics, techniques, and procedures (TTPs) are crucial to understand, especially those employed before any data encryption occurs: beyond examining the Ryuk ransomware itself, studying the operators and their TTPs is essential to fully understand the threat Team9 poses.
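An analyst-side decoder for the loader's XOR scheme, added here as an example (not code from this page, from Cybergeist, or from any vendor report). It assumes the key is the ASCII string YYYYMMDD applied cyclically and that the decoded payload is a PE file; when the infection date is not known from telemetry it brute-forces a date range and stops at the first key that yields a valid PE header.

```python
import datetime
import struct

# Assumption (not stated on the page): the key is the 8-byte ASCII date "YYYYMMDD"
# applied cyclically, and the decoded payload is a PE file (the page says it is
# injected via process hollowing, which implies one).


def date_key(day: datetime.date) -> bytes:
    """Key derived from the infection date in ISO 8601 basic format (YYYYMMDD)."""
    return day.strftime("%Y%m%d").encode("ascii")


def xor_cycle(data: bytes, key: bytes) -> bytes:
    """XOR `data` with `key` repeated cyclically; the operation is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(buf: bytes) -> bool:
    """Cheap PE sanity check: 'MZ' at offset 0 and 'PE\\0\\0' at e_lfanew (offset 0x3C)."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    return e_lfanew + 4 <= len(buf) and buf[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_infection_date(blob: bytes, start: datetime.date, end: datetime.date):
    """Try every date in [start, end] as the key; return (date, decoded) for the
    first candidate that decodes to a valid PE header, or None if none does."""
    day = start
    while day <= end:
        decoded = xor_cycle(blob, date_key(day))
        if looks_like_pe(decoded):
            return day, decoded
        day += datetime.timedelta(days=1)
    return None


# Constructed sample: a minimal PE-shaped buffer, not a real binary.
SAMPLE_PE = bytearray(b"MZ" + b"\x90" * 0x3A)      # DOS header up to e_lfanew
SAMPLE_PE += struct.pack("<I", 0x40)               # e_lfanew -> 0x40
SAMPLE_PE += b"PE\0\0" + b"\xCC" * 28              # PE signature + filler
SAMPLE_DATE = datetime.date(2020, 4, 15)           # constructed infection date
ENCODED_SAMPLE = xor_cycle(bytes(SAMPLE_PE), date_key(SAMPLE_DATE))


def demo(year: int = 2020):
    """Search one calendar year for the key; return the date as ISO text or None."""
    found = recover_infection_date(ENCODED_SAMPLE, datetime.date(year, 1, 1), datetime.date(year, 12, 31))
    return found[0].isoformat() if found else None


if __name__ == "__main__":
    print(demo())
```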
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Bazar | 1 | "Bazar" is a form of malware, a malicious software designed to exploit and damage computer systems. This harmful program can infiltrate systems via suspicious downloads, emails, or websites, often unbeknownst to the user. Once it gains access, it can steal personal information, disrupt operations, o
Bazarbackdoor | 1 | BazarBackdoor is a type of malware developed by ITG23, first identified in April 2020. It is commonly distributed via contact forms on corporate websites, bypassing regular phishing emails, which makes it harder to detect. The malware is often associated with BazarLoader, both of which were used ext
Bazarloader | 1 | BazarLoader is a form of malware that has been utilized extensively by ITG23, a cybercriminal group. This harmful software infiltrates systems via suspicious downloads, emails, or websites, potentially stealing personal information, disrupting operations, or holding data for ransom. ITG23 has used B
Bazar Loader | 1 | Bazar Loader is a type of malware that infiltrates systems through phishing emails containing links to Google Drive, where the payload is stored. It's associated with the threat actors behind Trickbot and Anchor malware, as evidenced by our previous research from December 2019. The Bazar loader and
Bazar Backdoor | 1 | The Bazar Backdoor is a malicious software (malware) that infiltrates systems through suspicious downloads, emails, or websites. Named after its use of EmerDNS blockchain domains, the Bazar loader and Bazar backdoor are associated with the threat actors behind Trickbot, Anchor malware, and other cyb
Team9 Backdoor | 1 | Team9 backdoor is a malicious software designed to exploit and damage computer systems. It infiltrates the system through suspicious downloads, emails, or websites, often without the user's knowledge, and can steal personal information, disrupt operations, or hold data hostage for ransom. The malwar
Team9 Loader | 1 | The Team9 loader is a type of malware that infiltrates systems, often without the user's knowledge, through suspicious downloads, emails, or websites. The initial examination focused on the early variant of the Team9 loader, which used specific domains such as bestgame[.]bazar and forgame[.]bazar to
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Malware
Loader
Windows
Bot
Encrypt
Ransomware
Payload
Associated Malware
ID | Type | Votes | Profile Description
TrickBot | Unspecified | 1 | TrickBot is a notorious form of malware that infiltrates systems to exploit and damage them, often through suspicious downloads, emails, or websites. Once it has breached a system, TrickBot can steal personal information, disrupt operations, and even hold data hostage for ransom. It has been linked
Ryuk | Unspecified | 1 | Ryuk is a sophisticated malware, specifically a ransomware variant, that has been extensively used by cybercriminal group ITG23. The group has been employing crypting techniques for several years to obfuscate their malware, with Ryuk often seen in tandem with other malicious software such as Trickbo
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Team9 malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
MITRE | a year ago | A Bazar of Tricks: Following Team9's Development Cycles
MITRE | a year ago | A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak
MITRE | a year ago | Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser | Mandiant
MITRE | a year ago | In-depth analysis of the new Team9 malware family