Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Bazar

Bazar is a downloader and backdoor that has been used since at least April 2020, with infections primarily against professional services, healthcare, manufacturing, IT, logistics and travel companies across the US and Europe. Bazar reportedly has ties to TrickBot campaigns and can be used to deploy additional malware, including ransomware, and to steal sensitive data.(Citation: Cybereason Bazar July 2020)
ID: S0534
Associated Software: Team9 KEGTAP Bazaloader
Type: MALWARE
Platforms: Windows
Version: 2.0
Created: 18 Nov 2020
Last Modified: 04 Dec 2023

Associated Software Descriptions

Name Description
Team9 (Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020)
KEGTAP (Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: CrowdStrike Wizard Spider October 2020)
Bazaloader (Citation: Microsoft Ransomware as a Service)

Techniques Used

Domain ID Name Use
Enterprise T1087 .001 Account Discovery: Local Account

Bazar can identify administrator accounts on an infected host.(Citation: NCC Group Team9 June 2020)

.002 Account Discovery: Domain Account

Bazar has the ability to identify domain administrator accounts.(Citation: NCC Group Team9 June 2020)(Citation: DFIR Ryuk's Return October 2020)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Bazar can use HTTP and HTTPS over ports 80 and 443 in C2 communications.(Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020)(Citation: DFIR Conti Bazar Nov 2021)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Bazar can create or add files to Registry Run Keys to establish persistence.(Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020)

.004 Boot or Logon Autostart Execution: Winlogon Helper DLL

Bazar can use Winlogon Helper DLL to establish persistence.(Citation: Zscaler Bazar September 2020)

.009 Boot or Logon Autostart Execution: Shortcut Modification

Bazar can establish persistence by writing shortcuts to the Windows Startup folder.(Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Bazar can execute a PowerShell script received from C2.(Citation: NCC Group Team9 June 2020)(Citation: CrowdStrike Wizard Spider October 2020)

.003 Command and Scripting Interpreter: Windows Command Shell

Bazar can launch cmd.exe to perform reconnaissance commands.(Citation: Cybereason Bazar July 2020)(Citation: Zscaler Bazar September 2020)

Enterprise T1568 .002 Dynamic Resolution: Domain Generation Algorithms

Bazar can implement DGA using the current date as a seed variable.(Citation: Cybereason Bazar July 2020)

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Bazar can send C2 communications with XOR encryption.(Citation: NCC Group Team9 June 2020)

.002 Encrypted Channel: Asymmetric Cryptography

Bazar can use TLS in C2 communications.(Citation: Zscaler Bazar September 2020)

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Bazar has manually loaded ntdll from disk in order to identity and remove API hooks set by security products.(Citation: NCC Group Team9 June 2020)

Enterprise T1070 .004 Indicator Removal: File Deletion

Bazar can delete its loader using a batch file in the Windows temporary folder.(Citation: NCC Group Team9 June 2020)

.009 Indicator Removal: Clear Persistence

Bazar's loader can delete scheduled tasks created by a previous instance of the malware.(Citation: NCC Group Team9 June 2020)

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

Bazar can create a task named to appear benign.(Citation: Cybereason Bazar July 2020)

.005 Masquerading: Match Legitimate Name or Location

The Bazar loader has named malicious shortcuts "adobe" and mimicked communications software.(Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020)(Citation: CrowdStrike Wizard Spider October 2020)

.007 Masquerading: Double File Extension

The Bazar loader has used dual-extension executable files such as PreviewReport.DOC.exe.(Citation: Cybereason Bazar July 2020)

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

Bazar has a variant with a packed payload.(Citation: Cybereason Bazar July 2020)(Citation: Zscaler Bazar September 2020)

.007 Obfuscated Files or Information: Dynamic API Resolution

Bazar can hash then resolve API calls at runtime.(Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020)

.013 Obfuscated Files or Information: Encrypted/Encoded File

Bazar has used XOR, RSA2, and RC4 encrypted files.(Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020)(Citation: CrowdStrike Wizard Spider October 2020)

Enterprise T1566 .002 Phishing: Spearphishing Link

Bazar has been spread via emails with embedded malicious links.(Citation: Cybereason Bazar July 2020)(Citation: Zscaler Bazar September 2020)(Citation: CrowdStrike Wizard Spider October 2020)

Enterprise T1055 .012 Process Injection: Process Hollowing

Bazar can inject into a target process including Svchost, Explorer, and cmd using process hollowing.(Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020)

.013 Process Injection: Process Doppelgänging

Bazar can inject into a target process using process doppelgänging.(Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Bazar can create a scheduled task for persistence.(Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020)

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Bazar can identify the installed antivirus engine.(Citation: Cybereason Bazar July 2020)

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Bazar has been signed with fake certificates including those appearing to be from VB CORPORATE PTY. LTD.(Citation: Cybereason Bazar July 2020)

Enterprise T1614 .001 System Location Discovery: System Language Discovery

Bazar can perform a check to ensure that the operating system's keyboard and language settings are not set to Russian.(Citation: NCC Group Team9 June 2020)

Enterprise T1204 .001 User Execution: Malicious Link

Bazar can gain execution after a user clicks on a malicious link to decoy landing pages hosted on Google Docs.(Citation: Cybereason Bazar July 2020)(Citation: Zscaler Bazar September 2020)(Citation: CrowdStrike Wizard Spider October 2020)

Enterprise T1497 .003 Virtualization/Sandbox Evasion: Time Based Evasion

Bazar can use a timer to delay execution of core functionality.(Citation: NCC Group Team9 June 2020)

Groups That Use This Software

ID Name References
G1011 EXOTIC LILY

(Citation: Google EXOTIC LILY March 2022)

G0102 Wizard Spider

(Citation: Microsoft Ransomware as a Service) (Citation: CrowdStrike Wizard Spider October 2020)

(Citation: DFIR Conti Bazar Nov 2021)

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.