Bazar
Associated Software Descriptions

Name | Description
---|---
Team9 | (Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020)
KEGTAP | (Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: CrowdStrike Wizard Spider October 2020)
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1087.001 | Account Discovery: Local Account | Bazar can identify administrator accounts on an infected host.(Citation: NCC Group Team9 June 2020)
Enterprise | T1087.002 | Account Discovery: Domain Account | Bazar has the ability to identify domain administrator accounts.(Citation: NCC Group Team9 June 2020)(Citation: DFIR Ryuk's Return October 2020)
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Bazar can use HTTP and HTTPS over ports 80 and 443 in C2 communications.(Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020)(Citation: DFIR Conti Bazar Nov 2021)
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Bazar can create or add files to Registry Run Keys to establish persistence.(Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020)
Enterprise | T1547.004 | Boot or Logon Autostart Execution: Winlogon Helper DLL | Bazar can use a Winlogon Helper DLL to establish persistence.(Citation: Zscaler Bazar September 2020)
Enterprise | T1547.009 | Boot or Logon Autostart Execution: Shortcut Modification | Bazar can establish persistence by writing shortcuts to the Windows Startup folder.(Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020)
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Bazar can execute a PowerShell script received from C2.(Citation: NCC Group Team9 June 2020)(Citation: CrowdStrike Wizard Spider October 2020)
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Bazar can launch cmd.exe to perform reconnaissance commands.(Citation: Cybereason Bazar July 2020)(Citation: Zscaler Bazar September 2020)
Enterprise | T1568.002 | Dynamic Resolution: Domain Generation Algorithms | Bazar can implement a DGA using the current date as a seed variable.(Citation: Cybereason Bazar July 2020)
Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | Bazar can send C2 communications with XOR encryption.(Citation: NCC Group Team9 June 2020)
Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | Bazar can use TLS in C2 communications.(Citation: Zscaler Bazar September 2020)
Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | Bazar has manually loaded ntdll from disk in order to identify and remove API hooks set by security products.(Citation: NCC Group Team9 June 2020)
Enterprise | T1070.004 | Indicator Removal: File Deletion | Bazar can delete its loader using a batch file in the Windows temporary folder.(Citation: NCC Group Team9 June 2020)
Enterprise | T1070.009 | Indicator Removal: Clear Persistence | Bazar's loader can delete scheduled tasks created by a previous instance of the malware.(Citation: NCC Group Team9 June 2020)
Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | Bazar can create a task named to appear benign.(Citation: Cybereason Bazar July 2020)
Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | The Bazar loader has named malicious shortcuts "adobe" and mimicked communications software.(Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020)(Citation: CrowdStrike Wizard Spider October 2020)
Enterprise | T1036.007 | Masquerading: Double File Extension | The Bazar loader has used dual-extension executable files such as PreviewReport.DOC.exe.(Citation: Cybereason Bazar July 2020)
Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | Bazar has a variant with a packed payload.(Citation: Cybereason Bazar July 2020)(Citation: Zscaler Bazar September 2020)
Enterprise | T1027.007 | Obfuscated Files or Information: Dynamic API Resolution | Bazar can hash and then resolve API calls at runtime.(Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020)
Enterprise | T1566.002 | Phishing: Spearphishing Link | Bazar has been spread via emails with embedded malicious links.(Citation: Cybereason Bazar July 2020)(Citation: Zscaler Bazar September 2020)(Citation: CrowdStrike Wizard Spider October 2020)
Enterprise | T1055.012 | Process Injection: Process Hollowing | Bazar can inject into a target process, including Svchost, Explorer, and cmd, using process hollowing.(Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020)
Enterprise | T1055.013 | Process Injection: Process Doppelgänging | Bazar can inject into a target process using process doppelgänging.(Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020)
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Bazar can create a scheduled task for persistence.(Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020)
Enterprise | T1518.001 | Software Discovery: Security Software Discovery | Bazar can identify the installed antivirus engine.(Citation: Cybereason Bazar July 2020)
Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | Bazar has been signed with fake certificates, including ones appearing to be from VB CORPORATE PTY. LTD.(Citation: Cybereason Bazar July 2020)
Enterprise | T1614.001 | System Location Discovery: System Language Discovery | Bazar can perform a check to ensure that the operating system's keyboard and language settings are not set to Russian.(Citation: NCC Group Team9 June 2020)
Enterprise | T1204.001 | User Execution: Malicious Link | Bazar can gain execution after a user clicks on a malicious link to decoy landing pages hosted on Google Docs.(Citation: Cybereason Bazar July 2020)(Citation: Zscaler Bazar September 2020)(Citation: CrowdStrike Wizard Spider October 2020)
Enterprise | T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion | Bazar can use a timer to delay execution of core functionality.(Citation: NCC Group Team9 June 2020)
Groups That Use This Software

ID | Name | References
---|---|---
G1011 | EXOTIC LILY | (Citation: Google EXOTIC LILY March 2022)
G0102 | Wizard Spider | (Citation: CrowdStrike Wizard Spider October 2020)(Citation: DFIR Conti Bazar Nov 2021)
References
- Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.
- Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020.
- Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.
- Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021.
- The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020.
- Sadique, M. and Singh, A. (2020, September 29). Spear Phishing Campaign Delivers Buer and Bazar Malware. Retrieved November 19, 2020.
- Stolyarov, V. (2022, March 17). Exposing initial access broker with ties to Conti. Retrieved August 18, 2022.
- The DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.