
Bazar

Bazar is a downloader and backdoor that has been used since at least April 2020, with infections primarily against professional services, healthcare, manufacturing, IT, logistics and travel companies across the US and Europe. Bazar reportedly has ties to TrickBot campaigns and can be used to deploy additional malware, including ransomware, and to steal sensitive data.(Citation: Cybereason Bazar July 2020)
ID: S0534
Associated Software: Team9, KEGTAP
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 18 Nov 2020
Last Modified: 29 Sep 2022

Associated Software Descriptions

Name Description
Team9 (Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020)
KEGTAP (Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: CrowdStrike Wizard Spider October 2020)

Techniques Used

Domain ID Name Use
Enterprise T1087 .001 Account Discovery: Local Account

Bazar can identify administrator accounts on an infected host.(Citation: NCC Group Team9 June 2020)

Enterprise T1087 .002 Account Discovery: Domain Account

Bazar has the ability to identify domain administrator accounts.(Citation: NCC Group Team9 June 2020)(Citation: DFIR Ryuk's Return October 2020)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Bazar can use HTTP and HTTPS over ports 80 and 443 in C2 communications.(Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020)(Citation: DFIR Conti Bazar Nov 2021)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Bazar can create or add files to Registry Run Keys to establish persistence.(Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020)

Enterprise T1547 .004 Boot or Logon Autostart Execution: Winlogon Helper DLL

Bazar can use Winlogon Helper DLL to establish persistence.(Citation: Zscaler Bazar September 2020)

Enterprise T1547 .009 Boot or Logon Autostart Execution: Shortcut Modification

Bazar can establish persistence by writing shortcuts to the Windows Startup folder.(Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Bazar can execute a PowerShell script received from C2.(Citation: NCC Group Team9 June 2020)(Citation: CrowdStrike Wizard Spider October 2020)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Bazar can launch cmd.exe to perform reconnaissance commands.(Citation: Cybereason Bazar July 2020)(Citation: Zscaler Bazar September 2020)

Enterprise T1568 .002 Dynamic Resolution: Domain Generation Algorithms

Bazar can implement DGA using the current date as a seed variable.(Citation: Cybereason Bazar July 2020)

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Bazar can send C2 communications with XOR encryption.(Citation: NCC Group Team9 June 2020)

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

Bazar can use TLS in C2 communications.(Citation: Zscaler Bazar September 2020)

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Bazar has manually loaded ntdll from disk in order to identify and remove API hooks set by security products.(Citation: NCC Group Team9 June 2020)

Enterprise T1070 .004 Indicator Removal: File Deletion

Bazar can delete its loader using a batch file in the Windows temporary folder.(Citation: NCC Group Team9 June 2020)

Enterprise T1070 .009 Indicator Removal: Clear Persistence

Bazar's loader can delete scheduled tasks created by a previous instance of the malware.(Citation: NCC Group Team9 June 2020)

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

Bazar can create a task named to appear benign.(Citation: Cybereason Bazar July 2020)

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

The Bazar loader has named malicious shortcuts "adobe" and mimicked communications software.(Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020)(Citation: CrowdStrike Wizard Spider October 2020)

Enterprise T1036 .007 Masquerading: Double File Extension

The Bazar loader has used dual-extension executable files such as PreviewReport.DOC.exe.(Citation: Cybereason Bazar July 2020)

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

Bazar has a variant with a packed payload.(Citation: Cybereason Bazar July 2020)(Citation: Zscaler Bazar September 2020)

Enterprise T1027 .007 Obfuscated Files or Information: Dynamic API Resolution

Bazar can hash then resolve API calls at runtime.(Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020)

Enterprise T1566 .002 Phishing: Spearphishing Link

Bazar has been spread via emails with embedded malicious links.(Citation: Cybereason Bazar July 2020)(Citation: Zscaler Bazar September 2020)(Citation: CrowdStrike Wizard Spider October 2020)

Enterprise T1055 .012 Process Injection: Process Hollowing

Bazar can inject into a target process including Svchost, Explorer, and cmd using process hollowing.(Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020)

Enterprise T1055 .013 Process Injection: Process Doppelgänging

Bazar can inject into a target process using process doppelgänging.(Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Bazar can create a scheduled task for persistence.(Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020)

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Bazar can identify the installed antivirus engine.(Citation: Cybereason Bazar July 2020)

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Bazar has been signed with fake certificates including those appearing to be from VB CORPORATE PTY. LTD.(Citation: Cybereason Bazar July 2020)

Enterprise T1614 .001 System Location Discovery: System Language Discovery

Bazar can perform a check to ensure that the operating system's keyboard and language settings are not set to Russian.(Citation: NCC Group Team9 June 2020)

Enterprise T1204 .001 User Execution: Malicious Link

Bazar can gain execution after a user clicks on a malicious link to decoy landing pages hosted on Google Docs.(Citation: Cybereason Bazar July 2020)(Citation: Zscaler Bazar September 2020)(Citation: CrowdStrike Wizard Spider October 2020)

Enterprise T1497 .003 Virtualization/Sandbox Evasion: Time Based Evasion

Bazar can use a timer to delay execution of core functionality.(Citation: NCC Group Team9 June 2020)

Groups That Use This Software

ID Name References
G1011 EXOTIC LILY (Citation: Google EXOTIC LILY March 2022)
G0102 Wizard Spider (Citation: CrowdStrike Wizard Spider October 2020)(Citation: DFIR Conti Bazar Nov 2021)
