Since April 2020, the Cybereason Nocturnus team has been investigating the emergence of the Bazar malware, a loader and backdoor used to collect data about the infected machine and to deploy additional malware. In this analysis, we show how the Bazar malware is sent via phishing emails that take advantage of the ongoing coronavirus pandemic, employee payroll reports, and customer complaints. The Bazar malware appears to have strong ties to Trickbot campaigns resembling those seen in the Trickbot-Anchor collaboration from December 2019. After further investigation, it is clear that the same infection chain delivers the Bazar loader instead of the usual Trickbot downloader.
The Bazar loader and Bazar backdoor are named after their use of EmerDNS blockchain domains under the .bazar top-level domain. EmerDNS names are resolved from the Emercoin blockchain rather than through ICANN registrars, so they cannot be seized or sinkholed through the usual takedown process, which is why their use has been trending among cybercriminals.
The Bazar loader gives the attacker its initial foothold in the environment, while the Bazar backdoor establishes persistence. Together, the loader and backdoor give threat actors the opportunity to deploy other payloads such as ransomware, and post-exploitation frameworks like CobaltStrike, as well as exfiltrate data and remotely execute commands on infected machines. The Bazar backdoor can lead to disrupted business continuity, data loss, and full compromise, undermining trust in an organization.
There are several different versions of the Bazar backdoor and its loader, which shows that the malware is under active development. This writeup dissects the Bazar loader and backdoor functionality alongside elements that show its ties to Trickbot collaborations similar to that of Trickbot-Anchor from 2019. Our analysis focuses mainly on the Bazar loader, which our findings from its recent re-emergence show to be especially evasive.
Whereas more common Trickbot campaigns use malicious file attachments to launch Microsoft Office macros and download Trickbot, this campaign initially infects hosts with the Bazar loader via phishing emails sent using the Sendgrid email marketing platform. These emails contain links to decoy landing pages for document previews hosted in Google Docs.
The Bazar loader files are dual-extension executable files (such as PreviewReport.DOC.exe) signed with fake certificates such as VB CORPORATE PTY. LTD. This is consistent with the Trickbot group, which notoriously abuses the trust of certificate authorities by using signed loaders and malware to evade security product detection. Signed malware was seen in Trickbot-Anchor infections and will continue to play a role in future campaigns due to the ease of obtaining code-signing certificates and their effectiveness in evading security products.
The Team9 loader is examined first; then, we analyze the operational Bazar loader. Finally, we analyze an early development version of the malware, which is the Team9 backdoor. We summarize changes between loaders and backdoor versions as they are developed over time in the tables below.
To download the Bazar backdoor, the loader communicates with a remote server that returns the payload in encrypted form. On first inspection the payload has no valid PE header. Reversing the Team9 loader sample shows that the payload is XOR-encrypted with the infection date as the key, written as YYYYMMDD (the ISO 8601 basic format), so the same download decrypts differently depending on the day it was fetched.
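As an added example (not Cybereason's tooling or code from the sample), the following Python script recovers a date-keyed payload when the infection date is unknown: it walks a date window, XORs the blob with each candidate YYYYMMDD key, and stops at the first result that carries a plausible PE header. The date window and the fake PE stand-in built by build_sample are constructed for this example; the real backdoor image is not reproduced here.

```python
import datetime as dt


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the loader's date key is 8 ASCII bytes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def date_key(day: dt.date) -> bytes:
    """Key as the loader builds it: the infection date as YYYYMMDD."""
    return day.strftime("%Y%m%d").encode("ascii")


def looks_like_pe(buf: bytes) -> bool:
    """Cheap PE sanity check: MZ stub and e_lfanew pointing at 'PE\\0\\0'."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(buf[0x3C:0x40], "little")
    return buf[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_payload(blob: bytes, first_day: str, last_day: str):
    """Try every date in [first_day, last_day] (ISO dates) as the XOR key and
    return (YYYYMMDD, plaintext) for the first one that yields a PE image,
    or (None, None) if no date in the window works."""
    day = dt.date.fromisoformat(first_day)
    end = dt.date.fromisoformat(last_day)
    while day <= end:
        candidate = xor_with_key(blob, date_key(day))
        if looks_like_pe(candidate):
            return day.strftime("%Y%m%d"), candidate
        day += dt.timedelta(days=1)
    return None, None


def build_sample(yyyymmdd: str) -> bytes:
    """Constructed stand-in for a downloaded payload: a minimal fake PE header
    encrypted with the given date key (this is not a real Bazar payload)."""
    fake_pe = bytearray(b"MZ" + b"\x00" * 0x3A)   # DOS stub up to e_lfanew
    fake_pe += (0x40).to_bytes(4, "little")        # e_lfanew = 0x40
    fake_pe += b"PE\x00\x00" + b"\x00" * 12        # NT signature
    return xor_with_key(bytes(fake_pe), yyyymmdd.encode("ascii"))


if __name__ == "__main__":
    blob = build_sample("20200415")
    print(recover_payload(blob, "2020-03-01", "2020-05-31")[0])
```

Because the key is only eight bytes long, the header check is enough to reject wrong dates: every date in the same year shares the first four key bytes, so the MZ bytes always decode correctly and only the e_lfanew field (key bytes 4 to 7) distinguishes the right day from its neighbours.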
As shown in later stages of this report, the above is a shared mechanism with the obfuscated and packed variant. This loader variant creates a simple autorun key at CurrentVersion\Run, masqueraded as BackUp Mgr.
In the obfuscated and packed version of the loader, an uncommon API call is used to facilitate code injection. The loader uses VirtualAllocExNuma, rather than the far more commonly hooked VirtualAlloc, to allocate new memory and stores the returned base address. The beginning of an obfuscated shellcode is decrypted with RC4 and copied to this address. In addition to the shellcode, an additional PE can be seen in memory.
After the RSA2 key is imported from its key BLOB, the RC4 key is loaded into an RC4 key BLOB. The key bytes are reversed, since the key is handled in little-endian form, and a trailing zero byte is appended; that zero byte is part of the effective key, so decrypting with the unmodified key bytes yields garbage.
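To make the key handling concrete, here is an added Python example (written for this page, not code from the sample or from Cybereason) that applies the described transformation, wraps the result in a CryptoAPI PLAINTEXTKEYBLOB of the kind passed to CryptImportKey, and decrypts with a plain RC4 implementation. The BLOB constants are the documented CryptoAPI values; the key bytes and plaintext are constructed for the example.

```python
import struct

PLAINTEXTKEYBLOB = 0x08      # BLOBHEADER.bType for a raw symmetric key
CUR_BLOB_VERSION = 0x02      # BLOBHEADER.bVersion
CALG_RC4 = 0x00006801        # BLOBHEADER.aiKeyAlg for RC4


def prepare_rc4_key(raw: bytes) -> bytes:
    """Reverse the byte order (the key is handled as little-endian) and append
    the trailing zero byte, which is part of the effective key."""
    return raw[::-1] + b"\x00"


def build_plaintext_keyblob(key: bytes) -> bytes:
    """BLOBHEADER {bType, bVersion, reserved, aiKeyAlg} + DWORD keyLen + key."""
    header = struct.pack("<BBHI", PLAINTEXTKEYBLOB, CUR_BLOB_VERSION, 0, CALG_RC4)
    return header + struct.pack("<I", len(key)) + key


def parse_plaintext_keyblob(blob: bytes) -> bytes:
    """Pull the key bytes back out of a blob recovered from memory."""
    btype, ver, _reserved, alg = struct.unpack_from("<BBHI", blob, 0)
    if btype != PLAINTEXTKEYBLOB or ver != CUR_BLOB_VERSION or alg != CALG_RC4:
        raise ValueError("not an RC4 PLAINTEXTKEYBLOB")
    (klen,) = struct.unpack_from("<I", blob, 8)
    return blob[12:12 + klen]


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); encryption and decryption are the same op."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decrypt_stage(keyblob_from_sample: bytes, ciphertext: bytes) -> bytes:
    """Decrypt a stage using the key exactly as stored in the recovered blob."""
    return rc4(parse_plaintext_keyblob(keyblob_from_sample), ciphertext)


if __name__ == "__main__":
    key = prepare_rc4_key(b"abc")                       # constructed key -> b"cba\x00"
    blob = build_plaintext_keyblob(key)
    print(decrypt_stage(blob, rc4(key, b"stage two")))  # b'stage two'
```

The practical point: when you carve the key out of a memory dump, take it from the blob (already reversed, zero byte included) rather than from the string it was derived from, or the keystream will not match.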
The shellcode copied to the previously allocated memory deobfuscates several essential API calls at runtime, such as LoadLibraryA, GetProcAddress, VirtualAlloc and VirtualProtect, which it then uses to resolve further APIs and allocate memory for running the additional PE.
In general, the PE is highly obfuscated. Dedicated methods resolve additional strings and API calls at runtime, rendering the PE even more difficult to analyze. One such method is responsible for resolving the .bazar domains: it loads an obfuscated string and deobfuscates it using the first character of the domain name as the XOR key for the rest of the string.
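An added Python example (not the loader's code or Cybereason's tooling) of that scheme, plus the check an analyst actually wants: a scanner that sweeps a memory dump for byte runs that decode to a .bazar hostname under it. The scanner assumes strings are at most max_len bytes and that the clear-text key byte is itself a hostname character; the page does not say how the real loader delimits its strings. The dump is constructed around the toexample.bazar domain mentioned later in this writeup.

```python
import string

HOSTNAME_CHARS = set(string.ascii_lowercase + string.digits + ".-")


def obfuscate(domain: str) -> bytes:
    """Constructed inverse, used only to build test data: keep the first
    character in the clear and XOR the rest with it."""
    key = ord(domain[0])
    return bytes([key]) + bytes(ord(c) ^ key for c in domain[1:])


def deobfuscate(buf: bytes) -> str:
    """The loader's scheme: the first byte is the key for the remaining bytes."""
    key = buf[0]
    return chr(key) + "".join(chr(b ^ key) for b in buf[1:])


def find_bazar_strings(blob: bytes, max_len: int = 64):
    """Scan an arbitrary buffer (e.g. a memory dump) for runs that decode to a
    .bazar hostname. Returns (offset, hostname) pairs."""
    hits = []
    for off in range(len(blob)):
        if chr(blob[off]) not in HOSTNAME_CHARS:
            continue  # the clear-text key byte must itself be a hostname character
        for n in range(7, min(max_len, len(blob) - off) + 1):  # "x.bazar" is 7 chars
            s = deobfuscate(blob[off:off + n])
            if s.endswith(".bazar") and set(s) <= HOSTNAME_CHARS:
                hits.append((off, s))
                break
    return hits


# Constructed dump: padding, one obfuscated domain, more padding.
SAMPLE_DUMP = b"\x90" * 8 + obfuscate("toexample.bazar") + b"\xcc" * 8

if __name__ == "__main__":
    print(find_bazar_strings(SAMPLE_DUMP))  # [(8, 'toexample.bazar')]
```

Scanning every offset is cheap for the string-table sizes involved, and the hostname-charset filter drops the false positives that a single-byte XOR would otherwise produce from surrounding code bytes.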
After setting up the scheduled task, the Bazar loader calls RegSetValueExA to write itself under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, so that it is executed on every system logon.
One noticeable feature is the evasive API-hammering technique, which was also seen recently in a new Trickbot variant. Here the loader makes 1550 calls to printf before doing anything of interest: a sandbox that logs every API call is flooded with junk entries, and the real payload's execution is delayed past short analysis windows.
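From the defender's side, the same property makes the technique easy to spot in a trace. The following added Python example (written for this page, not Cybereason's detection logic) parses constructed sandbox trace lines and flags any process that makes an unbroken run of identical calls longer than a threshold; the trace format, the process IDs and the cutoff of 500 are assumptions for the example.

```python
from itertools import groupby


def parse_trace(lines):
    """Parse constructed trace lines of the form 'pid=<n> api=<name>'."""
    calls = []
    for line in lines:
        fields = dict(f.split("=", 1) for f in line.split())
        calls.append((int(fields["pid"]), fields["api"]))
    return calls


def longest_runs(calls):
    """Longest consecutive run of the same API per (pid, api)."""
    runs = {}
    for (pid, api), group in groupby(calls):
        n = sum(1 for _ in group)
        runs[(pid, api)] = max(n, runs.get((pid, api), 0))
    return runs


def flag_api_hammering(lines, threshold=500):
    """Return (pid, api, run_length) for runs at or above the threshold."""
    return [
        (pid, api, n)
        for (pid, api), n in longest_runs(parse_trace(lines)).items()
        if n >= threshold
    ]


# Constructed trace: a loader that hammers printf 1550 times before injecting,
# and an unrelated process that calls printf a few times.
SAMPLE_TRACE = (
    ["pid=4242 api=GetModuleHandleA", "pid=4242 api=GetProcAddress"]
    + ["pid=4242 api=printf"] * 1550
    + ["pid=4242 api=VirtualAllocExNuma", "pid=4242 api=WriteProcessMemory"]
    + ["pid=1337 api=printf"] * 3
)

if __name__ == "__main__":
    print(flag_api_hammering(SAMPLE_TRACE))  # [(4242, 'printf', 1550)]
```

A run-length rule is deliberately crude; its value is that the hammering loop is the first thing in the trace, so the alert fires before the loader reaches the memory-allocation calls that matter.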
Another interesting finding is that the Bazar loader now implements a Domain Generation Algorithm seeded with the current date. For now it appears to be a fallback, since in the live cases we monitored the C2 IP addresses were contacted directly.
The Cybereason Nocturnus team has identified three versions of this backdoor since early April this year. Their modus operandi does not differ drastically; the versions can be distinguished by their mutexes and obfuscation level.
Another interesting aspect of this version is how it uses a local address to fetch the data from the server. Given that this is an early dev version, the author may be using this method for test purposes.
After successfully gathering the data and connecting to the C2 server, the backdoor parses the command received in the HTTP response. Each character of the command is XORed with the next character of the generated MD5 string.
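As an added example of that decoding step (not the backdoor's code or Cybereason's), the Python below reproduces the XOR against the MD5 string and parses the result into a command ID. Three things are assumptions, since this page does not state them: what the MD5 is computed over (a constructed seed is used), that the first command byte pairs with the second key character ("the next char", start=1) and the key wraps after 32 characters, and that a decoded command looks like "<id> <args>".

```python
import hashlib


def md5_key(seed: bytes) -> str:
    """The 32-character hex MD5 string the backdoor generates. What the real
    backdoor hashes is not covered here, so the seed is a stand-in."""
    return hashlib.md5(seed).hexdigest()


def xor_with_md5(data: bytes, md5_string: str, start: int = 1) -> bytes:
    """Byte i of the command is XORed with character (start + i) of the MD5
    string, wrapping at its length. Symmetric, so this also encodes."""
    key = md5_string.encode("ascii")
    return bytes(b ^ key[(start + i) % len(key)] for i, b in enumerate(data))


def parse_command(decoded: bytes):
    """Split a decoded '<id>[ <args>]' command into (id, args)."""
    head, _, args = decoded.partition(b" ")
    return int(head), args


def handle_response(body: bytes, md5_string: str):
    """What the backdoor does with an HTTP response body: decode, then parse."""
    return parse_command(xor_with_md5(body, md5_string))


if __name__ == "__main__":
    key = md5_key(b"constructed-seed")
    body = xor_with_md5(b"1", key)            # constructed "case 1" response
    print(handle_response(body, key))         # (1, b'')
```

When writing a decoder for a real capture, treat the start offset as the first thing to verify: with a 32-character hex key, an off-by-one in the alignment still yields mostly printable output for short commands and is easy to miss.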
The Bazar backdoor can handle quite a few commands. This next section focuses on case 1, which retrieves various pieces of additional information about the infected machine.
The corresponding method to the value 1 is 0x3fab15b0 in this instance. This method collects additional data from the infected machine, such as its public IP address, computer name, and the installed Windows version.
After a machine is infected with Anchor, it uses openNIC resolvers to resolve a Bazar domain such as toexample[dot]bazar. It then sends bot callbacks with the following information to the remote server in the format shown below:
While the URI string has changed from the Trickbot and Anchor variants, the phishing tactics and the use of post-infection reconnaissance commands remain the same. In the Bazar backdoor, the tag (or gtag) used to identify Trickbot campaigns is removed from the C2 URIs; it may have been moved into the HTTP Cookie header.
The decoupling of campaign tag and client machine name from the Bazar C2 server is specific to this backdoor. Because bot communications are often quickly terminated after infections are discovered, removing the campaign and client machine name from URIs results in reduced downtime, lowering the need to re-infect a machine.
In addition, similar phishing email tactics, Google Drive decoy previews, signed malware, and deceptive file icon use were observed in both of these campaigns. We observed reuse of likely compromised domains to host Bazar loaders that previously served Trickbot loaders. For example, the domain ruths-brownies[dot]com was used in a Trickbot campaign in January and hosted Bazar loaders in April 2020.
The Bazar malware has a new command-and-control pattern and botID that differ from Trickbot and Anchor, yet it retains historical indicators of both malware families. Finally, the use of Emercoin (.bazar) domains was observed in Trickbot infections delivering Anchor in December 2019.
In this writeup, we associate the Bazar loader and Bazar backdoor with the threat actors behind Trickbot and with our previous research on Anchor and Trickbot from December 2019. Based on our investigation, Cybereason estimates that the new malware family is the latest sophisticated tool in the Trickbot gang's arsenal, and that so far it has been selectively deployed against a handful of high-value targets.
The Bazar malware is focused on evasion, stealth, and persistence. The malware authors are actively testing a few versions of their malware, trying to obfuscate the code as much as possible, and hiding the final payload while executing it in the context of another process. To further evade detection, the Bazar loader and backdoor use a different network callback scheme from previously seen Trickbot-related malware.
The use of blockchain domains distinguishes the Bazar loader and Bazar backdoor as part of a family of threats that rely on alternate domain name systems such as EmerDNS domains. As we reported in Dropping The Anchor in December 2019, these alternate domain name systems have also been used in Trickbot Anchor campaigns. These systems provide bot infrastructure with protection from censorship and resilience to takedowns, making them invaluable for threat actors.
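Because EmerDNS names never appear in ordinary DNS, they are a clean network detection signal. The added Python example below (written for this page, not Cybereason's detection content) runs two checks over constructed DNS log lines: a query whose top-level label is an EmerDNS zone, and a query sent to a resolver other than the organization's own, which is how an infected host reaches OpenNIC. The log format, the approved resolver address and the 203.0.113.53 resolver are constructed for the example.

```python
# EmerDNS zones served through OpenNIC-style resolvers.
EMERDNS_TLDS = {"bazar", "coin", "emc", "lib"}

# Constructed: the only resolver workstations are allowed to talk to.
APPROVED_RESOLVERS = {"10.0.0.53"}

# Constructed DNS log lines in a simple key=value format.
SAMPLE_DNS_LOG = [
    "ts=2020-04-15T10:01:02Z src=10.1.2.3 resolver=10.0.0.53 qname=www.example.com",
    "ts=2020-04-15T10:01:05Z src=10.1.2.3 resolver=203.0.113.53 qname=toexample.bazar",
    "ts=2020-04-15T10:01:09Z src=10.1.2.7 resolver=10.0.0.53 qname=updates.example.net",
    "ts=2020-04-15T10:02:11Z src=10.1.2.7 resolver=203.0.113.53 qname=cdn.example.org",
]


def parse_line(line: str) -> dict:
    return dict(field.split("=", 1) for field in line.split())


def tld(qname: str) -> str:
    """Right-most label, ignoring a trailing dot and case."""
    return qname.rstrip(".").rsplit(".", 1)[-1].lower()


def flag_queries(lines):
    """Return (src, qname, reasons) for every query that trips a check."""
    alerts = []
    for rec in map(parse_line, lines):
        reasons = []
        if tld(rec["qname"]) in EMERDNS_TLDS:
            reasons.append("emerdns-tld")
        if rec["resolver"] not in APPROVED_RESOLVERS:
            reasons.append("unapproved-resolver")
        if reasons:
            alerts.append((rec["src"], rec["qname"], tuple(reasons)))
    return alerts


if __name__ == "__main__":
    for alert in flag_queries(SAMPLE_DNS_LOG):
        print(alert)
```

The second check matters on its own: a host that sends any query to an outside resolver is bypassing the controls on the corporate one, whether or not the name it asks for is a blockchain domain. Blocking outbound UDP/TCP 53 to anything but the approved resolvers at the egress firewall turns the alert into a prevention.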
Although this malware is still in development stages, Cybereason estimates that its latest improvements and resurfacing can indicate the rise of a new formidable threat once fully ready for production.