Bazar

Malware

⚠️ Overview

Bazar (also known as BazarLoader or BazarBackdoor; the loader and the backdoor it drops are often named separately) is a modular backdoor first observed in April 2020 and attributed to the Russian-speaking cybercriminal group tracked as Wizard Spider, the operators of TrickBot, Ryuk and Conti. It functions as a loader used to establish initial access: once a foothold exists it is used for reconnaissance and to deliver follow-on tooling, most notably Cobalt Strike and the Ryuk and Conti ransomware families.

🔧 Technical Capabilities

Bazar is delivered by phishing. Early campaigns used emails with links to decoy documents hosted on legitimate services (Google Docs, Constant Contact and similar) that led the victim to download an executable; later campaigns used Excel workbooks with obfuscated macros, and from 2021 the operators also used callback phishing ("BazarCall"), in which a phone operator talks the victim through installing the loader. Documented campaigns rely on social engineering rather than Office exploits. The loader fetches the backdoor over HTTPS, and both stages locate their C2 through domains under the .bazar top-level domain, which exists only in Emercoin's blockchain-based EmerDNS and is resolved through OpenNIC/EmerDNS resolvers rather than the public DNS root; a date-seeded domain generation algorithm (DGA) produces further .bazar names when the hardcoded ones fail. Persistence is achieved through scheduled tasks or registry Run keys. Evasion techniques include the obfuscated VBA macros of the maldoc variants, process injection into legitimate processes (a hollowed svchost.exe is the pattern most often reported, explorer.exe also occurs), and anti-analysis checks for virtualisation artefacts and attached debuggers; C2 traffic is TLS-encrypted. Disabling Windows Defender through PowerShell is something the hands-on operators do after the backdoor gives them access, not a function of the loader itself.

📜 History & Notable Incidents

First publicly documented in April 2020, when several vendors published analyses within weeks of each other, Bazar was used throughout 2020 in large phishing campaigns against healthcare, education and government organisations; in October 2020 CISA, the FBI and HHS issued joint advisory AA20-302A warning of TrickBot/BazarLoader-led Ryuk attacks on the Healthcare and Public Health sector. Bazar does not exploit any CVE. The Equation Editor bugs CVE-2017-11882 and CVE-2018-0802 that are sometimes listed alongside it belong to other families' maldocs; Bazar's own documents rely on macros and social engineering. After Microsoft and its partners disrupted TrickBot's infrastructure in October 2020, Bazar, whose C2 does not depend on TrickBot, became the primary initial-access vehicle for Ryuk and then Conti; Conti intrusions of that period, such as the May 2021 attack on the City of Tulsa, Oklahoma, frequently began with a Bazar infection. Bazar activity tailed off in 2022 after the Conti leaks, with the same operators moving to the Bumblebee loader.

🔍 Detection Indicators

File hashes, C2 hostnames and task names for Bazar change from campaign to campaign and should be taken from a current threat-intelligence feed rather than from a static page; the indicators below are structural and persist across variants. The strongest network signal is DNS: Bazar's C2 domains sit under the .bazar TLD, which only EmerDNS serves, so any query for a .bazar name, or any endpoint talking to OpenNIC/EmerDNS resolvers instead of the corporate resolvers, deserves an immediate look. On the host, look for newly created scheduled tasks (names mimicking Windows or Adobe update tasks are common), for values under HKCU\Software\Microsoft\Windows\CurrentVersion\Run that point at a random-named .exe in %APPDATA%, and for process-hollowing patterns such as svchost.exe spawned by a binary running from a user-profile directory. The User-Agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36" has been reported in Bazar traffic, but it is a stock Chrome 70 string that also appears in benign and in other malicious traffic, so treat it as corroboration rather than a detection on its own.
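The DNS indicator above is the one that generalises across Bazar variants, so here is an added example of acting on it: a small triage script, written for this page rather than taken from any vendor or from Boteraser, that walks a DNS query log and flags queries for EmerDNS top-level domains (.bazar, .coin, .emc, .lib) and queries sent to resolvers outside an approved set. The log format, the approved-resolver list and every log line are constructed for the example; 203.0.113.0/24 is a documentation range standing in for an external resolver.

```python
"""Triage DNS query logs for Bazar-style name resolution.

Added example for this page; not code from the original page or from
any vendor. The log format, the approved-resolver set and the sample
lines are assumptions made for the example.
"""
import re

# Assumed (hypothetical) corporate resolvers. Bazar's C2 names live in
# the EmerDNS .bazar zone, which the public DNS root does not serve, so
# an infected host must reach an OpenNIC/EmerDNS resolver, normally by
# querying an outside resolver directly.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Top-level domains served by EmerDNS (blockchain DNS), not by ICANN.
BLOCKCHAIN_TLDS = {"bazar", "coin", "emc", "lib"}

# Constructed sample log: "<timestamp> <client> <resolver> <qname>".
SAMPLE_LOG = """\
2020-10-28T09:01:02Z 10.1.4.21 10.0.0.53 login.microsoftonline.com
2020-10-28T09:01:05Z 10.1.4.21 10.0.0.53 www.example.com
2020-10-28T09:02:10Z 10.1.4.37 203.0.113.5 somehost.bazar
2020-10-28T09:02:11Z 10.1.4.37 203.0.113.5 otherhost.bazar
2020-10-28T09:03:40Z 10.1.4.52 203.0.113.9 www.example.org
2020-10-28T09:04:00Z 10.1.4.21 10.0.0.53 example.bazar
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<resolver>\S+)\s+(?P<qname>\S+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(event):
    """Return (severity, reason) for one query, or None if unremarkable.

    high:   query for an EmerDNS TLD, whatever the resolver. A corporate
            resolver answering .bazar means it forwards to OpenNIC, which
            is itself worth investigating.
    medium: query to a resolver outside the approved set; a Bazar
            infection needs this unless the corporate resolver already
            serves EmerDNS zones.
    """
    tld = event["qname"].rstrip(".").rsplit(".", 1)[-1].lower()
    if tld in BLOCKCHAIN_TLDS:
        return ("high", f"query for EmerDNS TLD .{tld}")
    if event["resolver"] not in APPROVED_RESOLVERS:
        return ("medium", f"query to non-approved resolver {event['resolver']}")
    return None


def triage(log_text):
    """Run classify() over every parseable line; return the findings."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        hit = classify(ev)
        if hit:
            sev, reason = hit
            findings.append({**ev, "severity": sev, "reason": reason})
    return findings


def hosts_by_severity(findings):
    """Map severity -> sorted distinct client IPs: which hosts to pull first."""
    out = {}
    for f in findings:
        out.setdefault(f["severity"], set()).add(f["client"])
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f['severity']:6} {f['client']:<10} {f['qname']:<28} {f['reason']}")
    print(hosts_by_severity(found))
```

On the constructed log the script flags 10.1.4.37 and 10.1.4.21 as high (both asked for .bazar names, one of them through the corporate resolver) and 10.1.4.52 as medium (it bypassed the corporate resolvers for an ordinary name). In production the same two checks map directly onto a resolver log or Sysmon Event ID 22 feed; the medium finding is also the policy violation that the egress restriction in the mitigation section is meant to make impossible.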

☠️ Risk & Impact

Bazar's damage comes from what follows it: reconnaissance, credential theft and lateral movement by hands-on operators, data exfiltration, and deployment of Ryuk or Conti ransomware, often within days of the initial infection. Ransom payments to the TrickBot/Bazar ecosystem run to hundreds of millions of US dollars; Conti alone had collected more than $150 million by the FBI's early-2022 count, before recovery and downtime costs. The City of Tulsa, hit by Conti in May 2021, did not pay a ransom and instead rebuilt its systems. Affected sectors include healthcare (a wave of US hospital attacks in autumn 2020), education and local government. MITRE ATT&CK tracks Bazar as software entry S0534 and maps its C2 to T1071.001 (Application Layer Protocol: Web Protocols).

🛡️ Mitigation

Recommended defences: block macros in Office files that carry the Mark of the Web (the Microsoft default since 2022, enforceable through Group Policy and the Attack Surface Reduction rules) and train users against the decoy-document and callback-phishing lures; restrict outbound DNS so endpoints can reach only the corporate resolvers, and alert on any query for the .bazar TLD or to OpenNIC/EmerDNS resolvers, since Bazar cannot find its C2 without them; deploy endpoint detection rules (for example, Sigma rules for scheduled-task creation and for Run-key persistence into %APPDATA%) and watch for process hollowing; and keep Office patched in general, although Bazar itself does not depend on CVE-2017-11882 or CVE-2018-0802. MITRE ATT&CK tracks Bazar as S0534, not S0340, and ATT&CK does not publish YARA rules; vendor and community YARA signatures for the loader and the backdoor exist and can identify dropped artefacts.
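The host-side indicators in the detection section (scheduled tasks, Run keys pointing at a random-named .exe in %APPDATA%) and the Sigma rules recommended above are served by one added example: two Sigma-style rules expressed as Python dictionaries, a minimal matcher that evaluates them, and a name-entropy enrichment that separates a loader-style persistence entry from a legitimate application living in AppData\Roaming. This is code written for this page, not Boteraser's, not a published Sigma rule, and not a Bazar IOC. The matcher implements only a small subset of Sigma (field equality plus the |contains, |endswith and |startswith modifiers, and the conditions `selection` and `selection and not filter`); the field names follow Sysmon's and the events are constructed.

```python
"""Evaluate two Sigma-style host rules against constructed Sysmon events.

Added example for this page; not the page's own code, not a published
Sigma rule, not a Bazar IOC. Rules, field names and events are assumptions.
"""
import re

# Rule 1: schtasks.exe /create launched from a user-profile binary.
RULE_SCHTASKS = {
    "title": "Scheduled task created from a user-profile process",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {"Image|endswith": "\\schtasks.exe",
                      "CommandLine|contains": "/create"},
        # Windows components create tasks all day; drop those.
        "filter": {"ParentImage|startswith": "C:\\Windows\\"},
        "condition": "selection and not filter",
    },
    "level": "medium",
}

# Rule 2: Run-key value pointing into %APPDATA% (AppData\Roaming).
RULE_RUNKEY = {
    "title": "Run key persistence into AppData\\Roaming",
    "logsource": {"product": "windows", "category": "registry_set"},
    "detection": {
        "selection": {
            "TargetObject|contains": "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
            "Details|contains": "\\AppData\\Roaming\\"},
        "condition": "selection",
    },
    "level": "medium",
}

MODIFIERS = {"contains": lambda v, p: p in v,
             "endswith": lambda v, p: v.endswith(p),
             "startswith": lambda v, p: v.startswith(p),
             "": lambda v, p: v == p}


def field_matches(event, key, pattern):
    """One 'Field|modifier: pattern' entry; Sigma matching is case-insensitive."""
    field, _, mod = key.partition("|")
    value = event.get(field)
    if value is None:
        return False
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(MODIFIERS[mod](str(value).lower(), str(p).lower()) for p in patterns)


def block_matches(event, block):
    """All entries of a selection/filter block must match (AND)."""
    return all(field_matches(event, k, p) for k, p in block.items())


def rule_matches(rule, event):
    """Apply one rule to one event; only the two conditions above are supported."""
    if rule["logsource"]["category"] != event.get("category"):
        return False
    det = rule["detection"]
    sel = block_matches(event, det["selection"])
    if det["condition"] == "selection":
        return sel
    if det["condition"] == "selection and not filter":
        return sel and not block_matches(event, det["filter"])
    raise ValueError(f"unsupported condition: {det['condition']}")


def exe_basename(text):
    """Name (without .exe) of the last *.exe path mentioned in text, or None."""
    names = re.findall(r'([^\\/"\s]+)\.exe', text, re.IGNORECASE)
    return names[-1] if names else None


def looks_random(name):
    """Crude heuristic for the random-looking names Bazar uses: 8+ characters
    that either mix letters and digits or are nearly vowel-free."""
    n = name.lower()
    if len(n) < 8:
        return False
    letters = sum(c.isalpha() for c in n)
    digits = sum(c.isdigit() for c in n)
    vowels = sum(c in "aeiou" for c in n)
    return (letters > 0 and digits > 0) or vowels / len(n) < 0.2


def evaluate(rules, events):
    """Run every rule over every event; raise the level to high when the
    binary the event refers to has a random-looking name."""
    findings = []
    for ev in events:
        for rule in rules:
            if not rule_matches(rule, ev):
                continue
            exe = exe_basename(ev.get("Details") or ev.get("CommandLine", ""))
            level = "high" if exe and looks_random(exe) else rule["level"]
            findings.append({"rule": rule["title"], "level": level, "exe": exe})
    return findings


# Constructed Sysmon-style events (not real telemetry).
SAMPLE_EVENTS = [
    {"category": "process_creation",  # benign: OS-created task
     "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": "schtasks.exe /create /tn Reboot /xml C:\\Windows\\Temp\\task.xml",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe"},
    {"category": "process_creation",  # loader-style persistence via task
     "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": "schtasks.exe /create /sc minute /mo 15 /tn Update "
                    "/tr C:\\Users\\jdoe\\AppData\\Roaming\\k3jx9qzt.exe",
     "ParentImage": "C:\\Users\\jdoe\\AppData\\Roaming\\k3jx9qzt.exe"},
    {"category": "registry_set",  # loader-style persistence via Run key
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Update",
     "Details": "C:\\Users\\jdoe\\AppData\\Roaming\\k3jx9qzt.exe"},
    {"category": "registry_set",  # legitimate application installed in Roaming
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Zoom",
     "Details": "\"C:\\Users\\jdoe\\AppData\\Roaming\\Zoom\\bin\\Zoom.exe\" --background"},
]

if __name__ == "__main__":
    for f in evaluate([RULE_SCHTASKS, RULE_RUNKEY], SAMPLE_EVENTS):
        print(f"{f['level']:6} {str(f['exe']):12} {f['rule']}")
```

The OS-created task is dropped by the filter, the two `k3jx9qzt.exe` entries come out as high, and the Zoom Run key, which the raw rule also matches, stays at medium because its name reads like a product. That last case is the reason to pair the Run-key rule with an enrichment rather than alerting on every AppData\Roaming path: plenty of legitimate software installs there, and the per-user, random-named binary is what distinguishes a loader.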


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.