BazarBackdoor
Backdoor
⚠️ Overview
BazarBackdoor is a sophisticated backdoor malware first observed in April 2020 by Cisco Talos, operated by the threat group tracked as UNC1878 (also known as Wizard Spider or the developers of Conti ransomware and TrickBot). It functions as an initial access loader and remote access trojan (RAT), used primarily to deploy secondary payloads such as Ryuk and Conti ransomware, and is categorized under the BazaLoader malware family.
🔧 Technical Capabilities
BazarBackdoor propagates via phishing campaigns using BazaCall, a technique in which victims receive phone calls convincing them to visit malicious URLs and download a macro-laden Excel file from SharePoint. It communicates with its C2 infrastructure over HTTPS using encrypted JSON-based messages, and employs a DGA (Domain Generation Algorithm) for resilience. Persistence is achieved through Windows scheduled tasks and Run keys (HKCU\Software\Microsoft\Windows\CurrentVersion\Run). Evasion includes sandbox detection via VM artifacts, process injection into legitimate processes such as explorer.exe, and use of RC4 encryption for payloads. It can enumerate domain controllers, deploy Cobalt Strike beacons, and execute arbitrary shellcode. MITRE ATT&CK techniques include T1059.003 (Windows Command Shell), T1047 (WMI), and T1105 (Ingress Tool Transfer).
📜 History & Notable Incidents
First identified in early 2020, BazarBackdoor gained prominence in the Ryuk ransomware campaigns of 2020-2021, notably impacting the Universal Health Services healthcare system in September 2020. A major incident involved the BazarCall campaign (2021) targeting manufacturing, healthcare, and energy sectors globally. In June 2021, Advanced Intel reported BazarBackdoor’s use in Conti ransomware attacks exploiting a ProxyLogon vulnerability (CVE-2021-26855). No law enforcement takedown has occurred, but Microsoft disrupted BazarLoader infrastructure in December 2021.
🔍 Detection Indicators
Known file hashes include SHA256: 1c9e6b6f...7a8d (from VirusTotal submissions). Behavioral signatures include DGA lookups to domains like *.bazar-domain[.]com and HTTPS traffic to ports 443/8443 with user-agent strings Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36. Network IOCs often involve IP addresses hosted on bulletproof hosting providers. Registry keys include HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bazar and mutex names like Global\BazaLoaderMutex.
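As an added example (not part of the original profile), the following Python scans constructed JSON-lines telemetry for the indicators listed above: the Run\Bazar persistence key under either hive, the Global\BazaLoaderMutex mutex, lookups under bazar-domain.com, and HTTPS beacons on ports 443/8443 carrying the quoted user agent. The event schema and sample events are assumptions, and the truncated hash is left out because the page gives only a fragment.

```python
import json
import re

# Indicators from the profile; the page's defanged "[.]" is restored to a dot.
RUN_KEY_RE = re.compile(
    r"^HK(LM|CU)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Bazar$", re.IGNORECASE)
MUTEX_NAME = r"Global\BazaLoaderMutex"
DGA_DOMAIN_RE = re.compile(r"(^|\.)bazar-domain\.com$", re.IGNORECASE)
C2_PORTS = {443, 8443}
C2_UA_PREFIX = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"


def classify(event: dict) -> list:
    """Return the indicator labels an event matches (empty list if none)."""
    hits = []
    kind = event.get("type")
    if kind == "registry" and RUN_KEY_RE.match(event.get("key", "")):
        hits.append("persistence:run_key_bazar")
    elif kind == "mutex" and event.get("name") == MUTEX_NAME:
        hits.append("artifact:bazaloader_mutex")
    elif kind == "dns" and DGA_DOMAIN_RE.search(event.get("query", "")):
        hits.append("c2:dga_domain")
    elif kind == "http":
        # The user agent is a common Chrome prefix, so it is only flagged
        # together with one of the C2 ports named on the page.
        ua = event.get("user_agent", "")
        if event.get("dst_port") in C2_PORTS and ua.startswith(C2_UA_PREFIX):
            hits.append("c2:https_beacon_ua")
    return hits


def scan(lines):
    """Parse JSON-lines telemetry and return (host, label) pairs for every hit."""
    findings = []
    for line in lines:
        event = json.loads(line)
        for label in classify(event):
            findings.append((event.get("host"), label))
    return findings


# Constructed sample telemetry (assumed schema: one JSON object per line).
SAMPLE_EVENTS = [
    r'{"host": "ws01", "type": "registry", "key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Bazar"}',
    r'{"host": "ws01", "type": "mutex", "name": "Global\\BazaLoaderMutex"}',
    r'{"host": "ws01", "type": "dns", "query": "k2x9q.bazar-domain.com"}',
    r'{"host": "ws01", "type": "http", "dst_port": 8443, "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)"}',
    r'{"host": "ws02", "type": "dns", "query": "update.notbazar-domain.com"}',
    r'{"host": "ws02", "type": "http", "dst_port": 80, "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"}',
]
```

Running scan(SAMPLE_EVENTS) yields four findings, all on ws01; the two ws02 events are deliberately near-misses that the rules must not flag.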
☠️ Risk & Impact
BazarBackdoor enables data exfiltration of sensitive documents (e.g., financial records, personal health information) and facilitates ransomware deployment causing millions in losses; the Universal Health Services incident alone cost over $67 million in recovery. It primarily targets healthcare, manufacturing, and energy sectors (CISA alerts from 2021).
🛡️ Mitigation
Defenders should enforce macro-blocking via group policy, deploy EDR/AVR with signatures for BazarBackdoor IOCs (e.g., Cisco Talos rules), patch against CVE-2021-26855 and other vulnerabilities, and implement network segmentation and multifactor authentication to limit lateral movement. CISA’s AA21-291A advisory provides detailed detection rules.