Knock, Knock: BazarBackdoor Malware
Executive Summary
First observed in 2020, BazarLoader (also known as BazarBackdoor) is a backdoor/loader attributed to the operators behind the TrickBot Trojan. It typically arrives through spam and spear-phishing campaigns and gives the attacker backdoor access to the victim's system. Criminals then use that backdoor to deliver follow-up malware for further exploitation, including, but not limited to, data exfiltration, website defacement and maintaining persistence.
Since 2020, BazarLoader has grown in popularity as a downloader used by the well-known ransomware family Ryuk, which was linked to roughly a third of all ransomware attacks in 2020.
According to Cyware:
“The malware is named BazarLoader since it uses Blockchain-DNS and Bazar domains for communicating with the controllers. More often, the names Baza or BazarLoader are used interchangeably to recognize this malware family.”
Network Analysis
This malware, along with indicators of TrickBot, shows up in the Malware-Traffic-Analysis.net exercise ANGRYPOUTINE. The host network information for the exercise, as provided on the exercise page, is reproduced below.
LAN segment data
LAN segment range: 10.9.10.0/24 (10.9.10.0 through 10.9.10.255)
Domain: angrypoutine.com
Domain controller: 10.9.10.9 — ANGRYPOUTINE-DC
LAN segment gateway: 10.9.10.1
LAN segment broadcast address: 10.9.10.255
Investigation
Generally, IDS/IPS alerts are provided with the packet capture analysis exercises, but none were provided for this one. That is fine; the capture itself gives us enough to work with.
In Wireshark, the first thing to do, especially when there are no alerts, is to view the Protocol Hierarchy (Statistics > Protocol Hierarchy) for a high-level overview of what was captured. As shown in Figure 1.1 below, 30.3% of the TCP data captured is HTTP web traffic. That gives us something to start from.
To filter the traffic down to HTTP, either right-click Hypertext Transfer Protocol in the Protocol Hierarchy window, click Selected and then Close, or simply type http into the display filter box and press Enter, as shown in Figure 1.2 below.
The third packet, at 23:17:27 UTC, raises an eyebrow. It shows a GET request to the host simpsonsavingss[.]com. Wireshark lists TCP port 58131 on this conversation; note that 58131 falls in the client's ephemeral source-port range (Windows allocates from 49152 through 65535), so it is almost certainly the victim's side of the connection rather than a non-standard web port on the server, and the port to judge is the destination port in the server's column. The misspelled, look-alike domain name is the stronger indicator here. Let's check it out on VirusTotal.
Seven scanning engines detected the URL as malicious. It’s a start.
Also necessary is who is communicating with whom. This host's (destination) IP address, according to Wireshark, is 194[.]62.42.206. The victim's (source) IP address is 10[.]9.10.102, which falls within the LAN segment range given above.
Let’s check out the GET request, for more details.
Shown in red text (the client request), the file path is essentially a string of random letters ending in the filename date1. Shown in blue text (the server response) is a status code of 200 (OK, meaning the request succeeded) and a Windows executable in the body. We can export this file (File > Export Objects > HTTP) and run it against the scanning engines. In the HTTP Export Objects list, the actual filename is "date1?BNLv65=pAAS".
One scanning engine detected the file as malicious. Low detection counts are common for a freshly packed loader, so a single hit is worth following up rather than dismissing. The file's SHA-256 hash is b77cf793c9f33e9c848ba1b41388f62e7737087a9c20faec3e5aecedb402dc94.
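The export-and-hash step above, as an added Python example that is not part of the original write-up or of the Malware-Traffic-Analysis.net exercise. It carves the body out of a raw HTTP response (as it appears in Wireshark's Follow TCP Stream), checks for a Windows PE header at the expected offsets and computes the SHA-256 that VirusTotal is queried with. The response below is a constructed stand-in with a tiny fake PE body, not the real simpsonsavingss[.]com response, and its header values are assumed.

```python
"""Carve and hash an executable from a captured HTTP response.

Added example, not code from the original write-up or the exercise. The
response bytes are a constructed stand-in (header values assumed) so the
script runs offline; a real run would feed it the bytes exported from
Wireshark (File > Export Objects > HTTP, or Follow TCP Stream).
"""
import hashlib
import struct

# Minimal fake PE image: 'MZ' magic, e_lfanew at offset 0x3C pointing to
# a 'PE\0\0' signature at offset 0x80. Enough for the header check below.
FAKE_PE = (
    b"MZ" + b"\x00" * 58
    + struct.pack("<I", 0x80)          # e_lfanew -> 0x80
    + b"\x00" * (0x80 - 64)
    + b"PE\x00\x00" + b"\x00" * 20
)

# Constructed stand-in for the server response seen in the capture.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: " + str(len(FAKE_PE)).encode() + b"\r\n"
    b"\r\n"
    + FAKE_PE
)


def split_http_response(raw):
    """Return (status_code, headers, body) for a raw HTTP/1.x response.

    Header names are lower-cased; the body is cut to Content-Length when
    the server sent one, otherwise everything after the blank line is used.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker found")
    lines = head.split(b"\r\n")
    status = int(lines[0].split(b" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    if "content-length" in headers:
        body = body[: int(headers["content-length"])]
    return status, headers, body


def looks_like_pe(data):
    """True if data starts with 'MZ' and carries 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def carve_download(raw):
    """Summarise a captured response: status, declared type, PE check, hash."""
    status, headers, body = split_http_response(raw)
    return {
        "status": status,
        "content_type": headers.get("content-type", ""),
        "size": len(body),
        "is_pe": looks_like_pe(body),
        "sha256": hashlib.sha256(body).hexdigest(),
    }


if __name__ == "__main__":
    info = carve_download(SAMPLE_RESPONSE)
    for key, value in info.items():
        print(f"{key:>13}: {value}")
    # A PE body served under a non-executable Content-Type (text/html,
    # image/*) is itself worth flagging; the hash is what goes to VirusTotal.
```

The `is_pe` check is deliberately cheap: it only confirms the MZ stub and the PE signature, which is enough to decide that a "document" download is really an executable before spending time on a full PE parse.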
Let’s also run the host’s IP address, 194[.]62.42.206, against the scanning engines, as well.
Again, the scan flags the IP address as malicious and suspicious, and the simpsonsavingss[.]com domain appears once more, associated with the IP address.
In the VirusTotal results, the Community tab has an external link to a Pastebin post, along with a hashtag for BazarLoader.
Developed by the same threat actors behind TrickBot, BazarLoader is a malicious program classified as a backdoor/loader Trojan. … This software can inject systems with different types of Trojans, ransomware, cryptominers and other malware. BazarLoader has been noted infecting affected devices with RYUK ransomware.
So far, the victim host appears to have installed a backdoor by downloading a file from a malicious or compromised website. Based on what we know of BazarLoader, this fits.
As far as HTTP traffic is concerned, that was the only suspicious data. Let’s go back to the Protocol Hierarchy, and see what else looks interesting.
There is a noticeable amount of Transport Layer Security (TLS) traffic. Attackers routinely use encrypted protocols for their command-and-control connections. Even without the session keys needed to decrypt the payload, the handshake metadata (peer IPs and ports, the server certificate in TLS 1.2 and earlier, the SNI) is sent in the clear, so we can still look for indicators of attack there.
Looking through the TLS traffic, the connection to 167[.]172.37.9 carries an interesting self-signed TLS certificate, as shown in Figure 1.10 below. Wireshark lists TCP port 58132 on it; as with the HTTP request, that is the client's ephemeral source port (the very next one after 58131, which suggests the same host opened this connection right after the download), not a non-standard port on the server.
The Common Name is londonareloeli[.]uk. Again, the nonsensical spelling seems odd for certificate data. Let's see what turns up on Google.
Only two search results were returned, but both give it a suspicious reputation on what appear to be certificate-analysis websites.
The analysis above shows the alert "SSL certificate validation failed with (unable to get local issuer certificate)". That message is exactly what any self-signed certificate produces, so on its own it is not evidence of malice; it is the combination of the self-signed certificate, the look-alike name and the flagged IP address that makes this connection suspicious.
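What the certificate view in Figure 1.10 shows can also be pulled out of a capture programmatically. The Python below is an added example, not from the original write-up or the exercise: it parses a TLS 1.2 Certificate handshake record, walks the DER of the leaf certificate to read the issuer and subject Common Names, and flags the connection when they match. The record and certificate are constructed stand-ins (a stripped-down DER holding only two Names, not a real X.509 certificate) so it runs offline; londonareloeli[.]uk is the name from the capture, the other names are assumed. Two caveats the comments repeat: equal CNs is a triage heuristic rather than a signature check, and TLS 1.3 encrypts the Certificate message, so this only applies to TLS 1.2 and earlier handshakes.

```python
"""Flag self-signed certificates in TLS 1.2 Certificate handshake records.

Added example, not from the original write-up or the exercise. The record
and certificate below are constructed stand-ins so the script runs offline.
"""

OID_COMMON_NAME = b"\x06\x03\x55\x04\x03"   # id-at-commonName, 2.5.4.3


def der(tag, content):
    """Encode one DER TLV (used only to build the sample certificate)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content


def fake_name(cn):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, holding just a CN."""
    return der(0x30, der(0x31, der(0x30, OID_COMMON_NAME + der(0x0C, cn.encode()))))


def fake_cert(issuer_cn, subject_cn):
    """Stand-in certificate: a SEQUENCE with only issuer then subject Names
    (a real one also carries version, serial, validity, key, extensions)."""
    return der(0x30, der(0x30, fake_name(issuer_cn) + fake_name(subject_cn)))


def tls_certificate_record(certs):
    """Wrap DER certificates in a TLS 1.2 Certificate handshake record."""
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    body = len(entries).to_bytes(3, "big") + entries
    handshake = b"\x0b" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + len(handshake).to_bytes(2, "big") + handshake


def certs_from_tls_record(record):
    """Return the DER certificates in one TLS 1.2 Certificate record.

    Layout: content type 0x16, version (2), length (2); handshake type 11,
    length (3); certificate_list length (3); then length (3) + DER per cert.
    A message split across records, or a TLS 1.3 session (Certificate is
    encrypted there), is out of scope for this parser.
    """
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    handshake = record[5:5 + int.from_bytes(record[3:5], "big")]
    if handshake[0] != 0x0B:
        raise ValueError("not a Certificate handshake message")
    body = handshake[4:4 + int.from_bytes(handshake[1:4], "big")]
    end, pos, certs = 3 + int.from_bytes(body[0:3], "big"), 3, []
    while pos < end:
        clen = int.from_bytes(body[pos:pos + 3], "big")
        certs.append(body[pos + 3:pos + 3 + clen])
        pos += 3 + clen
    return certs


def der_walk(buf, start=0):
    """Yield (tag, value) for each DER TLV in buf[start:], long lengths included."""
    pos = start
    while pos < len(buf):
        tag, length = buf[pos], buf[pos + 1]
        pos += 2
        if length & 0x80:
            nbytes = length & 0x7F
            length = int.from_bytes(buf[pos:pos + nbytes], "big")
            pos += nbytes
        yield tag, buf[pos:pos + length]
        pos += length


def common_names(cert_der):
    """Collect CN strings in document order; in a certificate the issuer Name
    precedes the subject Name, so index 0 is the issuer CN."""
    found = []
    for tag, value in der_walk(cert_der):
        if not tag & 0x20:                      # primitive: nothing to descend
            continue
        if value.startswith(OID_COMMON_NAME):   # AttributeTypeAndValue {CN, v}
            _, cn = next(der_walk(value, len(OID_COMMON_NAME)))
            found.append(cn.decode("utf-8", "replace"))
        else:
            found.extend(common_names(value))
    return found


def triage_record(record):
    """Issuer/subject CN of the leaf certificate plus a self-signed flag.
    Equal CNs is a triage heuristic only; a real self-signed check compares
    the full DNs and verifies the signature with the certificate's own key."""
    cns = common_names(certs_from_tls_record(record)[0])
    issuer_cn = cns[0] if cns else ""
    subject_cn = cns[1] if len(cns) > 1 else ""
    return {"issuer_cn": issuer_cn, "subject_cn": subject_cn,
            "self_signed": bool(cns) and issuer_cn == subject_cn}


# Constructed stand-ins: the CN from the capture, and a CA-issued-looking one.
SUSPECT_RECORD = tls_certificate_record([fake_cert("londonareloeli.uk", "londonareloeli.uk")])
BENIGN_RECORD = tls_certificate_record([fake_cert("R3", "example.com")])

if __name__ == "__main__":
    for label, rec in (("suspect", SUSPECT_RECORD), ("benign", BENIGN_RECORD)):
        print(label, triage_record(rec))
```

In practice you would feed `certs_from_tls_record` the bytes of the server's Certificate record (Wireshark filter `tls.handshake.type == 11`) and run `triage_record` over every TLS server in the capture, then look at the self-signed ones first.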
Let’s search the IP address, 167[.]172.37.9, on VirusTotal.
Two scanning engines detected this IP address as malicious.
Conclusion
Based on these findings and research into the key indicators, this looks like a TrickBot operation that used BazarLoader to establish a command and control (C2) channel: an HTTP download of a Windows executable from simpsonsavingss[.]com (194[.]62.42.206), followed by TLS traffic to 167[.]172.37.9 under a self-signed certificate.
To mitigate the risk of BazarBackdoor compromise, organizations should focus on anti-phishing controls (including regular user awareness training), reliable and up-to-date anti-malware software, and email gateways that block spam. On the network side, the indicators seen above, an executable fetched from a look-alike domain and TLS sessions to unfamiliar IP addresses using self-signed certificates, are worth alerting on.