<!doctype html><!--[if lt IE 7]> <html class="no-js lt-ie9 lt-ie8 lt-ie7" lang="en" > <![endif]--><!--[if IE 7]> <html class="no-js lt-ie9 lt-ie8" lang="en" > <![endif]--><!--[if IE 8]> <html class="no-js lt-ie9" lang="en" > <![endif]--><!--[if gt IE 8]><!--><html class="no-js" lang="en"><!--<![endif]--><head> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"> <meta name="author" content="Cybereason Nocturnus"> <meta name="description" content="Learn how the Bazar malware is sent via phishing emails that take advantage of the ongoing coronavirus pandemic, employee payroll reports, and customer complaints."> <meta name="generator" content="HubSpot"> <title>A Bazar of Tricks: Following Team9’s Development Cycles</title> <link rel="shortcut icon" href="https://www.cybereason.com/hubfs/cr-favicon-1.png"> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta property="og:description" content="Learn how the Bazar malware is sent via phishing emails that take advantage of the ongoing coronavirus pandemic, employee payroll reports, and customer complaints."> <meta property="og:title" content="A Bazar of Tricks: Following Team9’s Development Cycles"> <meta name="twitter:description" content="Learn how the Bazar malware is sent via phishing emails that take advantage of the ongoing coronavirus pandemic, employee payroll reports, and customer complaints."> <meta name="twitter:title" content="A Bazar of Tricks: Following Team9’s Development Cycles"> <style> a.cta_button{-moz-box-sizing:content-box !important;-webkit-box-sizing:content-box !important;box-sizing:content-box !important;vertical-align:middle}.hs-breadcrumb-menu{list-style-type:none;margin:0px 0px 0px 0px;padding:0px 0px 0px 0px}.hs-breadcrumb-menu-item{float:left;padding:10px 0px 10px 10px}.hs-breadcrumb-menu-divider:before{content:'›';padding-left:10px}.hs-featured-image-link{border:0}.hs-featured-image{float:right;margin:0 0 20px 20px;max-width:50%}@media 
(max-width: 568px){.hs-featured-image{float:none;margin:0;width:100%;max-width:100%}}.hs-screen-reader-text{clip:rect(1px, 1px, 1px, 1px);height:1px;overflow:hidden;position:absolute !important;width:1px} </style> <link rel="stylesheet" href="https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/module_assets/41681847227/1644941386203/module_41681847227_CR_-_Malicious_Life_Network_--_Tier_One_Header.min.css"> <link rel="stylesheet" href="https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/module_assets/41682410610/1644941443237/module_41682410610_CR_-_Malicious_Life_Network_--_Main_Hero.min.css"> <link rel="stylesheet" href="https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/module_assets/43300360745/1724042214535/module_43300360745_CR_-_Malicious_Life_Network_--_Related_Posts.min.css"> <link rel="stylesheet" href="https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/module_assets/1669911113479/module_86933076631_CR_-_Sticky_CTA_Bar.css"> <link rel="stylesheet" href="https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/module_assets/34473990280/1704383554067/module_34473990280_CR_-_Footer_Full__en_US.min.css"> <!-- Added by GoogleTagManager integration --> <script> var _hsp = window._hsp = window._hsp || []; window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} var useGoogleConsentModeV2 = true; var waitForUpdateMillis = 1000; var hsLoadGtm = function loadGtm() { if(window._hsGtmLoadOnce) { return; } if (useGoogleConsentModeV2) { gtag('set','developer_id.dZTQ1Zm',true); gtag('consent', 'default', { 'ad_storage': 'denied', 'analytics_storage': 'denied', 'ad_user_data': 'denied', 'ad_personalization': 'denied', 'wait_for_update': waitForUpdateMillis }); _hsp.push(['useGoogleConsentModeV2']) } (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src= 
'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f); })(window,document,'script','dataLayer','GTM-TJVVB7C'); window._hsGtmLoadOnce = true; }; _hsp.push(['addPrivacyConsentListener', function(consent){ if(consent.allowed || (consent.categories && consent.categories.analytics)){ hsLoadGtm(); } }]); </script> <!-- /Added by GoogleTagManager integration --> <script src="https://use.typekit.net/vyv2ljd.js"></script> <script>try{Typekit.load({ async: false });}catch(e){}</script> <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js"></script> <link rel="preload" href="/hubfs/__dam/fonts/ionicons.eot" as="font" type="font/otf" crossorigin> <link rel="preload" href="/hubfs/dam/fonts/criteria/Criteria-CF-Regular.woff2" as="font" type="font/woff2" crossorigin> <link rel="preload" href="/hubfs/dam/fonts/criteria/Criteria-CF-Medium.woff2" as="font" type="font/woff2" crossorigin> <link rel="preload" href="/hubfs/dam/fonts/peristyle/Peristyle-Black.woff2" as="font" type="font/woff2" crossorigin> <link rel="amphtml" href="https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles?hs_amp=true"> <meta property="og:image" content="https://www.cybereason.com/hubfs/bazar-of-tricks-blog-image.png"> <meta property="og:image:width" content="1767"> <meta property="og:image:height" content="777"> <meta name="twitter:image" content="https://www.cybereason.com/hubfs/bazar-of-tricks-blog-image.png"> <meta property="og:url" content="https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles"> <meta name="twitter:card" content="summary_large_image"> <meta name="twitter:creator" content="@cr_nocturnus"> <link rel="canonical" href="https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles"> <meta property="og:type" content="article"> <link rel="alternate" type="application/rss+xml" href="https://www.cybereason.com/blog/rss.xml"> <meta 
name="twitter:domain" content="www.cybereason.com"> <script src="//platform.linkedin.com/in.js" type="text/javascript"> lang: en_US </script> <meta http-equiv="content-language" content="en"> <link rel="stylesheet" href="//7052064.fs1.hubspotusercontent-na1.net/hub/7052064/hub_generated/template_assets/1732054426091/hubspot/hubspot_default/shared/responsive/layout.min.css"> <link rel="stylesheet" href="https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/template_assets/34470223313/1696396395659/__CR_Web_Platform/CSS/cr-master__cta.min.css"> <link rel="stylesheet" href="https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/template_assets/34470477360/1710134689941/__CR_Web_Platform/CSS/cr-master__main.min.css"> <link rel="stylesheet" href="https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/template_assets/35275979682/1642096258129/__CR_Web_Platform/CSS/ionicons.min.css"> <link rel="stylesheet" href="https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/template_assets/42760289143/1724041950600/__CR_Web_Platform/CSS/cr-mln__build.min.css"> <link rel="stylesheet" href="https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/template_assets/34470224480/1635957556830/__CR_Web_Platform/CSS/bulma/cr-framework__bulma-columns.min.css"> <link rel="stylesheet" href="https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/template_assets/35291999472/1696396871390/__CR_Web_Platform/CSS/bulma/cr-framework__bulma.min.css"> <link rel="stylesheet" href="https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/template_assets/42363645447/1635957556555/__CR_Web_Platform/CSS/hamburger-animation.min.css"> <link rel="stylesheet" href="https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/template_assets/42507091846/1635957557027/__CR_Web_Platform/CSS/animate.min.css"> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css"> <link rel="preconnect" href="https://fonts.googleapis.com"> <link 
rel="preconnect" href="https://fonts.gstatic.com" crossorigin> <link href="https://fonts.googleapis.com/css2?family=Inter:wght@100;200;300;400;500;600;700;800;900&display=swap" rel="stylesheet"> <script src="/hubfs/dam/plugins/marker-animation.js"></script> <script> $(document).ready(function() { $('.highlight').markerAnimation({ "color":'var(--cr-yellow)', "font_weight":'normal', "background-size": '200% 1.2em' }); }); </script> <style> .cr-mln__blog-post .container-is-blog.cr-mln__blog-post--body .column:nth-of-type(2) img { background: #FFFFFF; border: 1px solid #CCCCCC; border-radius: 5px 5px 5px 5px; padding: 10px; } </style> </head> <body class=" hs-content-id-32111010251 hs-blog-post hs-blog-id-5272851739" style=""> <!-- Added by GoogleTagManager integration --> <noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-TJVVB7C" height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript> <!-- /Added by GoogleTagManager integration --> <div class="header-container-wrapper"> <div class="header-container container-fluid"> <div class="row-fluid-wrapper row-depth-1 row-number-1 "> <div class="row-fluid "> <div class="span12 widget-span widget-type-custom_widget " style="" data-widget-type="custom_widget" data-x="0" data-w="12"> <div id="hs_cos_wrapper_module_1615433790649568" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_module" style="" data-hs-cos-general-type="widget" data-hs-cos-type="module"><section id="cr-malicious-life-network__tier-one-header" class="position-flex"> <div class="#"> <div id="logo"><a href="https://www.cybereason.com"><img src="https://www.cybereason.com/hubfs/dam/images/images-web/logos/cr-brand/cr-logo-inline--primary-black.png"></a></div> <div id="back-to"> <a href="https://www.cybereason.com">Back to <span>Cybereason.com</span></a> </div> <!-- Hamburger Menu --> <button class="hamburger hamburger--collapse" type="button"> <span class="hamburger-box"> <span 
class="hamburger-inner"></span> </span> </button> <div class="cr-mln__hamburger-menu--overlay"> <ul> <li><a href="https://www.cybereason.com/blog/all"><span class="underline">All Posts</span></a></li> <li><a href="/blog/category/research"><span class="underline">Research</span></a></li> <li><a href="/blog/category/podcasts"><span class="underline">Podcasts</span></a></li> <li><a href="/blog/category/webinars"><span class="underline">Webinars</span></a></li> <li><a href="/blog/category/resources"><span class="underline">Resources</span></a></li> <li><a href="/blog/category/videos"><span class="underline">Videos</span></a></li> <li><a href="/blog/category/news"><span class="underline">News</span></a></li> </ul> <div class="subscribe"> <a href="#blog-subscribe">Subscribe</a> </div> </div> <!-- --> </div> </section></div> </div><!--end widget-span --> </div><!--end row--> </div><!--end row-wrapper --> <div class="row-fluid-wrapper row-depth-1 row-number-2 "> <div class="row-fluid "> <div class="span12 widget-span widget-type-custom_widget mln-homepage" style="" data-widget-type="custom_widget" data-x="0" data-w="12"> <div id="hs_cos_wrapper_module_1615433785464566" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_module" style="" data-hs-cos-general-type="widget" data-hs-cos-type="module"><section class="cr-malicious-life-network__hero-main base"> <div class="container-is-blog columns hero-content page-center"> <div class="column is-5-fullhd is-5-desktop is-12-touch"> <a href="/blog"><img class="cr-mln-logo" src="https://www.cybereason.com/hubfs/dam/images/images-web/logos/cr-brand/cr-malicious-life-logo-v2.png"></a> </div> <div class="column is-7-fullhd is-7-desktop is-hidden-mobile is-hidden-tablet-only"> <div class="cr-mln__search-subscribe"> <div class="cr-mln__search"> <a href="#cr-search-modal" class="search-btn"><img src="https://www.cybereason.com/hubfs/dam/images/images-web/blog-images/template-images/cr-blog-icon--search-dark-gray.png" 
alt="Search"></a> </div> <div class="cr-mln__subscribe"> <a class="btn-subscribe" href="#blog-subscribe">Subscribe</a> </div> </div> <div class="cr-mln__category-nav"> <ul> <li><a href="/blog/category/all"><span class="underline">All</span></a></li> <li><a href="/blog/category/research"><span class="underline">Research</span></a></li> <li><a href="/blog/category/podcasts"><span class="underline">Podcasts</span></a></li> <li><a href="/blog/category/webinars"><span class="underline">Webinars</span></a></li> <li><a href="/blog/category/resources"><span class="underline">Resources</span></a></li> <li><a href="/blog/category/videos"><span class="underline">Videos</span></a></li> <li><a href="/blog/category/news"><span class="underline">News</span></a></li> </ul> </div> </div> </div> <!-- MOBILE Search and Subscribe --> <div class="container-is-blog columns is-gapless is-hidden-desktop cr-mln__search-subscribe--mobile"> <div class="column"> <a class="search-btn">Search</a> </div> <div class="column"> <a class="#" href="#blog-subscribe">Subscribe</a> </div> </div> <!-- END MOBILE Search and Subscribe --> <!-- SEARCH Modal Wrap --> <div id="cr-search-modal"> <!--THIS IS IMPORTANT! 
to close the modal, the class name has to match the name given on the ID --> <div id="btn-close-modal" class="close-cr-search-modal"> X </div> <div class="modal-content"> <div class="container columns"> <div class="column"> <div class="cr-search-modal__search-bar"> <h3>Search</h3> <form action="/hs-search-results"> <input type="search" class="hs-search-field__input" name="term" autocomplete="on" placeholder="Search..."> <input type="hidden" name="type" value="BLOG_POST"> <input type="hidden" name="type" value="LISTING_PAGE"> <button type="submit" class="arrow"></button> </form> </div> </div> </div> </div> </div> <!-- END Search Modal Wrap --> </section></div> </div><!--end widget-span --> </div><!--end row--> </div><!--end row-wrapper --> </div><!--end header --> </div><!--end header wrapper --> <div class="body-container-wrapper"> <div class="body-container container-fluid"> <div class="row-fluid-wrapper row-depth-1 row-number-1 "> <div class="row-fluid "> <div class="span12 widget-span widget-type-blog_content " style="" data-widget-type="blog_content" data-x="0" data-w="12"> <div class="cr-mln__blog-post"> <div class="container-is-blog columns is-multiline page-center"> <div class="column is-8-fullhd is-8-desktop is-offset-2-fullhd is-offset-2-desktop is-10-tablet is-offset-1-tablet"> <div class="featured-image"><img src="https://www.cybereason.com/hubfs/bazar-of-tricks-blog-image.png" alt=""></div> <h1><span id="hs_cos_wrapper_name" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="text">A Bazar of Tricks: Following Team9’s Development Cycles</span></h1> <div class="cr-mln__post-author-share"> <div id="hubspot-author_data" class="hubspot-editable cr-mln__post-meta" data-hubspot-form-id="author_data" data-hubspot-name="Blog Author"> <span class="descriptor">Written By</span> <p><span class="author">Cybereason Nocturnus</span></p> </div> </div> </div> <!-- Sticky Author and 
Social Box --> <!-- END Sticky Author and Social Box --> <div class="container-is-blog columns is-multiline page-center cr-mln__blog-post--body"> <div class="column is-7-fullhd is-7-desktop is-10-tablet is-10-mobile is-offset-1-fullhd is-offset-1-desktop is-offset-1-tablet is-offset-1-mobile"> <span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text"><p><strong>Research by:</strong> Daniel Frank, Mary Zhao and Assaf Dahan</p> <!--more--><a id="key-findings" data-hs-anchor="true"></a> <h3>Key Findings</h3> <ul> <li><strong>A New Malware Family: </strong>The Cybereason Nocturnus team is tracking a new Bazar loader and backdoor that first emerged in April 2020 and has evolved continuously since. Bazar can be used to deploy additional malware, ransomware, and ultimately steal sensitive data from organizations.</li> <li><strong>Targeting the US and Europe: </strong>Bazar malware infections are specifically targeting professional services, healthcare, manufacturing, IT, logistics and travel companies across the US and Europe. </li> <li><strong>With Loader and Backdoor Capabilities</strong>: Bazar leverages the Twilio SendGrid email platform and signed loader files to evade traditional security software in conjunction with a fileless backdoor to establish persistence. </li> <li><strong>Under Constant Development:</strong> Over the course of this investigation, it is evident that Bazar is under active development. More recently, the active campaigns have disappeared, but later reappeared with a new version, which indicates the group is under a development cycle. </li> <li><strong>Evasive, Obfuscated Fileless Malware:</strong> This stealthy loader evades detection by abusing the trust of certificate authorities, much like previous Trickbot loaders. 
This loader, however, uses EmerDNS (.bazar) domains for command and control and is heavily obfuscated. It also uses anti-analysis techniques to thwart automated and manual analysis, and loads the encrypted backdoor solely in memory.</li> <li><strong>A Comeback After Two Months: </strong>After a two-month hiatus, a new variant emerged in mid-June that improved on its stealth capabilities. This is similar to the modus operandi of other cybercriminal organizations in general and Trickbot in particular.</li> <li><strong>Trickbot Ties: </strong>The loader exhibits behaviors that tie it to previous Trickbot campaigns. Though several changes exist between the Anchor and Bazar malware, including differences in clientID generation, they share the same top-level Bazar domain C2. Unlike Trickbot and Anchor, the Bazar loader and backdoor decouple campaign and bot information in bot callbacks. Given these ties and how quickly Bazar is evolving, this may signal the attackers’ next generation of malware attacks.</li> </ul> <h3>Table of Contents</h3> <ul> <li><a href="#key-findings" rel=" noopener"><strong>Key Findings</strong></a></li> <li><a href="#intro" rel=" noopener"><strong>Introduction</strong></a></li> <li><a href="#infection-vector" rel=" noopener"><strong>Infection Vector</strong></a></li> <li><a href="#loader-and-backdoor-analyses" rel=" noopener"><strong>Loader and Backdoor Analyses</strong></a></li> <li><a href="#early-development-loader" rel=" noopener"><strong>The Early Development Loader (Team9)</strong></a></li> <li><a href="#operational-bazar-loader" rel=" noopener"><strong>The Operational Bazar Loader</strong></a></li> <li><a href="#new-operational-bazar-loader" rel=" noopener"><strong>The New Operational Bazar Loader</strong></a></li> <li><a href="#early-development-backdoor" rel=" noopener"><strong>The Early Development Backdoor (Team9)</strong></a></li> <li><a href="#trickbot-connection" rel=" noopener"><strong>The Trickbot Connection</strong></a></li> <li><a
href="#conclusion" rel=" noopener"><strong>Conclusion</strong></a></li> <li><a href="#mitre-attack-techniques" rel=" noopener"><strong>MITRE ATT&CK Techniques</strong></a></li> <li><a href="#IOCs" rel=" noopener"><strong>IOCs</strong></a></li> </ul> <a id="intro" data-hs-anchor="true"></a> <h3>Introduction</h3> <p>Since April 2020, the Cybereason Nocturnus team has been investigating the emergence of the Bazar malware, a loader and backdoor used to collect data about the infected machine and to deploy additional malware. In this analysis, we show how the Bazar malware is sent via phishing emails that take advantage of the ongoing coronavirus pandemic, employee payroll reports, and customer complaints. The Bazar malware appears to have strong ties to Trickbot campaigns resembling those seen in the <a href="https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware">Trickbot-Anchor collaboration from December 2019</a>. After further investigation, it is clear that the same infection chain delivers the Bazar loader instead of the usual Trickbot downloader. </p> <p>The Bazar loader and Bazar backdoor are named after their use of <a href="https://emercoin.com/en/documentation/blockchain-services/emerdns/emerdns-introduction">EmerDNS blockchain</a> domains. Using Bazar domains has been trending recently among cybercriminals because they are able to evade takedowns and sinkholing that disrupts botnet communications. </p> <p>The Bazar loader gives the attacker its initial foothold in the environment, while the Bazar backdoor establishes persistence. Together, the loader and backdoor give threat actors the opportunity to deploy other payloads such as ransomware, and post-exploitation frameworks like CobaltStrike, as well as exfiltrate data and remotely execute commands on infected machines. 
The Bazar backdoor can lead to disrupted business continuity, data loss, and full compromise, undermining trust in an organization.</p> <p>There are several different versions of the Bazar backdoor and its loader, which shows that the malware is under active development. This writeup dissects the Bazar loader and backdoor functionality alongside elements that show its ties to Trickbot collaborations similar to that of Trickbot-Anchor from 2019. Our analysis will focus mainly on the Bazar loader as it is especially evasive given our findings from its recent re-emergence.</p> <p><img src="https://www.cybereason.com/hs-fs/hubfs/bazar-gif-final.gif?width=596&name=bazar-gif-final.gif" alt="bazar-gif-final" width="596" style="width: 596px; display: block; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/bazar-gif-final.gif?width=298&name=bazar-gif-final.gif 298w, https://www.cybereason.com/hs-fs/hubfs/bazar-gif-final.gif?width=596&name=bazar-gif-final.gif 596w, https://www.cybereason.com/hs-fs/hubfs/bazar-gif-final.gif?width=894&name=bazar-gif-final.gif 894w, https://www.cybereason.com/hs-fs/hubfs/bazar-gif-final.gif?width=1192&name=bazar-gif-final.gif 1192w, https://www.cybereason.com/hs-fs/hubfs/bazar-gif-final.gif?width=1490&name=bazar-gif-final.gif 1490w, https://www.cybereason.com/hs-fs/hubfs/bazar-gif-final.gif?width=1788&name=bazar-gif-final.gif 1788w" sizes="(max-width: 596px) 100vw, 596px"></p> <p style="font-size: 16px; text-align: center;">The Bazar loader infection chain starts from a phishing email link.</p> <br><a id="infection-vector" data-hs-anchor="true"></a> <h3>Infection Vector</h3> <p><img src="https://www.cybereason.com/hs-fs/hubfs/Bazar-2.png?width=876&name=Bazar-2.png" alt="Bazar-2" width="876" style="width: 876px; display: block; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Bazar-2.png?width=438&name=Bazar-2.png 438w, https://www.cybereason.com/hs-fs/hubfs/Bazar-2.png?width=876&name=Bazar-2.png 876w, 
https://www.cybereason.com/hs-fs/hubfs/Bazar-2.png?width=1314&name=Bazar-2.png 1314w, https://www.cybereason.com/hs-fs/hubfs/Bazar-2.png?width=1752&name=Bazar-2.png 1752w, https://www.cybereason.com/hs-fs/hubfs/Bazar-2.png?width=2190&name=Bazar-2.png 2190w, https://www.cybereason.com/hs-fs/hubfs/Bazar-2.png?width=2628&name=Bazar-2.png 2628w" sizes="(max-width: 876px) 100vw, 876px"></p> <p style="font-size: 16px; text-align: center;"><i>The Bazar loader infection delivered via malicious link in a phishing email. </i></p> <p>Whereas more common Trickbot campaigns use malicious file attachments to launch Microsoft Office macros and download Trickbot, this campaign initially infects hosts with the Bazar loader via phishing emails sent using <a href="https://sendgrid.com/">the Sendgrid email marketing platform</a>. These emails contain links to decoy landing pages for document previews hosted in Google Docs. </p> <p><img src="https://www.cybereason.com/hs-fs/hubfs/Bazar-3.png?width=826&name=Bazar-3.png" alt="Bazar-3" width="826" style="width: 826px; display: block; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Bazar-3.png?width=413&name=Bazar-3.png 413w, https://www.cybereason.com/hs-fs/hubfs/Bazar-3.png?width=826&name=Bazar-3.png 826w, https://www.cybereason.com/hs-fs/hubfs/Bazar-3.png?width=1239&name=Bazar-3.png 1239w, https://www.cybereason.com/hs-fs/hubfs/Bazar-3.png?width=1652&name=Bazar-3.png 1652w, https://www.cybereason.com/hs-fs/hubfs/Bazar-3.png?width=2065&name=Bazar-3.png 2065w, https://www.cybereason.com/hs-fs/hubfs/Bazar-3.png?width=2478&name=Bazar-3.png 2478w" sizes="(max-width: 826px) 100vw, 826px"></p> <p style="font-size: 16px; text-align: center;"><i>Coronavirus phishing email sent via Sendgrid email marketing with Google Docs links. </i></p> <p>Visiting the Google Docs landing page encourages the user to download a file. 
To convince users to download the files manually, the page states that document preview is not available.</p> <p><img src="https://www.cybereason.com/hs-fs/hubfs/Bazar-4.png?width=820&name=Bazar-4.png" alt="Bazar-4" width="820" style="width: 820px; display: block; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Bazar-4.png?width=410&name=Bazar-4.png 410w, https://www.cybereason.com/hs-fs/hubfs/Bazar-4.png?width=820&name=Bazar-4.png 820w, https://www.cybereason.com/hs-fs/hubfs/Bazar-4.png?width=1230&name=Bazar-4.png 1230w, https://www.cybereason.com/hs-fs/hubfs/Bazar-4.png?width=1640&name=Bazar-4.png 1640w, https://www.cybereason.com/hs-fs/hubfs/Bazar-4.png?width=2050&name=Bazar-4.png 2050w, https://www.cybereason.com/hs-fs/hubfs/Bazar-4.png?width=2460&name=Bazar-4.png 2460w" sizes="(max-width: 820px) 100vw, 820px"></p> <p style="font-size: 16px; text-align: center;">The Bazar loader payload retrieval and net.exe commands post-infection. </p> <p>The Bazar loader files are dual-extension executable files (such as PreviewReport.DOC.exe) signed with fake certificates such as VB CORPORATE PTY. LTD. This is consistent with the Trickbot group, which notoriously abuses the trust of certificate authorities by using signed loaders and malware to evade security product detection. 
Signed malware was seen in Trickbot-Anchor infections and will continue to play a role in future campaigns due to the ease of <a href="https://medium.com/@chroniclesec/abusing-code-signing-for-profit-ef80a37b50f4">obtaining code-signing certificates</a> and their effectiveness in evading security products.</p> <p><img src="https://www.cybereason.com/hs-fs/hubfs/Bazar-5.png?width=793&name=Bazar-5.png" alt="Bazar-5" width="793" style="width: 793px; display: block; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Bazar-5.png?width=397&name=Bazar-5.png 397w, https://www.cybereason.com/hs-fs/hubfs/Bazar-5.png?width=793&name=Bazar-5.png 793w, https://www.cybereason.com/hs-fs/hubfs/Bazar-5.png?width=1190&name=Bazar-5.png 1190w, https://www.cybereason.com/hs-fs/hubfs/Bazar-5.png?width=1586&name=Bazar-5.png 1586w, https://www.cybereason.com/hs-fs/hubfs/Bazar-5.png?width=1983&name=Bazar-5.png 1983w, https://www.cybereason.com/hs-fs/hubfs/Bazar-5.png?width=2379&name=Bazar-5.png 2379w" sizes="(max-width: 793px) 100vw, 793px"></p> <p style="font-size: 16px; text-align: center;">Trickbot and Bazar loader signed files.</p> <a id="loader-and-backdoor-analyses" data-hs-anchor="true"></a> <h3>Loader and Backdoor Analyses</h3> <p>The Cybereason Nocturnus team analyzed both development and operational versions of the Bazar loader and backdoor. To differentiate between the two versions for this writeup, we reserved the name “Team9” for the development versions and the name “Bazar” for the operational versions. </p> <p>The Team9 loader is examined first; then, we analyze the operational Bazar loader. Finally, we analyze an early development version of the malware, which is the Team9 backdoor. 
We summarize changes between loaders and backdoor versions as they are developed over time in the tables below.</p> <table style="border-color: #99acc2; border-collapse: collapse; table-layout: fixed; height: 124px;" cellpadding="4" border="1"> <tbody> <tr style="height: 31px;"> <td style="background-color: #eeeeee; height: 31px; width: 194px;"> <p><strong>Loader variant</strong></p> </td> <td style="background-color: #eeeeee; height: 31px; width: 194px;"> <p><strong>Creation date</strong></p> </td> <td style="background-color: #eeeeee; height: 31px; width: 195px;"> <p><strong>Mutex</strong></p> </td> <td style="background-color: #eeeeee; height: 31px; width: 195px;"> <p><strong>Log files (if any)</strong></p> </td> </tr> <tr style="height: 31px;"> <td style="height: 31px; width: 194px;"> <p><a href="#early-development-loader" rel=" noopener">Dev Version 1</a></p> </td> <td style="height: 31px; width: 194px;"> <p>April 9</p> </td> <td style="height: 31px; width: 195px;"> <p>n/a</p> </td> <td style="height: 31px; width: 195px;"> <p>ld_debuglog.txt</p> </td> </tr> <tr style="height: 31px;"> <td style="height: 31px; width: 194px;"> <p><a href="#operational-bazar-loader" rel=" noopener">Operational Loader</a></p> </td> <td style="height: 31px; width: 194px;"> <p>March 27 - April 20</p> </td> <td style="height: 31px; width: 195px;"> <p>ld_201127</p> </td> <td style="height: 31px; width: 195px;"> <p>n/a</p> </td> </tr> <tr style="height: 31px;"> <td style="height: 31px; width: 194px;"> <p><a href="#new-operational-bazar-loader" rel=" noopener">New Operational Loader</a></p> </td> <td style="height: 31px; width: 194px;"> <p>June 12 - June 18</p> </td> <td style="height: 31px; width: 195px;"> <p>ld_201127</p> </td> <td style="height: 31px; width: 195px;"> <p>n/a</p> </td> </tr> </tbody> </table> <p style="font-size: 16px; text-align: center;">Loader information</p> <table style="border-color: #99acc2; border-collapse: collapse; table-layout: fixed;" cellpadding="4" 
border="1"> <tbody> <tr> <td style="border-width: 1px; border-color: #000000; background-color: #eeeeee; width: 194px;"> <p><strong>Backdoor variant </strong></p> </td> <td style="border-width: 1px; border-color: #000000; background-color: #eeeeee; width: 194px;"> <p><strong>Creation date</strong></p> </td> <td style="border-width: 1px; border-color: #000000; background-color: #eeeeee; width: 195px;"> <p><strong>Mutex</strong></p> </td> <td style="border-width: 1px; border-color: #000000; background-color: #eeeeee; width: 195px;"> <p><strong>Log Files </strong><strong>(if any)</strong></p> </td> </tr> <tr> <td style="border-width: 1px; border-color: #000000; width: 194px;"> <p><a href="#early-development-backdoor" rel=" noopener">Dev Version 1 </a></p> </td> <td style="border-width: 1px; border-color: #000000; width: 194px;"> <p>April 7-9</p> </td> <td style="border-width: 1px; border-color: #000000; width: 195px;"> <p>MSCTF.[botID]</p> </td> <td style="border-width: 1px; border-color: #000000; width: 195px;"> <p>bd_debuglog.txt</p> </td> </tr> <tr> <td style="border-width: 1px; border-color: #000000; width: 194px;"> <p><a href="#early-development-backdoor" rel=" noopener">Dev Version 2</a></p> </td> <td style="border-width: 1px; border-color: #000000; width: 194px;"> <p>April 16-22</p> </td> <td style="border-width: 1px; border-color: #000000; width: 195px;"> <p>{589b7a4a-3776-4e82-8e7d-435471a6c03c} <br>AND <br>{517f1c3d-ffc0-4678-a4c0-6ab759e97501}</p> </td> <td style="border-width: 1px; border-color: #000000; width: 195px;"> <p>dl2.log</p> </td> </tr> <tr> <td style="border-width: 1px; border-color: #000000; width: 194px;"> <p><a href="#early-development-backdoor" rel=" noopener">Dev Version 2.1</a></p> </td> <td style="border-width: 1px; border-color: #000000; width: 194px;"> <p>April 17-23</p> </td> <td style="border-width: 1px; border-color: #000000; width: 195px;"> <p>{589b7a4a-3776-4e82-8e7d-435471a6c03c} </p> </td> <td style="border-width: 1px; 
border-color: #000000; width: 195px;"> <p>bd2.log</p> </td> </tr> <tr> <td style="border-width: 1px; border-color: #000000; width: 194px;"> <p><a href="#early-development-backdoor" rel=" noopener">Operational Backdoor</a></p> </td> <td style="border-width: 1px; border-color: #000000; width: 194px;"> <p>March 27 - April 22</p> </td> <td style="border-width: 1px; border-color: #000000; width: 195px;"> <p>mn_185445</p> </td> <td style="border-width: 1px; border-color: #000000; width: 195px;"> <p>n/a</p> </td> </tr> </tbody> </table> <p style="font-size: 16px; text-align: center;">Backdoor information</p> <a id="early-development-loader" data-hs-anchor="true"></a> <h3>The Early Development Loader (Team9)</h3> <p>On examining a development version of the loader, which contains ‘team9 loader’ strings, we found that it downloads an XOR-encoded payload from a remote server, then decodes and injects the payload into a target process using <a href="https://attack.mitre.org/techniques/T1093/">process hollowing</a> or <a href="https://attack.mitre.org/techniques/T1186/">process doppelgänging</a> injection techniques. </p> <p>To download the Bazar backdoor, the loader communicates with a remote server that sends the payload to the infected machine in encrypted format. On first inspection, the payload does not show a valid PE header. 
Reversing the Team9 loader sample shows that the XOR key is the infection date, in the format YYYYMMDD (ISO 8601).</p> <p><img src="https://www.cybereason.com/hs-fs/hubfs/Bazar-6.png?width=781&name=Bazar-6.png" alt="Bazar-6" width="781" style="width: 781px; display: block; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Bazar-6.png?width=391&name=Bazar-6.png 391w, https://www.cybereason.com/hs-fs/hubfs/Bazar-6.png?width=781&name=Bazar-6.png 781w, https://www.cybereason.com/hs-fs/hubfs/Bazar-6.png?width=1172&name=Bazar-6.png 1172w, https://www.cybereason.com/hs-fs/hubfs/Bazar-6.png?width=1562&name=Bazar-6.png 1562w, https://www.cybereason.com/hs-fs/hubfs/Bazar-6.png?width=1953&name=Bazar-6.png 1953w, https://www.cybereason.com/hs-fs/hubfs/Bazar-6.png?width=2343&name=Bazar-6.png 2343w" sizes="(max-width: 781px) 100vw, 781px"></p> <p style="font-size: 16px; text-align: center;">Retrieving the system time to decrypt the payload.</p> <p>The loop responsible for the byte-by-byte decryption is shown in the image below.</p> <p><img src="https://www.cybereason.com/hs-fs/hubfs/Bazar-7.png?width=381&name=Bazar-7.png" alt="Bazar-7" width="381" style="width: 381px; display: block; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Bazar-7.png?width=191&name=Bazar-7.png 191w, https://www.cybereason.com/hs-fs/hubfs/Bazar-7.png?width=381&name=Bazar-7.png 381w, https://www.cybereason.com/hs-fs/hubfs/Bazar-7.png?width=572&name=Bazar-7.png 572w, https://www.cybereason.com/hs-fs/hubfs/Bazar-7.png?width=762&name=Bazar-7.png 762w, https://www.cybereason.com/hs-fs/hubfs/Bazar-7.png?width=953&name=Bazar-7.png 953w, https://www.cybereason.com/hs-fs/hubfs/Bazar-7.png?width=1143&name=Bazar-7.png 1143w" sizes="(max-width: 381px) 100vw, 381px"></p> <p style="font-size: 16px; text-align: center;">Decryption loop for the date and time.</p> <p>As shown in later stages of this report, the mechanism above is shared with the obfuscated and packed variant. 
This loader variant creates a simple autorun key at <i>CurrentVersion\Run, </i>masqueraded as <i>BackUp Mgr</i>.</p> <p><img src="https://www.cybereason.com/hs-fs/hubfs/Bazar-8.png?width=778&name=Bazar-8.png" alt="Bazar-8" width="778" style="width: 778px; display: block; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Bazar-8.png?width=389&name=Bazar-8.png 389w, https://www.cybereason.com/hs-fs/hubfs/Bazar-8.png?width=778&name=Bazar-8.png 778w, https://www.cybereason.com/hs-fs/hubfs/Bazar-8.png?width=1167&name=Bazar-8.png 1167w, https://www.cybereason.com/hs-fs/hubfs/Bazar-8.png?width=1556&name=Bazar-8.png 1556w, https://www.cybereason.com/hs-fs/hubfs/Bazar-8.png?width=1945&name=Bazar-8.png 1945w, https://www.cybereason.com/hs-fs/hubfs/Bazar-8.png?width=2334&name=Bazar-8.png 2334w" sizes="(max-width: 778px) 100vw, 778px"></p> <p style="font-size: 16px; text-align: center;">The autorun key created by the Team9 loader.</p> <p>Once the payload is decoded correctly with a proper PE header, it is validated and then injected into memory. 
This process can be seen in the malware’s logs.</p> <p><img src="https://www.cybereason.com/hs-fs/hubfs/Bazar-9.png?width=791&name=Bazar-9.png" alt="Bazar-9" width="791" style="width: 791px; display: block; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Bazar-9.png?width=396&name=Bazar-9.png 396w, https://www.cybereason.com/hs-fs/hubfs/Bazar-9.png?width=791&name=Bazar-9.png 791w, https://www.cybereason.com/hs-fs/hubfs/Bazar-9.png?width=1187&name=Bazar-9.png 1187w, https://www.cybereason.com/hs-fs/hubfs/Bazar-9.png?width=1582&name=Bazar-9.png 1582w, https://www.cybereason.com/hs-fs/hubfs/Bazar-9.png?width=1978&name=Bazar-9.png 1978w, https://www.cybereason.com/hs-fs/hubfs/Bazar-9.png?width=2373&name=Bazar-9.png 2373w" sizes="(max-width: 791px) 100vw, 791px"></p> <p style="font-size: 16px; text-align: center;">Contents of the log file (ld_debug.txt) show Bazar loader infection activity.</p> <p>Debug strings written to a log file “ld_debuglog” show the Bazar loader execution and payload retrieval status, and indicate PE file signature verification and self-deletion capabilities. 
</p> <p>This variant places the debug logs in the hardcoded ‘admin’ user folder.</p> <p><img src="https://www.cybereason.com/hs-fs/hubfs/Bazar-10.png?width=567&name=Bazar-10.png" alt="Bazar-10" width="567" style="width: 567px; display: block; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Bazar-10.png?width=284&name=Bazar-10.png 284w, https://www.cybereason.com/hs-fs/hubfs/Bazar-10.png?width=567&name=Bazar-10.png 567w, https://www.cybereason.com/hs-fs/hubfs/Bazar-10.png?width=851&name=Bazar-10.png 851w, https://www.cybereason.com/hs-fs/hubfs/Bazar-10.png?width=1134&name=Bazar-10.png 1134w, https://www.cybereason.com/hs-fs/hubfs/Bazar-10.png?width=1418&name=Bazar-10.png 1418w, https://www.cybereason.com/hs-fs/hubfs/Bazar-10.png?width=1701&name=Bazar-10.png 1701w" sizes="(max-width: 567px) 100vw, 567px"></p> <p style="font-size: 16px; text-align: center;">Bazar loader and backdoor debug logs.</p> <a id="operational-bazar-loader" data-hs-anchor="true"></a> <h3>The Operational Bazar Loader</h3> <p>In the obfuscated and packed version of the loader, an uncommon API call is used to facilitate code injection. As seen in the image below, the loader uses <i>VirtualAllocExNuma </i>to allocate new memory and store the returned base address. 
The beginning of an obfuscated shellcode is copied to this address after being decrypted using an RC4 algorithm. In addition to the shellcode, an additional PE can be seen in memory.</p> <p><img src="https://www.cybereason.com/hs-fs/hubfs/Bazar-11.png?width=389&name=Bazar-11.png" alt="Bazar-11" width="389" style="width: 389px; display: block; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Bazar-11.png?width=195&name=Bazar-11.png 195w, https://www.cybereason.com/hs-fs/hubfs/Bazar-11.png?width=389&name=Bazar-11.png 389w, https://www.cybereason.com/hs-fs/hubfs/Bazar-11.png?width=584&name=Bazar-11.png 584w, https://www.cybereason.com/hs-fs/hubfs/Bazar-11.png?width=778&name=Bazar-11.png 778w, https://www.cybereason.com/hs-fs/hubfs/Bazar-11.png?width=973&name=Bazar-11.png 973w, https://www.cybereason.com/hs-fs/hubfs/Bazar-11.png?width=1167&name=Bazar-11.png 1167w" sizes="(max-width: 389px) 100vw, 389px"></p> <p style="font-size: 16px; text-align: center;">Memory allocation and call to shellcode decryption.</p> <p>The Bazar loader also stores an RSA2 key that is used to open the RC4 key.</p> <p><img src="https://www.cybereason.com/hs-fs/hubfs/Bazar-12.png?width=602&name=Bazar-12.png" alt="Bazar-12" width="602" style="width: 602px; display: block; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Bazar-12.png?width=301&name=Bazar-12.png 301w, https://www.cybereason.com/hs-fs/hubfs/Bazar-12.png?width=602&name=Bazar-12.png 602w, https://www.cybereason.com/hs-fs/hubfs/Bazar-12.png?width=903&name=Bazar-12.png 903w, https://www.cybereason.com/hs-fs/hubfs/Bazar-12.png?width=1204&name=Bazar-12.png 1204w, https://www.cybereason.com/hs-fs/hubfs/Bazar-12.png?width=1505&name=Bazar-12.png 1505w, https://www.cybereason.com/hs-fs/hubfs/Bazar-12.png?width=1806&name=Bazar-12.png 1806w" sizes="(max-width: 602px) 100vw, 602px"></p> <p style="font-size: 16px; text-align: center;">RSA2 BLOB as seen in the loader’s memory.</p> <p>Looking at the code of the 
‘decrypt_shellcode_and_mz’ function, we see it is very similar to the one being used in an <a href="https://labs.vipre.com/trickbots-tricks/">earlier Trickbot variant</a> and <a href="https://www.deepinstinct.com/2019/07/22/trickbooster-a-deeper-dive-into-the-malware-that-successfully-harvested-over-250m-addresses/">TrickBooster</a>.</p> <p><img src="https://www.cybereason.com/hs-fs/hubfs/Bazar-13.png?width=600&name=Bazar-13.png" alt="Bazar-13" width="600" style="width: 600px; display: block; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Bazar-13.png?width=300&name=Bazar-13.png 300w, https://www.cybereason.com/hs-fs/hubfs/Bazar-13.png?width=600&name=Bazar-13.png 600w, https://www.cybereason.com/hs-fs/hubfs/Bazar-13.png?width=900&name=Bazar-13.png 900w, https://www.cybereason.com/hs-fs/hubfs/Bazar-13.png?width=1200&name=Bazar-13.png 1200w, https://www.cybereason.com/hs-fs/hubfs/Bazar-13.png?width=1500&name=Bazar-13.png 1500w, https://www.cybereason.com/hs-fs/hubfs/Bazar-13.png?width=1800&name=Bazar-13.png 1800w" sizes="(max-width: 600px) 100vw, 600px"></p> <p style="font-size: 16px; text-align: center;">The shellcode decryption routine.</p> <p>After the RSA2 key is imported from the key <a href="https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/ns-wincrypt-publickeystruc">BLOB</a>, the RC4 key is loaded into the RC4 BLOB. 
It is reversed, since it defaults to the little-endian format, and is finally appended with a trailing zero byte, which is an essential part of the key.</p> <p><img src="https://www.cybereason.com/hs-fs/hubfs/Bazar-14.png?width=520&name=Bazar-14.png" alt="Bazar-14" width="520" style="width: 520px; display: block; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Bazar-14.png?width=260&name=Bazar-14.png 260w, https://www.cybereason.com/hs-fs/hubfs/Bazar-14.png?width=520&name=Bazar-14.png 520w, https://www.cybereason.com/hs-fs/hubfs/Bazar-14.png?width=780&name=Bazar-14.png 780w, https://www.cybereason.com/hs-fs/hubfs/Bazar-14.png?width=1040&name=Bazar-14.png 1040w, https://www.cybereason.com/hs-fs/hubfs/Bazar-14.png?width=1300&name=Bazar-14.png 1300w, https://www.cybereason.com/hs-fs/hubfs/Bazar-14.png?width=1560&name=Bazar-14.png 1560w" sizes="(max-width: 520px) 100vw, 520px"></p> <p style="font-size: 16px; text-align: center;">The RC4 BLOB with the loaded key.</p> <p>When the data is decrypted, a relatively short shellcode precedes the MZ bytes.</p> <p><img src="https://www.cybereason.com/hs-fs/hubfs/Bazar-15.png?width=530&name=Bazar-15.png" alt="Bazar-15" width="530" style="width: 530px; display: block; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Bazar-15.png?width=265&name=Bazar-15.png 265w, https://www.cybereason.com/hs-fs/hubfs/Bazar-15.png?width=530&name=Bazar-15.png 530w, https://www.cybereason.com/hs-fs/hubfs/Bazar-15.png?width=795&name=Bazar-15.png 795w, https://www.cybereason.com/hs-fs/hubfs/Bazar-15.png?width=1060&name=Bazar-15.png 1060w, https://www.cybereason.com/hs-fs/hubfs/Bazar-15.png?width=1325&name=Bazar-15.png 1325w, https://www.cybereason.com/hs-fs/hubfs/Bazar-15.png?width=1590&name=Bazar-15.png 1590w" sizes="(max-width: 530px) 100vw, 530px"></p> <p style="font-size: 16px; text-align: center;">The decrypted shellcode and PE.</p> <p>Copied to the previously allocated memory, this code deobfuscates several 
essential API calls at runtime, such as <i>LoadLibraryA, GetProcAddress, VirtualAlloc </i>and <i>VirtualProtect</i>, all of which will be used to resolve APIs and allocate memory to run the additional PE.</p> <p><img src="https://www.cybereason.com/hs-fs/hubfs/Bazar-17.png?width=637&name=Bazar-17.png" alt="Bazar-17" width="637" style="width: 637px; display: block; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Bazar-17.png?width=319&name=Bazar-17.png 319w, https://www.cybereason.com/hs-fs/hubfs/Bazar-17.png?width=637&name=Bazar-17.png 637w, https://www.cybereason.com/hs-fs/hubfs/Bazar-17.png?width=956&name=Bazar-17.png 956w, https://www.cybereason.com/hs-fs/hubfs/Bazar-17.png?width=1274&name=Bazar-17.png 1274w, https://www.cybereason.com/hs-fs/hubfs/Bazar-17.png?width=1593&name=Bazar-17.png 1593w, https://www.cybereason.com/hs-fs/hubfs/Bazar-17.png?width=1911&name=Bazar-17.png 1911w" sizes="(max-width: 637px) 100vw, 637px"></p> <p style="font-size: 16px; text-align: center;">API resolving by the shellcode loader.</p> <p>The code loads more APIs to the soon-to-be-executed PE before finally jumping to the PE entry point.</p> <p><img src="https://www.cybereason.com/hs-fs/hubfs/Bazar-18.png?width=610&name=Bazar-18.png" alt="Bazar-18" width="610" style="width: 610px; display: block; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Bazar-18.png?width=305&name=Bazar-18.png 305w, https://www.cybereason.com/hs-fs/hubfs/Bazar-18.png?width=610&name=Bazar-18.png 610w, https://www.cybereason.com/hs-fs/hubfs/Bazar-18.png?width=915&name=Bazar-18.png 915w, https://www.cybereason.com/hs-fs/hubfs/Bazar-18.png?width=1220&name=Bazar-18.png 1220w, https://www.cybereason.com/hs-fs/hubfs/Bazar-18.png?width=1525&name=Bazar-18.png 1525w, https://www.cybereason.com/hs-fs/hubfs/Bazar-18.png?width=1830&name=Bazar-18.png 1830w" sizes="(max-width: 610px) 100vw, 610px"></p> <p style="font-size: 16px; text-align: center;">Resolving APIs for the PE by the 
shellcode loader.</p> <p>Stepping into the loaded PE, the Bazar loader tries to avoid targeting Russian users by checking whether the Russian language is installed on the infected machine. It calls <i>setlocale</i>, deobfuscates the “Russia” string by adding 0xf4 to each character, and finally resolves and calls <i>StrStrA </i>to check whether “Russia” is a substring of the current locale. If so, the loader terminates. The Bazar Backdoor repeats this check as well.</p> <p><img src="https://www.cybereason.com/hs-fs/hubfs/Bazar-19.png?width=655&name=Bazar-19.png" alt="Bazar-19" width="655" style="width: 655px; display: block; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Bazar-19.png?width=328&name=Bazar-19.png 328w, https://www.cybereason.com/hs-fs/hubfs/Bazar-19.png?width=655&name=Bazar-19.png 655w, https://www.cybereason.com/hs-fs/hubfs/Bazar-19.png?width=983&name=Bazar-19.png 983w, https://www.cybereason.com/hs-fs/hubfs/Bazar-19.png?width=1310&name=Bazar-19.png 1310w, https://www.cybereason.com/hs-fs/hubfs/Bazar-19.png?width=1638&name=Bazar-19.png 1638w, https://www.cybereason.com/hs-fs/hubfs/Bazar-19.png?width=1965&name=Bazar-19.png 1965w" sizes="(max-width: 655px) 100vw, 655px"></p> <p style="font-size: 16px; text-align: center;">Checking for Russian language to determine if it should execute.</p> <p>In general, the PE is highly obfuscated. Dedicated methods resolve additional strings and API calls at runtime, rendering the PE even more difficult to analyze. Below is an example of the method responsible for resolving the <i>.bazar </i>domains. 
It loads an obfuscated string, and deobfuscates it using the first character of the domain name as a XOR key for the rest of the string.</p> <p><img src="https://www.cybereason.com/hs-fs/hubfs/Bazar-20.png?width=656&name=Bazar-20.png" alt="Bazar-20" width="656" style="width: 656px; display: block; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Bazar-20.png?width=328&name=Bazar-20.png 328w, https://www.cybereason.com/hs-fs/hubfs/Bazar-20.png?width=656&name=Bazar-20.png 656w, https://www.cybereason.com/hs-fs/hubfs/Bazar-20.png?width=984&name=Bazar-20.png 984w, https://www.cybereason.com/hs-fs/hubfs/Bazar-20.png?width=1312&name=Bazar-20.png 1312w, https://www.cybereason.com/hs-fs/hubfs/Bazar-20.png?width=1640&name=Bazar-20.png 1640w, https://www.cybereason.com/hs-fs/hubfs/Bazar-20.png?width=1968&name=Bazar-20.png 1968w" sizes="(max-width: 656px) 100vw, 656px"></p> <p style="font-size: 16px; text-align: center;">Deobfuscating .bazar domains.</p> <p>A mutex name is deobfuscated and then copied before being passed to <i>CreateMutexExA</i> with the name “ld_201127”. 
</p> <p><img src="https://www.cybereason.com/hs-fs/hubfs/Bazar-21.png?width=643&name=Bazar-21.png" alt="Bazar-21" width="643" style="width: 643px; display: block; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Bazar-21.png?width=322&name=Bazar-21.png 322w, https://www.cybereason.com/hs-fs/hubfs/Bazar-21.png?width=643&name=Bazar-21.png 643w, https://www.cybereason.com/hs-fs/hubfs/Bazar-21.png?width=965&name=Bazar-21.png 965w, https://www.cybereason.com/hs-fs/hubfs/Bazar-21.png?width=1286&name=Bazar-21.png 1286w, https://www.cybereason.com/hs-fs/hubfs/Bazar-21.png?width=1608&name=Bazar-21.png 1608w, https://www.cybereason.com/hs-fs/hubfs/Bazar-21.png?width=1929&name=Bazar-21.png 1929w" sizes="(max-width: 643px) 100vw, 643px"></p> <p style="text-align: center;">Mutex creation</p> <p>Once the Bazar loader downloads its payload, the Bazar backdoor, it is decrypted using the same method as the aforementioned <i>Team9</i> variant.</p> <p><img src="https://www.cybereason.com/hs-fs/hubfs/Bazar-22.png?width=426&name=Bazar-22.png" alt="Bazar-22" width="426" style="width: 426px; display: block; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Bazar-22.png?width=213&name=Bazar-22.png 213w, https://www.cybereason.com/hs-fs/hubfs/Bazar-22.png?width=426&name=Bazar-22.png 426w, https://www.cybereason.com/hs-fs/hubfs/Bazar-22.png?width=639&name=Bazar-22.png 639w, https://www.cybereason.com/hs-fs/hubfs/Bazar-22.png?width=852&name=Bazar-22.png 852w, https://www.cybereason.com/hs-fs/hubfs/Bazar-22.png?width=1065&name=Bazar-22.png 1065w, https://www.cybereason.com/hs-fs/hubfs/Bazar-22.png?width=1278&name=Bazar-22.png 1278w" sizes="(max-width: 426px) 100vw, 426px"></p> <p style="font-size: 16px; text-align: center;">Decrypting the downloaded payload.</p> <p>Finally, the loader validates the PE header for successful decryption, then it continues to the next step, which is code injection by process hollowing.</p> <p><img 
src="https://www.cybereason.com/hs-fs/hubfs/Bazar-23.png?width=372&name=Bazar-23.png" alt="Bazar-23" width="372" style="width: 372px; display: block; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Bazar-23.png?width=186&name=Bazar-23.png 186w, https://www.cybereason.com/hs-fs/hubfs/Bazar-23.png?width=372&name=Bazar-23.png 372w, https://www.cybereason.com/hs-fs/hubfs/Bazar-23.png?width=558&name=Bazar-23.png 558w, https://www.cybereason.com/hs-fs/hubfs/Bazar-23.png?width=744&name=Bazar-23.png 744w, https://www.cybereason.com/hs-fs/hubfs/Bazar-23.png?width=930&name=Bazar-23.png 930w, https://www.cybereason.com/hs-fs/hubfs/Bazar-23.png?width=1116&name=Bazar-23.png 1116w" sizes="(max-width: 372px) 100vw, 372px"></p> <p style="font-size: 16px; text-align: center;">System time retrieval, decryption, and header check of the downloaded payload.</p> <p>The loader tries three different processes: <i>svchost</i>, <i>explorer</i>, and <i>cmd, </i>similar to the functionality in the development version.</p> <p>After the code is successfully injected into one of the above processes, the loader uses several methods to autorun from the victim's machine. 
This implies that the code has not yet been finalized.</p> <p><img src="https://www.cybereason.com/hs-fs/hubfs/Bazar-24.png?width=411&name=Bazar-24.png" alt="Bazar-24" width="411" style="width: 411px; display: block; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Bazar-24.png?width=206&name=Bazar-24.png 206w, https://www.cybereason.com/hs-fs/hubfs/Bazar-24.png?width=411&name=Bazar-24.png 411w, https://www.cybereason.com/hs-fs/hubfs/Bazar-24.png?width=617&name=Bazar-24.png 617w, https://www.cybereason.com/hs-fs/hubfs/Bazar-24.png?width=822&name=Bazar-24.png 822w, https://www.cybereason.com/hs-fs/hubfs/Bazar-24.png?width=1028&name=Bazar-24.png 1028w, https://www.cybereason.com/hs-fs/hubfs/Bazar-24.png?width=1233&name=Bazar-24.png 1233w" sizes="(max-width: 411px) 100vw, 411px"></p> <p style="font-size: 16px; text-align: center;">Bazar loader making sure it will autorun at any cost.</p> <p>First, the loader creates a scheduled task masquerading under the name <i>StartAd </i>- <i>Ad</i> as in <i>Adobe. 
</i>Other samples use a decoy Adobe icon with a double extension .<i>PDF.exe</i>, similar to the MS Word variant being analyzed here.</p> <p><img src="https://www.cybereason.com/hs-fs/hubfs/Bazar-25.png?width=627&name=Bazar-25.png" alt="Bazar-25" width="627" style="width: 627px; display: block; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Bazar-25.png?width=314&name=Bazar-25.png 314w, https://www.cybereason.com/hs-fs/hubfs/Bazar-25.png?width=627&name=Bazar-25.png 627w, https://www.cybereason.com/hs-fs/hubfs/Bazar-25.png?width=941&name=Bazar-25.png 941w, https://www.cybereason.com/hs-fs/hubfs/Bazar-25.png?width=1254&name=Bazar-25.png 1254w, https://www.cybereason.com/hs-fs/hubfs/Bazar-25.png?width=1568&name=Bazar-25.png 1568w, https://www.cybereason.com/hs-fs/hubfs/Bazar-25.png?width=1881&name=Bazar-25.png 1881w" sizes="(max-width: 627px) 100vw, 627px"></p> <p style="font-size: 16px; text-align: center;">Creation of the scheduled task using taskschd.dll.</p> <p> The author is also set as <i>Adobe</i> for further deception.</p> <p><img src="https://www.cybereason.com/hs-fs/hubfs/Bazar-26.png?width=615&name=Bazar-26.png" alt="Bazar-26" width="615" style="width: 615px; display: block; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Bazar-26.png?width=308&name=Bazar-26.png 308w, https://www.cybereason.com/hs-fs/hubfs/Bazar-26.png?width=615&name=Bazar-26.png 615w, https://www.cybereason.com/hs-fs/hubfs/Bazar-26.png?width=923&name=Bazar-26.png 923w, https://www.cybereason.com/hs-fs/hubfs/Bazar-26.png?width=1230&name=Bazar-26.png 1230w, https://www.cybereason.com/hs-fs/hubfs/Bazar-26.png?width=1538&name=Bazar-26.png 1538w, https://www.cybereason.com/hs-fs/hubfs/Bazar-26.png?width=1845&name=Bazar-26.png 1845w" sizes="(max-width: 615px) 100vw, 615px"></p> <p style="font-size: 16px; text-align: center;">The created task as seen in the Task Scheduler.</p> <p>After setting up the scheduled task, the Bazar loader uses <i>RegSetValueExA</i> 
to write itself to <i>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.</i> By doing so, the loader is able to execute on every system logon.</p> <p><img src="https://www.cybereason.com/hs-fs/hubfs/Bazar-27.png?width=802&name=Bazar-27.png" alt="Bazar-27" width="802" style="width: 802px; display: block; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Bazar-27.png?width=401&name=Bazar-27.png 401w, https://www.cybereason.com/hs-fs/hubfs/Bazar-27.png?width=802&name=Bazar-27.png 802w, https://www.cybereason.com/hs-fs/hubfs/Bazar-27.png?width=1203&name=Bazar-27.png 1203w, https://www.cybereason.com/hs-fs/hubfs/Bazar-27.png?width=1604&name=Bazar-27.png 1604w, https://www.cybereason.com/hs-fs/hubfs/Bazar-27.png?width=2005&name=Bazar-27.png 2005w, https://www.cybereason.com/hs-fs/hubfs/Bazar-27.png?width=2406&name=Bazar-27.png 2406w" sizes="(max-width: 802px) 100vw, 802px"></p> <p style="font-size: 16px; text-align: center;">Writing the malware to autorun from userinit.</p> <p>The Bazar loader will create another autorun entry by writing an <i>adobe.lnk</i> shortcut in the Windows Start menu Startup folder.</p> <p><img src="https://www.cybereason.com/hs-fs/hubfs/Bazar-28.png?width=639&name=Bazar-28.png" alt="Bazar-28" width="639" style="width: 639px; display: block; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Bazar-28.png?width=320&name=Bazar-28.png 320w, https://www.cybereason.com/hs-fs/hubfs/Bazar-28.png?width=639&name=Bazar-28.png 639w, https://www.cybereason.com/hs-fs/hubfs/Bazar-28.png?width=959&name=Bazar-28.png 959w, https://www.cybereason.com/hs-fs/hubfs/Bazar-28.png?width=1278&name=Bazar-28.png 1278w, https://www.cybereason.com/hs-fs/hubfs/Bazar-28.png?width=1598&name=Bazar-28.png 1598w, https://www.cybereason.com/hs-fs/hubfs/Bazar-28.png?width=1917&name=Bazar-28.png 1917w" sizes="(max-width: 639px) 100vw, 639px"></p> <p style="font-size: 16px; text-align: center;">Writing the Bazar loader to the 
startup folder.</p> <p>Finally, as if the autorun overkill were not enough, the malware retrieves the path of the user’s desktop using the <i>SHGetSpecialFolderPathW </i>API call and makes the desktop shortcuts point to the loader itself. It resolves each shortcut’s target location, renames the original application by prefixing its name with an underscore, and then copies itself into that folder under the original application’s name.</p> <p><img src="https://www.cybereason.com/hs-fs/hubfs/Bazar-29.png?width=624&name=Bazar-29.png" alt="Bazar-29" width="624" style="width: 624px; display: block; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Bazar-29.png?width=312&name=Bazar-29.png 312w, https://www.cybereason.com/hs-fs/hubfs/Bazar-29.png?width=624&name=Bazar-29.png 624w, https://www.cybereason.com/hs-fs/hubfs/Bazar-29.png?width=936&name=Bazar-29.png 936w, https://www.cybereason.com/hs-fs/hubfs/Bazar-29.png?width=1248&name=Bazar-29.png 1248w, https://www.cybereason.com/hs-fs/hubfs/Bazar-29.png?width=1560&name=Bazar-29.png 1560w, https://www.cybereason.com/hs-fs/hubfs/Bazar-29.png?width=1872&name=Bazar-29.png 1872w" sizes="(max-width: 624px) 100vw, 624px"></p> <p style="font-size: 16px; text-align: center;">The legitimate Firefox application is modified so that another copy of the loader can execute.</p> <p>For example, the screenshot above shows that <i>_firefox.exe</i> is the original application, while <i>firefox.exe</i> is actually a copy of the Bazar loader. 
This is confirmed after retrieving the files’ hashes.</p> <p><img src="https://www.cybereason.com/hs-fs/hubfs/Bazar-30.png?width=623&name=Bazar-30.png" alt="Bazar-30" width="623" style="width: 623px; display: block; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Bazar-30.png?width=312&name=Bazar-30.png 312w, https://www.cybereason.com/hs-fs/hubfs/Bazar-30.png?width=623&name=Bazar-30.png 623w, https://www.cybereason.com/hs-fs/hubfs/Bazar-30.png?width=935&name=Bazar-30.png 935w, https://www.cybereason.com/hs-fs/hubfs/Bazar-30.png?width=1246&name=Bazar-30.png 1246w, https://www.cybereason.com/hs-fs/hubfs/Bazar-30.png?width=1558&name=Bazar-30.png 1558w, https://www.cybereason.com/hs-fs/hubfs/Bazar-30.png?width=1869&name=Bazar-30.png 1869w" sizes="(max-width: 623px) 100vw, 623px"></p> <p style="font-size: 16px; text-align: center;">Hashing both malicious loader copy and legitimate Firefox applications.</p> <p>Another small binary file is created in the folder with a <i>.bin</i> extension, containing more encrypted data.</p> <a id="new-operational-bazar-loader" data-hs-anchor="true"></a> <h3>The New Operational Bazar Loader</h3> <p>A new version of the Bazar loader emerged at the beginning of June 2020. The files submitted to VirusTotal share the same fake certificate: “RESURS-RM OOO”. While some functionality remains similar to the older operational variant (such as the mutex, the downloaded payload decryption routine, the persistence mechanism etc.), there are some new features in this new variant.</p> <p>One noticeable feature is the evasive API-Hammering technique, that was also seen recently in a new <a href="https://www.joesecurity.org/blog/498839998833561473" rel="noopener" target="_blank">Trickbot variant</a>. 
In this case, 1550 calls to printf are used to flood the sandbox’s API-call log with junk data and delay execution, since sandboxes log each API call.</p> <p><img src="https://www.cybereason.com/hs-fs/hubfs/bazar-blog-new-screenshot.png?width=508&name=bazar-blog-new-screenshot.png" alt="bazar-blog-new-screenshot" width="508" style="width: 508px; display: block; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/bazar-blog-new-screenshot.png?width=254&name=bazar-blog-new-screenshot.png 254w, https://www.cybereason.com/hs-fs/hubfs/bazar-blog-new-screenshot.png?width=508&name=bazar-blog-new-screenshot.png 508w, https://www.cybereason.com/hs-fs/hubfs/bazar-blog-new-screenshot.png?width=762&name=bazar-blog-new-screenshot.png 762w, https://www.cybereason.com/hs-fs/hubfs/bazar-blog-new-screenshot.png?width=1016&name=bazar-blog-new-screenshot.png 1016w, https://www.cybereason.com/hs-fs/hubfs/bazar-blog-new-screenshot.png?width=1270&name=bazar-blog-new-screenshot.png 1270w, https://www.cybereason.com/hs-fs/hubfs/bazar-blog-new-screenshot.png?width=1524&name=bazar-blog-new-screenshot.png 1524w" sizes="(max-width: 508px) 100vw, 508px"></p> <p style="text-align: center; font-size: 16px;">Bazar loader’s API-Hammering technique.</p> <p>Another noticeable difference in the new variant is the change to the initial shellcode decryption routine, though it still uses the familiar VirtualAllocExNuma call.</p> <p><img src="https://www.cybereason.com/hs-fs/hubfs/Bazar-31.png?width=739&name=Bazar-31.png" alt="Bazar-31" width="739" style="width: 739px; display: block; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Bazar-31.png?width=370&name=Bazar-31.png 370w, https://www.cybereason.com/hs-fs/hubfs/Bazar-31.png?width=739&name=Bazar-31.png 739w, https://www.cybereason.com/hs-fs/hubfs/Bazar-31.png?width=1109&name=Bazar-31.png 1109w, https://www.cybereason.com/hs-fs/hubfs/Bazar-31.png?width=1478&name=Bazar-31.png 1478w, 
https://www.cybereason.com/hs-fs/hubfs/Bazar-31.png?width=1848&name=Bazar-31.png 1848w, https://www.cybereason.com/hs-fs/hubfs/Bazar-31.png?width=2217&name=Bazar-31.png 2217w" sizes="(max-width: 739px) 100vw, 739px"></p> <p style="font-size: 16px; text-align: center;">Initial routine before the shellcode decryption.</p> <p>This variant is using what seems to be a custom RC4 algorithm with the following key.</p> <p><img src="https://www.cybereason.com/hs-fs/hubfs/Bazar-32.png?width=339&name=Bazar-32.png" alt="Bazar-32" width="339" style="width: 339px; display: block; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Bazar-32.png?width=170&name=Bazar-32.png 170w, https://www.cybereason.com/hs-fs/hubfs/Bazar-32.png?width=339&name=Bazar-32.png 339w, https://www.cybereason.com/hs-fs/hubfs/Bazar-32.png?width=509&name=Bazar-32.png 509w, https://www.cybereason.com/hs-fs/hubfs/Bazar-32.png?width=678&name=Bazar-32.png 678w, https://www.cybereason.com/hs-fs/hubfs/Bazar-32.png?width=848&name=Bazar-32.png 848w, https://www.cybereason.com/hs-fs/hubfs/Bazar-32.png?width=1017&name=Bazar-32.png 1017w" sizes="(max-width: 339px) 100vw, 339px"></p> <p style="font-size: 16px; text-align: center;">The key used for the shellcode decryption.</p> <p>Once the code is decrypted, it is clear that there are actually two payloads inside of it. 
The first payload serves as a loader for the second DLL payload.</p> <p><img src="https://www.cybereason.com/hs-fs/hubfs/Bazar-33.png?width=434&name=Bazar-33.png" alt="Bazar-33" width="434" style="width: 434px; display: block; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Bazar-33.png?width=217&name=Bazar-33.png 217w, https://www.cybereason.com/hs-fs/hubfs/Bazar-33.png?width=434&name=Bazar-33.png 434w, https://www.cybereason.com/hs-fs/hubfs/Bazar-33.png?width=651&name=Bazar-33.png 651w, https://www.cybereason.com/hs-fs/hubfs/Bazar-33.png?width=868&name=Bazar-33.png 868w, https://www.cybereason.com/hs-fs/hubfs/Bazar-33.png?width=1085&name=Bazar-33.png 1085w, https://www.cybereason.com/hs-fs/hubfs/Bazar-33.png?width=1302&name=Bazar-33.png 1302w" sizes="(max-width: 434px) 100vw, 434px"></p> <p style="font-size: 16px; text-align: center;">The first PE loads the second one with the export function “StartFunc”.</p> <p>Offset <i>0x180004000</i> holds the second DLL.</p> <p><img src="https://www.cybereason.com/hs-fs/hubfs/Bazar-34.png?width=491&name=Bazar-34.png" alt="Bazar-34" width="491" style="width: 491px; display: block; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Bazar-34.png?width=246&name=Bazar-34.png 246w, https://www.cybereason.com/hs-fs/hubfs/Bazar-34.png?width=491&name=Bazar-34.png 491w, https://www.cybereason.com/hs-fs/hubfs/Bazar-34.png?width=737&name=Bazar-34.png 737w, https://www.cybereason.com/hs-fs/hubfs/Bazar-34.png?width=982&name=Bazar-34.png 982w, https://www.cybereason.com/hs-fs/hubfs/Bazar-34.png?width=1228&name=Bazar-34.png 1228w, https://www.cybereason.com/hs-fs/hubfs/Bazar-34.png?width=1473&name=Bazar-34.png 1473w" sizes="(max-width: 491px) 100vw, 491px"></p> <p style="font-size: 16px; text-align: center;">The second DLL.</p> <p>Once loaded, the second DLL’s <i>StartFunc</i> starts a loop by calling <i>GetMessageA</i> to retrieve Windows messages and runs the main activity method.</p> <p><img 
src="https://www.cybereason.com/hs-fs/hubfs/Bazar-35.png?width=600&name=Bazar-35.png" alt="Bazar-35" width="600" style="width: 600px; display: block; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Bazar-35.png?width=300&name=Bazar-35.png 300w, https://www.cybereason.com/hs-fs/hubfs/Bazar-35.png?width=600&name=Bazar-35.png 600w, https://www.cybereason.com/hs-fs/hubfs/Bazar-35.png?width=900&name=Bazar-35.png 900w, https://www.cybereason.com/hs-fs/hubfs/Bazar-35.png?width=1200&name=Bazar-35.png 1200w, https://www.cybereason.com/hs-fs/hubfs/Bazar-35.png?width=1500&name=Bazar-35.png 1500w, https://www.cybereason.com/hs-fs/hubfs/Bazar-35.png?width=1800&name=Bazar-35.png 1800w" sizes="(max-width: 600px) 100vw, 600px"></p> <p style="font-size: 16px; text-align: center;">StartFunc main activity method.</p> <p>Another interesting finding is that Bazar Loader has now implemented a <a href="https://en.wikipedia.org/wiki/Domain_generation_algorithm">Domain Generation Algorithm</a> using the current date as a seed. 
At the moment, it seems more of a backup, since in monitored live cases the IPs were contacted directly.</p> <p><img src="https://www.cybereason.com/hs-fs/hubfs/Bazar-36.png?width=814&name=Bazar-36.png" alt="Bazar-36" width="814" style="width: 814px; display: block; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Bazar-36.png?width=407&name=Bazar-36.png 407w, https://www.cybereason.com/hs-fs/hubfs/Bazar-36.png?width=814&name=Bazar-36.png 814w, https://www.cybereason.com/hs-fs/hubfs/Bazar-36.png?width=1221&name=Bazar-36.png 1221w, https://www.cybereason.com/hs-fs/hubfs/Bazar-36.png?width=1628&name=Bazar-36.png 1628w, https://www.cybereason.com/hs-fs/hubfs/Bazar-36.png?width=2035&name=Bazar-36.png 2035w, https://www.cybereason.com/hs-fs/hubfs/Bazar-36.png?width=2442&name=Bazar-36.png 2442w" sizes="(max-width: 814px) 100vw, 814px"></p> <p style="font-size: 16px; text-align: center;">Bazar Loader’s DGA implementation.</p> <p>All of the generated domains are still under the <i>bazar</i> suffix.</p> <p><img src="https://www.cybereason.com/hs-fs/hubfs/Bazar-37.png?width=482&name=Bazar-37.png" alt="Bazar-37" width="482" style="width: 482px; display: block; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Bazar-37.png?width=241&name=Bazar-37.png 241w, https://www.cybereason.com/hs-fs/hubfs/Bazar-37.png?width=482&name=Bazar-37.png 482w, https://www.cybereason.com/hs-fs/hubfs/Bazar-37.png?width=723&name=Bazar-37.png 723w, https://www.cybereason.com/hs-fs/hubfs/Bazar-37.png?width=964&name=Bazar-37.png 964w, https://www.cybereason.com/hs-fs/hubfs/Bazar-37.png?width=1205&name=Bazar-37.png 1205w, https://www.cybereason.com/hs-fs/hubfs/Bazar-37.png?width=1446&name=Bazar-37.png 1446w" sizes="(max-width: 482px) 100vw, 482px"></p> <p style="font-size: 16px; text-align: center;">Generated Bazar domains.</p> <p>Other more minor (but significant for detection) changes include:</p> <ul> <li>Connecting to the C2 using only HTTPS</li> <li>User-Agent name 
was changed to <i>dbcutwq</i> or <i>user_agent</i></li> <li>A new cookie: group=1</li> <li>The <i>_lyrt</i> suffix that was used to check the malware’s presence on the machine has now changed to <i>_fgqw</i></li> </ul> <a id="early-development-backdoor" data-hs-anchor="true"></a> <h3>The Early Development Backdoor (Team9)</h3> <p>The Cybereason Nocturnus team has identified three versions of this backdoor since early April this year. Their modus operandi does not differ drastically, and the versions can be <a href="#loader-and-backdoor-analyses" rel="noopener">distinguished by their mutexes</a> and obfuscation level. </p> <p>Data collected from the infected machine is hashed using the MD5 algorithm, selected in the <i>CryptCreateHash</i> API call by setting the <a href="https://docs.microsoft.com/en-us/windows/win32/seccrypto/alg-id">ALG_ID</a> to 0x8003, and the hash is then appended to the mutex name.</p> <p><img src="https://www.cybereason.com/hs-fs/hubfs/Bazar-38.png?width=624&name=Bazar-38.png" alt="Bazar-38" width="624" style="width: 624px; display: block; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Bazar-38.png?width=312&name=Bazar-38.png 312w, https://www.cybereason.com/hs-fs/hubfs/Bazar-38.png?width=624&name=Bazar-38.png 624w, https://www.cybereason.com/hs-fs/hubfs/Bazar-38.png?width=936&name=Bazar-38.png 936w, https://www.cybereason.com/hs-fs/hubfs/Bazar-38.png?width=1248&name=Bazar-38.png 1248w, https://www.cybereason.com/hs-fs/hubfs/Bazar-38.png?width=1560&name=Bazar-38.png 1560w, https://www.cybereason.com/hs-fs/hubfs/Bazar-38.png?width=1872&name=Bazar-38.png 1872w" sizes="(max-width: 624px) 100vw, 624px"></p> <p style="font-size: 16px; text-align: center;">Gathering and hashing data about the infected machine.</p> <p>After successfully gathering the data, the Bazar backdoor connects to the C2 server. If the connection fails, it keeps retrying. </p> <p>Another interesting aspect of this version is that it uses a local address to fetch the data from the server. 
Given that this is an early dev version, the author may be using this method for test purposes.</p> <p><img src="https://www.cybereason.com/hs-fs/hubfs/Bazar-39.png?width=676&name=Bazar-39.png" alt="Bazar-39" width="676" style="width: 676px; display: block; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Bazar-39.png?width=338&name=Bazar-39.png 338w, https://www.cybereason.com/hs-fs/hubfs/Bazar-39.png?width=676&name=Bazar-39.png 676w, https://www.cybereason.com/hs-fs/hubfs/Bazar-39.png?width=1014&name=Bazar-39.png 1014w, https://www.cybereason.com/hs-fs/hubfs/Bazar-39.png?width=1352&name=Bazar-39.png 1352w, https://www.cybereason.com/hs-fs/hubfs/Bazar-39.png?width=1690&name=Bazar-39.png 1690w, https://www.cybereason.com/hs-fs/hubfs/Bazar-39.png?width=2028&name=Bazar-39.png 2028w" sizes="(max-width: 676px) 100vw, 676px"></p> <p style="font-size: 16px; text-align: center;">Possible testing environment of the Bazar author. </p> <p>After successfully gathering the data and connecting to the C2 server, the backdoor parses the command received in the HTTP response. 
Each char of the command is XORed with the next char in the generated MD5 string.</p> <p><img src="https://www.cybereason.com/hs-fs/hubfs/Bazar-40.png?width=553&name=Bazar-40.png" alt="Bazar-40" width="553" style="width: 553px; display: block; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Bazar-40.png?width=277&name=Bazar-40.png 277w, https://www.cybereason.com/hs-fs/hubfs/Bazar-40.png?width=553&name=Bazar-40.png 553w, https://www.cybereason.com/hs-fs/hubfs/Bazar-40.png?width=830&name=Bazar-40.png 830w, https://www.cybereason.com/hs-fs/hubfs/Bazar-40.png?width=1106&name=Bazar-40.png 1106w, https://www.cybereason.com/hs-fs/hubfs/Bazar-40.png?width=1383&name=Bazar-40.png 1383w, https://www.cybereason.com/hs-fs/hubfs/Bazar-40.png?width=1659&name=Bazar-40.png 1659w" sizes="(max-width: 553px) 100vw, 553px"></p> <p style="font-size: 16px; text-align: center;">XORing the command retrieved from the C2 with the machine identifier hash.</p> <p>After checking and parsing the XORed data, the backdoor then logs and executes the retrieved command according to the following switch case.</p> <p><img src="https://www.cybereason.com/hs-fs/hubfs/Bazar-41.png?width=494&name=Bazar-41.png" alt="Bazar-41" width="494" style="width: 494px; display: block; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Bazar-41.png?width=247&name=Bazar-41.png 247w, https://www.cybereason.com/hs-fs/hubfs/Bazar-41.png?width=494&name=Bazar-41.png 494w, https://www.cybereason.com/hs-fs/hubfs/Bazar-41.png?width=741&name=Bazar-41.png 741w, https://www.cybereason.com/hs-fs/hubfs/Bazar-41.png?width=988&name=Bazar-41.png 988w, https://www.cybereason.com/hs-fs/hubfs/Bazar-41.png?width=1235&name=Bazar-41.png 1235w, https://www.cybereason.com/hs-fs/hubfs/Bazar-41.png?width=1482&name=Bazar-41.png 1482w" sizes="(max-width: 494px) 100vw, 494px"></p> <p style="font-size: 16px; text-align: center;">Switch case for the commands received from the C2 server.</p> <p>As seen in the above 
image, the Bazar backdoor can handle <a href="https://blog.fox-it.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/">quite a few commands</a>. This next section focuses on case <i>1</i>, which retrieves various pieces of additional information on the infected machine. </p> <p>After receiving the value <i>1</i> from the C2 server and parsing the response, the value is mapped to the relevant method for execution.</p> <p><img src="https://www.cybereason.com/hs-fs/hubfs/Bazar-42.png?width=375&name=Bazar-42.png" alt="Bazar-42" width="375" style="width: 375px; display: block; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Bazar-42.png?width=188&name=Bazar-42.png 188w, https://www.cybereason.com/hs-fs/hubfs/Bazar-42.png?width=375&name=Bazar-42.png 375w, https://www.cybereason.com/hs-fs/hubfs/Bazar-42.png?width=563&name=Bazar-42.png 563w, https://www.cybereason.com/hs-fs/hubfs/Bazar-42.png?width=750&name=Bazar-42.png 750w, https://www.cybereason.com/hs-fs/hubfs/Bazar-42.png?width=938&name=Bazar-42.png 938w, https://www.cybereason.com/hs-fs/hubfs/Bazar-42.png?width=1125&name=Bazar-42.png 1125w" sizes="(max-width: 375px) 100vw, 375px"></p> <p style="font-size: 16px; text-align: center;">The methods and mapped values as seen in memory. </p> <p>The corresponding method to the value <i>1 </i>is <i>0x3fab15b0</i> in this instance. 
This method collects additional data from the infected machine, such as its public IP address, computer name, and the installed Windows version.</p> <p><img src="https://www.cybereason.com/hs-fs/hubfs/Bazar-43.png?width=831&name=Bazar-43.png" alt="Bazar-43" width="831" style="width: 831px; display: block; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Bazar-43.png?width=416&name=Bazar-43.png 416w, https://www.cybereason.com/hs-fs/hubfs/Bazar-43.png?width=831&name=Bazar-43.png 831w, https://www.cybereason.com/hs-fs/hubfs/Bazar-43.png?width=1247&name=Bazar-43.png 1247w, https://www.cybereason.com/hs-fs/hubfs/Bazar-43.png?width=1662&name=Bazar-43.png 1662w, https://www.cybereason.com/hs-fs/hubfs/Bazar-43.png?width=2078&name=Bazar-43.png 2078w, https://www.cybereason.com/hs-fs/hubfs/Bazar-43.png?width=2493&name=Bazar-43.png 2493w" sizes="(max-width: 831px) 100vw, 831px"></p> <p style="font-size: 16px; text-align: center;">Gathering additional information about the infected machine.</p> <p>It then performs a WMI query to retrieve information about the antivirus engine installed on the machine.</p> <p><img src="https://www.cybereason.com/hs-fs/hubfs/Bazar-44.png?width=636&name=Bazar-44.png" alt="Bazar-44" width="636" style="width: 636px; display: block; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Bazar-44.png?width=318&name=Bazar-44.png 318w, https://www.cybereason.com/hs-fs/hubfs/Bazar-44.png?width=636&name=Bazar-44.png 636w, https://www.cybereason.com/hs-fs/hubfs/Bazar-44.png?width=954&name=Bazar-44.png 954w, https://www.cybereason.com/hs-fs/hubfs/Bazar-44.png?width=1272&name=Bazar-44.png 1272w, https://www.cybereason.com/hs-fs/hubfs/Bazar-44.png?width=1590&name=Bazar-44.png 1590w, https://www.cybereason.com/hs-fs/hubfs/Bazar-44.png?width=1908&name=Bazar-44.png 1908w" sizes="(max-width: 636px) 100vw, 636px"></p> <p style="font-size: 16px; text-align: center;">WMI query to get information about the installed antivirus engine.</p> 
<p>Also, the Bazar loader retrieves the installed applications list using the <i>Windows\CurrentVersion\Uninstall</i> registry key.</p> <p><img src="https://www.cybereason.com/hs-fs/hubfs/Bazar-45.png?width=852&name=Bazar-45.png" alt="Bazar-45" width="852" style="width: 852px; display: block; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Bazar-45.png?width=426&name=Bazar-45.png 426w, https://www.cybereason.com/hs-fs/hubfs/Bazar-45.png?width=852&name=Bazar-45.png 852w, https://www.cybereason.com/hs-fs/hubfs/Bazar-45.png?width=1278&name=Bazar-45.png 1278w, https://www.cybereason.com/hs-fs/hubfs/Bazar-45.png?width=1704&name=Bazar-45.png 1704w, https://www.cybereason.com/hs-fs/hubfs/Bazar-45.png?width=2130&name=Bazar-45.png 2130w, https://www.cybereason.com/hs-fs/hubfs/Bazar-45.png?width=2556&name=Bazar-45.png 2556w" sizes="(max-width: 852px) 100vw, 852px"></p> <p style="font-size: 16px; text-align: center;">Querying the installed programs on the machine.</p> <p>Finally, the loader spawns <i>cmd.exe </i>to perform a series of reconnaissance commands to obtain information about the network and domain.</p> <p><img src="https://www.cybereason.com/hs-fs/hubfs/Bazar-46.png?width=831&name=Bazar-46.png" alt="Bazar-46" width="831" style="width: 831px; display: block; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Bazar-46.png?width=416&name=Bazar-46.png 416w, https://www.cybereason.com/hs-fs/hubfs/Bazar-46.png?width=831&name=Bazar-46.png 831w, https://www.cybereason.com/hs-fs/hubfs/Bazar-46.png?width=1247&name=Bazar-46.png 1247w, https://www.cybereason.com/hs-fs/hubfs/Bazar-46.png?width=1662&name=Bazar-46.png 1662w, https://www.cybereason.com/hs-fs/hubfs/Bazar-46.png?width=2078&name=Bazar-46.png 2078w, https://www.cybereason.com/hs-fs/hubfs/Bazar-46.png?width=2493&name=Bazar-46.png 2493w" sizes="(max-width: 831px) 100vw, 831px"></p> <p style="font-size: 16px; text-align: center;">cmd.exe running net and nltest tools.</p> <p>Because the 
malware is a development version, most of the above data is well-documented in its logs.</p> <p><img src="https://www.cybereason.com/hs-fs/hubfs/Bazar-47.png?width=808&name=Bazar-47.png" alt="Bazar-47" width="808" style="width: 808px; display: block; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Bazar-47.png?width=404&name=Bazar-47.png 404w, https://www.cybereason.com/hs-fs/hubfs/Bazar-47.png?width=808&name=Bazar-47.png 808w, https://www.cybereason.com/hs-fs/hubfs/Bazar-47.png?width=1212&name=Bazar-47.png 1212w, https://www.cybereason.com/hs-fs/hubfs/Bazar-47.png?width=1616&name=Bazar-47.png 1616w, https://www.cybereason.com/hs-fs/hubfs/Bazar-47.png?width=2020&name=Bazar-47.png 2020w, https://www.cybereason.com/hs-fs/hubfs/Bazar-47.png?width=2424&name=Bazar-47.png 2424w" sizes="(max-width: 808px) 100vw, 808px"></p> <p style="font-size: 16px; text-align: center;">Team9 backdoor logs.</p> <p>Subsequent network communications use a bot ID hash format reminiscent of the client ID used in <a href="https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware">Anchor campaigns from 2019</a>, an MD5 hash value.</p> <p>As seen in previous Anchor infections, Anchor’s unique identifier generation follows this pattern:</p> <p><strong>[Machine_NAME]_[Windows_Version].[Client_ID]</strong></p> <p>After a machine is infected with Anchor, it uses openNIC resolvers to resolve a Bazar domain such as toexample[dot]bazar. 
It then sends bot callbacks with the following information to the remote server in the format shown below: <span><br></span></p> <p><strong>[campaign]/[Machine_NAME]_[Windows_Version].[Client_ID]/[switch]/</strong></p> <p>Meanwhile, the generated Bazar bot ID is an MD5 hash composed of the computer name, creation dates of system folders, and the system drive serial number.</p> <p>The Bazar bot ID is an MD5 hash composed of host information, including: </p> <ul> <li><strong>[creation date of %WINDIR% in ASCII]</strong></li> <li><strong>[creation date of %WINDIR%\system32 in ASCII]</strong></li> <li><strong>[NETBIOS_Name]</strong></li> <li><strong>[%SYSTEMDRIVE% serial number]</strong></li> </ul> <p>Bazar backdoor communications follow the pattern of the botID followed by a numeric command switch.<br><strong>[botID]/[switch]</strong><br><br>Backdoor callbacks from the infected host to the Bazar domain use the botID and command switch ‘2’ when waiting to receive a new task.</p> <p><img src="https://www.cybereason.com/hs-fs/hubfs/Bazar-48.png?width=839&name=Bazar-48.png" alt="Bazar-48" width="839" style="width: 839px; display: block; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Bazar-48.png?width=420&name=Bazar-48.png 420w, https://www.cybereason.com/hs-fs/hubfs/Bazar-48.png?width=839&name=Bazar-48.png 839w, https://www.cybereason.com/hs-fs/hubfs/Bazar-48.png?width=1259&name=Bazar-48.png 1259w, https://www.cybereason.com/hs-fs/hubfs/Bazar-48.png?width=1678&name=Bazar-48.png 1678w, https://www.cybereason.com/hs-fs/hubfs/Bazar-48.png?width=2098&name=Bazar-48.png 2098w, https://www.cybereason.com/hs-fs/hubfs/Bazar-48.png?width=2517&name=Bazar-48.png 2517w" sizes="(max-width: 839px) 100vw, 839px"></p> <p style="font-size: 16px; text-align: center;">Network communication from infected host to the .bazar domain with a unique botID.</p> <p>The Bazar backdoor sends a ‘group’ identifier to the remote server along with the botID and 
the switch to send data or receive commands. As of May 2020, there were two hardcoded groups. These backdoors are associated with cookie group strings “two” and “five”. Meanwhile, the new loader is associated with the cookie group string, “1”. </p> <p><img src="https://www.cybereason.com/hs-fs/hubfs/Bazar-49.png?width=516&name=Bazar-49.png" alt="Bazar-49" width="516" style="width: 516px; display: block; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/Bazar-49.png?width=258&name=Bazar-49.png 258w, https://www.cybereason.com/hs-fs/hubfs/Bazar-49.png?width=516&name=Bazar-49.png 516w, https://www.cybereason.com/hs-fs/hubfs/Bazar-49.png?width=774&name=Bazar-49.png 774w, https://www.cybereason.com/hs-fs/hubfs/Bazar-49.png?width=1032&name=Bazar-49.png 1032w, https://www.cybereason.com/hs-fs/hubfs/Bazar-49.png?width=1290&name=Bazar-49.png 1290w, https://www.cybereason.com/hs-fs/hubfs/Bazar-49.png?width=1548&name=Bazar-49.png 1548w" sizes="(max-width: 516px) 100vw, 516px"></p> <p style="text-align: center;"><span style="font-size: 16px;">Bazar backdoor “group” identifier sent via HTTP request “cookie” parameter.</span></p> <p>While the URI string has changed from Trickbot and Anchor variants, the phishing tactics and use of post-infection reconnaissance commands remains the same. In the Bazar backdoor, the tag (or <strong>gtag</strong>) used to identify Trickbot campaigns is removed from C2 URIs. It may have been moved to the cookie HTTP header parameter. </p> <p>With Bazar, the infected machine name and Trickbot campaign identifier are no longer sent in the same HTTP requests. Instead, the ‘/api/v{rand}’ URI is sent to retrieve the backdoor from cloud hosted servers after the loader executes. Backdoor communications between the C2 server and the client occur to the .bazar domain using the botID assigned to the infected host.</p> <p>The decoupling of campaign tag and client machine name from the Bazar C2 server is specific to this backdoor. 
Because bot communications are often quickly terminated after infections are discovered, removing the campaign and client machine name from URIs results in reduced downtime, lowering the need to re-infect a machine. </p> <a id="trickbot-connection" data-hs-anchor="true"></a> <h3>The Trickbot Connection</h3> <p>As we previously stated, the Bazar loader and Bazar backdoor show ties to Trickbot and Anchor malware with signed loaders. Similarities between the three include: </p> <ul> <li>using revoked certificates to sign malware</li> <li>domain reuse (e.g. machunion[.]com and bakedbuns[.]com)</li> <li>almost identical decryption routines in the Bazar and Trickbot loaders, including the use of the same WinAPIs, a custom RC4 implementation, and the use of API hammering in the latest loader variant, which is also found in Trickbot</li> <li>backdoor command-and-control using .bazar domains</li> </ul> <p>The fact that this malware does not infect machines with Russian language support offers a clue to its origins and intended targets.</p> <p>The Bazar loaders are signed with revoked certificates. <a href="https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth">Previous research</a> shows that the Trickbot group uses revoked certificates to sign files up to six months after certificate revocation, illustrated by the use of a certificate issued to the subject “VB CORPORATE PTY. LTD.” in January 2020. Anchor campaigns from December 2019 also used signed Trickbot loader files with filenames related to preview documents. The current revoked certificate used in the new loader variant is issued by “RESURS-RM OOO”.</p> <p>In addition, similar phishing email tactics, Google Drive decoy previews, signed malware, and deceptive file icon use were observed in both of these campaigns. We observed reuse of likely compromised domains to host Bazar loaders that previously served Trickbot loaders. 
For example, the domain ruths-brownies[dot]com was used in a Trickbot campaign in <a href="https://twitter.com/cyber__sloth/status/1217495240971603968">January</a> and hosted Bazar loaders in <a href="https://twitter.com/pancak3lullz/status/1252303608747565057">April</a> 2020.</p> <p>The Bazar malware has a new command-and-control pattern and botID that differ from Trickbot and Anchor, yet it retains historical indicators of both malware families. Finally, the use of Emercoin (.bazar) domains was observed in Trickbot infections delivering Anchor from December 2019. </p> <a id="conclusion" data-hs-anchor="true"></a> <h3>Conclusion</h3> <p>In this writeup, we associate the Bazar loader and Bazar backdoor with the threat actors behind Trickbot and with the Anchor malware described in <a href="https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware">our previous research on Anchor and Trickbot</a> from December 2019. Based on our investigation, Cybereason estimates that the new malware family is the latest sophisticated tool in the Trickbot gang's arsenal, which so far has been selectively observed on a handful of high-value targets. </p> <p>The Bazar malware is focused on evasion, stealth, and persistence. The malware authors are actively testing a few versions of their malware, trying to obfuscate the code as much as possible, and hiding the final payload while executing it in the context of another process. To further evade detection, the Bazar loader and backdoor use a different network callback scheme from previously seen Trickbot-related malware. </p> <p>Post-infection, the malware gives threat actors a variety of command and code execution options, along with built-in file upload and self-deletion capabilities. This variety allows attackers to be dynamic while exfiltrating data, installing another payload on the targeted machine, or spreading further on the network. 
In general, having more options ensures the threat actors can adjust to changes in their goals or in the victim’s environment.</p> <p>The use of blockchain domains distinguishes the Bazar loader and Bazar backdoor as part of a family of threats that rely on alternate domain name systems such as EmerDNS domains. As we reported in Dropping The Anchor in December 2019, these alternate domain name systems have also been used in Trickbot Anchor campaigns. These systems provide <a href="https://www.fireeye.com/blog/threat-research/2018/04/cryptocurrencies-cyber-crime-blockchain-infrastructure-use.html">bot infrastructure</a> with protection from censorship and resilience to takedowns, making them invaluable for threat actors. </p> <p>The emergence of the first malware variants in April 2020 was followed by an almost two-month-long hiatus, until a new variant was discovered in June 2020. Our research, which covers the evolution of the Bazar malware family, clearly shows that the threat actor took time to re-examine and improve their code, making the malware stealthier. 
Bazar’s authors changed some of the most detectable characteristics of the previous variant, such as previously hardcoded strings, and modified the known shellcode decryption routine, similar to what was <a href="https://zero2auto.com/2020/06/22/decrypting-trickbot-crypter/">previously observed</a> in recent Trickbot variants.</p> <p>Although this malware is still in its development stages, Cybereason estimates that its latest improvements and resurfacing may indicate the rise of a new formidable threat once it is fully ready for production.</p> <a id="mitre-attack-techniques" data-hs-anchor="true"></a> <h3 style="line-height: 2;">MITRE ATT&amp;CK Techniques</h3> <table style="border-color: #99acc2; border-collapse: collapse; table-layout: fixed; width: 787px;" cellpadding="4" border="1"> <tbody> <tr> <td style="background-color: #eeeeee; width: 99px;"> <p><strong>Execution</strong></p> </td> <td style="background-color: #eeeeee; width: 112px;"> <p><strong>Persistence</strong></p> </td> <td style="background-color: #eeeeee; width: 86px;"> <p><strong>Privilege Escalation</strong></p> </td> <td style="background-color: #eeeeee; width: 129px;"> <p><strong>Defense Evasion</strong></p> </td> <td style="background-color: #eeeeee; width: 135px;"> <p><strong>Discovery</strong></p> </td> <td style="background-color: #eeeeee; width: 92px;"> <p><strong>Exfiltration</strong></p> </td> <td style="background-color: #eeeeee; width: 134px;"> <p><strong>Command and Control</strong></p> </td> </tr> <tr> <td style="width: 99px;"> <p><a href="https://attack.mitre.org/techniques/T1106/">Execution Through API</a></p> </td> <td style="width: 112px;"> <p><a href="https://attack.mitre.org/techniques/T1165">Startup Items</a></p> </td> <td style="width: 86px;"> <p><a href="https://attack.mitre.org/techniques/T1165">Startup Items</a></p> </td> <td style="width: 129px;"> <p><a href="https://attack.mitre.org/techniques/T1140/">Deobfuscate / Decode Files or Information</a></p> </td> <td style="width: 
135px;"> <p><a href="https://attack.mitre.org/techniques/T1087">Account Discovery</a></p> </td> <td style="width: 92px;"> <p><a href="https://attack.mitre.org/techniques/T1022/">Data Encrypted</a></p> </td> <td style="width: 134px;"> <p><a href="https://attack.mitre.org/techniques/T1043">Commonly Used Port</a></p> </td> </tr> <tr> <td style="width: 99px;"> </td> <td style="width: 112px;"> <p><a href="https://attack.mitre.org/techniques/T1060">Registry Run Keys / Startup Folder</a></p> </td> <td style="width: 86px;"> <p><a href="https://attack.mitre.org/techniques/T1055">Process Injection</a></p> </td> <td style="width: 129px;"> <p><a href="https://attack.mitre.org/techniques/T1036">Masquerading</a></p> </td> <td style="width: 135px;"> <p><a href="https://attack.mitre.org/techniques/T1010">Application Window Discovery</a></p> </td> <td style="width: 92px;"> </td> <td style="width: 134px;"> <p><a href="https://attack.mitre.org/techniques/T1105">Remote File Copy</a></p> </td> </tr> <tr> <td style="width: 99px;"> </td> <td style="width: 112px;"> </td> <td style="width: 86px;"> </td> <td style="width: 129px;"> <p><a href="https://attack.mitre.org/techniques/T1112">Modify Registry</a></p> </td> <td style="width: 135px;"> <p><a href="https://attack.mitre.org/techniques/T1083/">File and Directory Discovery</a></p> </td> <td style="width: 92px;"> </td> <td style="width: 134px;"> <p><a href="https://attack.mitre.org/techniques/T1071">Standard Application Layer Protocol</a></p> </td> </tr> <tr> <td style="width: 99px;"> </td> <td style="width: 112px;"> </td> <td style="width: 86px;"> </td> <td style="width: 129px;"> <p><a href="https://attack.mitre.org/techniques/T1027">Obfuscated Files or Information</a></p> </td> <td style="width: 135px;"> <p><a href="https://attack.mitre.org/techniques/T1057">Process Discovery</a></p> </td> <td style="width: 92px;"> </td> <td style="width: 134px;"> <p><a href="https://attack.mitre.org/techniques/T1032">Standard Cryptographic 
Protocol</a></p> </td> </tr> <tr> <td style="width: 99px;"> </td> <td style="width: 112px;"> </td> <td style="width: 86px;"> </td> <td style="width: 129px;"> <p><a href="https://attack.mitre.org/techniques/T1186/">Process Doppelgänging</a></p> </td> <td style="width: 135px;"> <p><a href="https://attack.mitre.org/techniques/T1012">Query Registry</a></p> </td> <td style="width: 92px;"> </td> <td style="width: 134px;"> <p><a href="https://attack.mitre.org/techniques/T1095">Standard Non-Application Layer Protocol</a></p> </td> </tr> <tr> <td style="width: 99px;"> </td> <td style="width: 112px;"> </td> <td style="width: 86px;"> </td> <td style="width: 129px;"> <p><a href="https://attack.mitre.org/techniques/T1093/">Process Hollowing</a></p> </td> <td style="width: 135px;"> <p><a href="https://attack.mitre.org/techniques/T1018">Remote System Discovery</a></p> </td> <td style="width: 92px;"> </td> <td style="width: 134px;"> </td> </tr> <tr> <td style="width: 99px;"> </td> <td style="width: 112px;"> </td> <td style="width: 86px;"> </td> <td style="width: 129px;"> <p><a href="https://attack.mitre.org/techniques/T1055/">Process Injection</a></p> </td> <td style="width: 135px;"> <p><a href="https://attack.mitre.org/techniques/T1063/">Security Software Discovery</a></p> </td> <td style="width: 92px;"> </td> <td style="width: 134px;"> </td> </tr> <tr> <td style="width: 99px;"> </td> <td style="width: 112px;"> </td> <td style="width: 86px;"> </td> <td style="width: 129px;"> </td> <td style="width: 135px;"> <p><a href="https://attack.mitre.org/techniques/T1082/">System Information Discovery</a></p> </td> <td style="width: 92px;"> </td> <td style="width: 134px;"> </td> </tr> <tr> <td style="width: 99px;"> </td> <td style="width: 112px;"> </td> <td style="width: 86px;"> </td> <td style="width: 129px;"> </td> <td style="width: 135px;"> <p><a href="https://attack.mitre.org/techniques/T1124">System Time Discovery</a></p> </td> <td style="width: 92px;"> </td> <td style="width: 134px;"> 
</td> </tr> <tr> <td style="width: 99px;"> </td> <td style="width: 112px;"> </td> <td style="width: 86px;"> </td> <td style="width: 129px;"> </td> <td style="width: 135px;"> <p><a href="https://attack.mitre.org/techniques/T1033">System Owner / User Discovery</a></p> </td> <td style="width: 92px;"> </td> <td style="width: 134px;"> </td> </tr> </tbody> </table> <a id="IOCs" data-hs-anchor="true"></a> <h3>Indicators of Compromise</h3> <p><a href="/hubfs/A%20Bazar%20of%20Tricks%20Following%20Team9%E2%80%99s%20Development%20Cycles%20IOCs.pdf" rel="noopener" target="_blank">Click here to download this campaign's IOCs (PDF)</a></p></span>
and Its Complexities</span></a> </div> </div> </div> <div class="sidebar-block category-listing"> <h4>Categories</h4> <ul> <li><a href="https://www.cybereason.com/blog/category/research">Research</a></li> <li><a href="https://www.cybereason.com/blog/category/podcasts">Podcasts</a></li> <li><a href="https://www.cybereason.com/blog/category/webinars">Webinars</a></li> <li><a href="https://www.cybereason.com/blog/category/resources">Resources</a></li> <li><a href="https://www.cybereason.com/blog/category/videos">Videos</a></li> <li><a href="https://www.cybereason.com/blog/category/news">News</a></li> </ul> <a class="rec-category__single--view-all" href="/blog/category/research">All Posts</a> </div> </div><!-- END .rec-categories__all --> </div> </div> </div> </div></div> </div><!--end row--> </div><!--end row-wrapper --> <div class="row-fluid-wrapper row-depth-1 row-number-2 "> <div class="row-fluid "> <div class="span12 widget-span widget-type-custom_widget " style="display: none;" data-widget-type="custom_widget" data-x="0" data-w="12"> <div id="hs_cos_wrapper_module_1616011887658867" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_module" style="" data-hs-cos-general-type="widget" data-hs-cos-type="module"> <section class="cr-section related-posts__wrapper"> <div class="container container-is-blog page-center"> <h3>Related Posts</h3> <div class="columns is-multiline"> <div class="column is-6-fullhd is-6-desktop is-full-mobile blog-listing__single-post"> <div class="text-content-bundle"> <a href="https://www.cybereason.com/blog/threat-analysis-report-from-shatak-emails-to-the-conti-ransomware"><img src="https://www.cybereason.com/hubfs/Threat%20Alert%20template%20%284%29.png" alt="THREAT ANALYSIS REPORT: From Shathak Emails to the Conti Ransomware"></a> <h4><a href="https://www.cybereason.com/blog/threat-analysis-report-from-shatak-emails-to-the-conti-ransomware"><span class="underline">THREAT ANALYSIS REPORT: From Shathak Emails to the Conti 
Ransomware</span></a></h4> <p>The ITG23 group is partnering with the TA551 (Shatak) threat group to distribute ITG23’s TrickBot and BazarBackdoor malware which attackers use to deploy Conti ransomware on compromised systems...</p> </div> </div> <div class="column is-6-fullhd is-6-desktop is-full-mobile blog-listing__single-post"> <div class="text-content-bundle"> <a href="https://www.cybereason.com/blog/i-am-goot-loader"><img src="https://www.cybereason.com/hubfs/dam/images/images-web/featured-images/goot-loader-blog-featured.png" alt="I am Goot (Loader)"></a> <h4><a href="https://www.cybereason.com/blog/i-am-goot-loader"><span class="underline">I am Goot (Loader)</span></a></h4> <p>In this Threat Analysis report, Cybereason Security Services investigate the rising activity of the malware GootLoader. GootLoader is a malware loader known to abuse JavaScript to download post-exploitation malware/tools and persist within the infected machine.</p> </div> </div> </div> </div> </section></div> </div><!--end widget-span --> </div><!--end row--> </div><!--end row-wrapper --> <div class="row-fluid-wrapper row-depth-1 row-number-3 "> <div class="row-fluid "> <div class="span12 widget-span widget-type-custom_widget " style="" data-widget-type="custom_widget" data-x="0" data-w="12"> <div id="hs_cos_wrapper_module_161767462015235" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_module widget-type-blog_subscribe" style="" data-hs-cos-general-type="widget" data-hs-cos-type="module"><div class="cr-mln__blog-listing-page__subscribe-footer"> <div class="container container-is-blog columns page-center"> <div class="column is-8-fullhd is-8-desktop is-10-tablet is-12-mobile"> <span class="tag">NEWSLETTER</span> <h3>Never miss a blog</h3> <p>Get the latest research, expert insights, and security industry news.</p> <a class="cr-button cr-mln__subscribe" href="#blog-subscribe">Subscribe</a> </div> <!--<div class="column is-5-fullhd is-5-desktop is-half-tablet is-12-mobile 
is-offset-1-fullhd is-offset-1-desktop"> <div class="inputs-wrapper"> </div> </div>--> </div> </div></div> </div><!--end widget-span --> </div><!--end row--> </div><!--end row-wrapper --> <div class="row-fluid-wrapper row-depth-1 row-number-4 "> <div class="row-fluid "> <div class="span12 widget-span widget-type-custom_widget " style="" data-widget-type="custom_widget" data-x="0" data-w="12"> <div id="hs_cos_wrapper_module_166508001252918" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_module" style="" data-hs-cos-general-type="widget" data-hs-cos-type="module"><div class="cr-sticky-cta-bar bg-black" id="sticky-bar"> <div class="content"> <span>Want to see the Cybereason Defense Platform in action?</span> <a class="cr-button cr-button__fill-yellow" href="https://www.cybereason.com/request-a-demo" target="_blank">Schedule a Demo</a> </div> <div class="close">X</div> </div></div> </div><!--end widget-span --> </div><!--end row--> </div><!--end row-wrapper --> </div><!--end body --> </div><!--end body wrapper --> <div class="footer-container-wrapper"> <div class="footer-container container-fluid"> <div class="row-fluid-wrapper row-depth-1 row-number-1 "> <div class="row-fluid "> <div class="span12 widget-span widget-type-custom_widget " style="" data-widget-type="custom_widget" data-x="0" data-w="12"> <div id="hs_cos_wrapper_module_16036762394194314" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_module" style="" data-hs-cos-general-type="widget" data-hs-cos-type="module"><!-- FOOTER --> <footer class="cr-section cr-footer cr-footer__full"> <div class="container page-center"> <div class="columns"> <div class="column is-6-fullhd is-5-desktop cr-footer__col cr-footer__left"> <div class="cr-footer__Left-logo"> <a href="https://www.cybereason.com"> <img src="https://www.cybereason.com/hubfs/dam/images/images-web/logos/cr-brand/cr-logo-inline--primary-white.png"> </a> </div> </div> <div class="columns column is-6-fullhd is-6-desktop 
cr-footer__col cr-footer__right"> <div class="cr-footer__links-list column"> <h4>About</h4> <ul> <li><a href="https://www.cybereason.com/company/who-we-are">Who We Are</a> </li><li><a href="https://www.cybereason.com/company/careers">Careers</a> <!-- </li><li><a href="https://www.cybereason.com/company/leadership">Leadership</a> ---> </li><li><a href="https://www.cybereason.com/company/contact-us">Contact</a> </li></ul> </div> <div class="cr-footer__links-list column"> <h4>Resources</h4> <ul> <li><a href="https://www.cybereason.com/blog">Blog</a></li> <li><a href="https://www.cybereason.com/resources/tag/case-study">Case Studies</a></li> <li><a href="https://www.cybereason.com/resources/tag/webinars">Webinars</a></li> <li><a href="https://www.cybereason.com/resources/tag/white-papers">White Papers</a></li> </ul> </div> <div class="cr-footer__links-list column"> <h4>Platform</h4> <ul> <li><a href="https://www.cybereason.com/platform">Overview</a></li> <li><a href="https://www.cybereason.com/platform/endpoint-prevention">Endpoint Protection</a></li> <li><a href="https://www.cybereason.com/platform/endpoint-detection-response-edr">EDR</a></li> <li><a href="https://www.cybereason.com/platform/managed-detection-response-mdr">MDR</a></li> </ul> </div> </div> </div> </div> <div class="container page-center"> <div class="columns cr-footer__bottom-bar"> <div class="column"> <p>©Cybereason 2024. 
All Rights Reserved.</p> </div> <div class="column bottom-bar__links"> <ul> <li><a href="https://www.cybereason.com/terms-of-use">Terms of Use</a></li> <li><a href="https://www.cybereason.com/privacy-notice">Privacy Notice</a></li> <li><a href="https://www.cybereason.com/ccpa-privacy-request">Do Not Sell</a></li> <li><a href="https://www.cybereason.com/security">Security</a></li> <!--<li><a href="#">Cookie Policy</a></li>--> </ul> </div> <div class="column bottom-bar__social"> <ul> <li><a class="facebook" href="https://www.facebook.com/Cybereason/"></a></li> <li><a class="twitter" href="https://twitter.com/cybereason"></a></li> <li><a class="youtube" href="https://www.youtube.com/channel/UCOm7AaB0HiNH4Phe66sK0Ew"></a></li> <li><a class="linkedin" href="https://www.linkedin.com/company/cybereason"></a></li> <li><a class="instagram" href="https://www.instagram.com/cybereason"></a></li> </ul> </div> </div> </div> </footer></div> </div><!--end widget-span --> </div><!--end row--> </div><!--end row-wrapper --> </div><!--end footer --> </div><!--end footer wrapper --> <!-- HubSpot performance collection script --> <script defer src="/hs/hsstatic/content-cwv-embed/static-1.1293/embed.js"></script> <script src="https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/template_assets/42507089303/1644440411417/__CR_Web_Platform/JS/animatedModal/animatedModal.min.js"></script> <script> var hsVars = hsVars || {}; hsVars['language'] = 'en'; </script> <script src="/hs/hsstatic/cos-i18n/static-1.53/bundles/project.js"></script> <script src="https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/module_assets/41681847227/1644941386128/module_41681847227_CR_-_Malicious_Life_Network_--_Tier_One_Header.min.js"></script> <script src="https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/module_assets/41682410610/1644941443113/module_41682410610_CR_-_Malicious_Life_Network_--_Main_Hero.min.js"></script> <script 
src="https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/module_assets/43300360745/1724042213858/module_43300360745_CR_-_Malicious_Life_Network_--_Related_Posts.min.js"></script> <script src="https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/module_assets/86933076631/1669911113440/module_86933076631_CR_-_Sticky_CTA_Bar.min.js"></script> <!-- Start of HubSpot Analytics Code --> <script type="text/javascript"> var _hsq = _hsq || []; _hsq.push(["setContentType", "blog-post"]); _hsq.push(["setCanonicalUrl", "https:\/\/www.cybereason.com\/blog\/research\/a-bazar-of-tricks-following-team9s-development-cycles"]); _hsq.push(["setPageId", "32111010251"]); _hsq.push(["setContentMetadata", { "contentPageId": 32111010251, "legacyPageId": "32111010251", "contentFolderId": null, "contentGroupId": 5272851739, "abTestId": null, "languageVariantId": 32111010251, "languageCode": "en", }]); </script> <script type="text/javascript" id="hs-script-loader" async defer src="/hs/scriptloader/3354902.js"></script> <!-- End of HubSpot Analytics Code --> <script type="text/javascript"> var hsVars = { render_id: "f6b0fa58-8d0d-4d0a-beaa-2938ad049b81", ticks: 1732058080506, page_id: 32111010251, content_group_id: 5272851739, portal_id: 3354902, app_hs_base_url: "https://app.hubspot.com", cp_hs_base_url: "https://cp.hubspot.com", language: "en", analytics_page_type: "blog-post", scp_content_type: "", analytics_page_id: "32111010251", category_id: 3, folder_id: 0, is_hubspot_user: false } </script> <script defer src="/hs/hsstatic/HubspotToolsMenu/static-1.354/js/index.js"></script> <script>if ($('[id^="hs_form"]').length > 0) { var myInterval = setInterval( function() { var myFields = document.getElementsByClassName('hs-input'); if (myFields.length > 0) { clearInterval(myInterval); for (var i = 0; i < myFields.length; i++) { var myField = myFields[i]; var myTagName = myField.tagName.toLowerCase(); if (myTagName == 'input' || myTagName == 'textarea') { if (myField.placeholder != 
null) { myField.placeholder = myField.placeholder.replace('*', ''); } } else if (myTagName == 'select') { myField.options[0].innerHTML = myField.options[0].innerHTML.replace('*', ''); } } } }, 100); } </script> <div id="fb-root"></div> <script>(function(d, s, id) { var js, fjs = d.getElementsByTagName(s)[0]; if (d.getElementById(id)) return; js = d.createElement(s); js.id = id; js.src = "//connect.facebook.net/en_GB/sdk.js#xfbml=1&version=v3.0"; fjs.parentNode.insertBefore(js, fjs); }(document, 'script', 'facebook-jssdk'));</script> <script>!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0];if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src="https://platform.twitter.com/widgets.js";fjs.parentNode.insertBefore(js,fjs);}}(document,"script","twitter-wjs");</script> <script> function sticky_relocate() { var window_top = $(window).scrollTop(); var div_top = $('#sticky-anchor').offset().top; if (window_top > div_top) { $('#sticky').addClass('stick'); } else { $('#sticky').removeClass('stick'); } } $(function() { $(window).scroll(sticky_relocate); sticky_relocate(); }); </script> <!-- Generated by the HubSpot Template Builder - template version 1.03 --> <script type="text/javascript" src="/_Incapsula_Resource?SWJIYLWA=719d34d31c8e3a6e6fffd425f7e032f3&ns=2&cb=163539891" async></script></body></html>