Links Discovered Between Bazar and TrickBot

Recently, Trickbot has been found coupling up with another malware family.

The scoop

Since April, the Bazar backdoor has been used against victims in Europe and the U.S. The most affected organizations belong to the healthcare, IT, travel, and logistics sectors. Although the first variants appeared in April, a new sample was spotted in June with improved codes and capabilities.

What should you know about Bazar?

  • The new Bazar loader was first seen at the beginning of June this year, with features such as mutex, downloaded payload decryption routine, and persistence mechanism remaining unchanged.
  • One of the new attributes includes the API-Hammering technique, which has also been observed in a new Trickbot strain.
  • Although the typical VirtualAllocExNuma routine is still used, this variant of the loader uses the initial shellcode decryption routine.
  • Bazar has implemented a Domain Generation Algorithm (DGA) using the current date as a seed.

The Trickbot relation

Both the Bazar backdoor and Bazar loader are tied to Anchor and Trickbot malware with signed loaders. The similarities include:
  • Use of revoked certificates to sign malware.
  • Reuse of domains.
  • Identical decryption routines in Trickbot and Bazar loaders.
  • The backdoor C2 uses [.]bazar domains.

Closing words

The bottom line is that the Bazar loader and backdoor are associated with Trickbot. Researchers estimate that the addition of the Bazar malware family is the latest sophisticated trick up Trickbot’s sleeve, also, proven by the handful of high-value targets. Although the malware is still under development, the latest upgrades signify the rise of a new threat once it is completely ready.