BazarLoader
BazarLoader is a malware loader/backdoor used to establish initial access and deliver follow-on payloads in enterprise intrusions. Tracked reporting describes it as a loader that starts infection chains by deploying payloads and backdoors from command-and-control infrastructure, and notes that BazarLoader and BazarBackdoor work closely together and may communicate with the same C2 infrastructure. Reported delivery vectors include phishing campaigns with malicious links or attachments, phishing emails linking to actor-controlled Google Drive or other free file-hosting services, macro-enabled Excel documents delivered through the BazarCall social-engineering/call-center campaign, and XLL-based delivery in some commodity malware activity. Once installed, it provides remote access to infected machines and has been a common precursor to lateral movement, credential theft, data theft, and ransomware deployment.
The malware is repeatedly associated with the TrickBot/Wizard Spider ecosystem and with ransomware deployment operations including Ryuk and Conti. Tracked reporting states that actors believed associated with TrickBot began using BazarLoader and BazarBackdoor from approximately early 2020, and that FIN12 shifted initial access away from TrickBot to BazarLoader in September 2020. Mandiant reporting cited here says UNC2053 distributed BazarLoader via malicious email campaigns, after which BazarBackdoor delivered FIN12 Cobalt Strike BEACON payloads. BazarLoader is also described as one of the most commonly used vectors for ransomware deployment, especially in healthcare and other large corporate environments, and is linked by the tracked sources to FIN12, UNC1878, Wizard Spider, GOLD ULRICK, and Conti-related operations.
The tracked sources tie BazarLoader to campaigns and intrusion chains targeting high-profile corporate networks and healthcare organizations. It is described as being used to gain unauthorized remote access before operators move laterally, steal credentials, harvest unencrypted data, and deploy ransomware. Multiple sources connect BazarLoader-enabled access to Ryuk and Conti ransomware, and ANSSI notes that from mid-September 2020 the BazarLoader-Ryuk infection chain appeared to replace TrickBot-Ryuk chains in some activity. The sources also note use alongside other malware and tooling such as TrickBot, SystemBC, Buer Loader, Zloader, Cobalt Strike, and Anchor.
High-confidence infrastructure details in the tracked sources are limited but include references to BazarLoader C2 infrastructure and historical C2 IPs associated with the broader activity cluster: 45.148.10.92, 170.238.117.187, 177.74.232.124, 185.68.93.17, 203.176.135.102, 96.9.73.73, 96.9.77.142, 37.187.3.176, 45.89.127.92, 62.108.35.103, 91.200.103.242, 103.84.238.3, 36.89.106.69, 103.76.169.213, 36.91.87.227, 105.163.17.83, 185.117.73.163, 5.2.78.118, 185.90.61.69, 185.90.61.62, 86.104.194.30, 31.131.21.184, 46.28.64.8, 104.161.32.111, 107.172.140.171, 131.153.22.148, 195.123.240.219, 195.123.242.119, 195.123.242.120, 51.81.113.25, and 74.222.14.27. The sources give no first-seen or last-seen dates for these addresses, so treat them as retrospective hunting pivots rather than current block-list entries. The sources also note that X.509 certificate subject values observed on later infrastructure were associated with BazarLoader C2s in 2021.
Vulnerabilities exploited
2 CVEs correlated with this family across public research and vendor advisories.
Update (2021-01-15): Microsoft Security Response has issued CVE-2021-43890 in reference to the vulnerability in the App installer process described below. The bug was fixed in the January 2022 Patch Tuesday release.
"Privileges have been escalated using Mimikatz, Rubeus4 [13], or by exploiting a Zerologon vulnerability (CVE-2020-1472) [26]."
Groups observed using it
4 distinct threat actors attributed by public researchers.
After a break in FIN12 activity from late March 2020 to late August 2020, FIN12 resumed operations shifting their reliance for initial access away from TRICKBOT to BAZARLOADER malware in September 2020.
When the BazarCall campaign first started, it was used to distribute the BazarLoader malware but has also begun distributing TrickBot, IcedID, Gozi IFSB, and other malware.
Comment: the attackers involved in the CHU de Brest incident would therefore have been active since at least 2019 and would have successively used the Ryuk, Conti, Hive, Nokoyawa and Play ransomware. They would also have made use of the BazarLoader malicious code between 2020 and 2021.
The ransomware gang usually gains access to a network through BazarLoader or TrickBot malware infections installed via phishing attacks...
Techniques & procedures
17 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
3 techniques
In instances where FIN12 leveraged UNC2053 for initial access, we observed BAZARLOADER payloads distributed via malicious email campaigns.
The TTPs used to distribute BEACON have significant overlaps with UNC2053 distribution campaigns observed between March 2020 and February 2021, including similar lure themes, phishing emails that contain links to malicious PDFs hosted on Google Documents, and the use of legitimate web services for payload hosting.
The malware marketplace hosted 121 listings across a range of criminal tools... Loaders / Droppers 6 AresLoader, BazarLoader.
Execution
3 techniques
When the Excel macros are enabled, the BazarCall malware will be downloaded and executed on the victim's computer.
“They contain links to Google Docs pages of document previews, prompting the victim to download the file… The files concerned are executables signed with revoked certificates…”
When the user enters their customer ID number, the website will automatically prompt the browser to download an Excel document (xls or xlsb). The call center agent will then help the victim open the file and clicking on the 'Enable Content' button to enable malicious macros.
Persistence
1 technique
“Bazar activity can be identified by searching the system startup folders and Userinit values under… Winlogon registry key: %APPDATA%\…\Startup\adobe.lnk” / (Ryuk table) “Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder… create a Registry entry…\Run to establish persistence.”
Privilege Escalation
1 technique
“Bazar activity can be identified by searching the system startup folders and Userinit values under… Winlogon registry key: %APPDATA%\…\Startup\adobe.lnk” / (Ryuk table) “Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder… create a Registry entry…\Run to establish persistence.”
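The two artifacts named in the quote above (a Startup-folder LNK and the Winlogon Userinit value) are cheap to check fleet-wide. The script below is an added example written for this page, not the original source's or any vendor's tooling. It assumes the elided Startup path in the quote is the standard per-user Startup folder, and the name heuristics in suspicious_startup_entries are my own, not a published indicator list. The analysis functions take plain strings and lists so they can be run on exported data from any OS; collect() reads live values on Windows only.

```python
"""Hunt for the Bazar persistence artifacts quoted above: a Startup-folder LNK
(the page cites adobe.lnk) and a tampered Winlogon Userinit value.

Added example, not code from the page or any vendor.
"""
import os
import sys
from typing import Dict, List

# Assumption: the page's quoted path "%APPDATA%\...\Startup\adobe.lnk" elides the
# standard per-user Startup folder, which is this path on a stock Windows install.
USER_STARTUP = r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"
COMMON_STARTUP = r"%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp"


def userinit_extras(value: str) -> List[str]:
    """Return every entry in a Userinit value other than the stock userinit.exe.

    Userinit is a comma-separated list and Winlogon runs each entry at logon, so an
    appended path is both a persistence hook and an execution hook for every user.
    The comparison is case-insensitive and tolerant of the %SystemRoot% spelling.
    """
    extras = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        normalized = entry.lower().replace("%systemroot%", r"c:\windows")
        if normalized.endswith(r"\system32\userinit.exe") or normalized == "userinit.exe":
            continue
        extras.append(entry)
    return extras


def suspicious_startup_entries(names: List[str]) -> List[str]:
    """Flag Startup-folder items worth a look: a .lnk whose name mimics a vendor
    product (the page cites adobe.lnk) or a bare executable/script dropped there.
    The vendor word list is my own heuristic (assumption), expect some benign hits."""
    vendor_words = ("adobe", "microsoft", "google", "java", "office")
    flagged = []
    for name in names:
        lower = name.lower()
        if lower == "desktop.ini":
            continue
        ext = os.path.splitext(lower)[1]
        if ext == ".lnk" and any(w in lower for w in vendor_words):
            flagged.append(name)
        elif ext in (".exe", ".dll", ".vbs", ".js", ".bat", ".ps1", ".hta"):
            flagged.append(name)
    return flagged


def collect() -> Dict[str, object]:
    """Gather live values on Windows; elsewhere return empty data so the analysis
    functions can still be used on registry/file exports."""
    if sys.platform != "win32":
        return {"userinit": None, "startup": []}
    import winreg  # Windows-only standard-library module
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon")
    userinit, _ = winreg.QueryValueEx(key, "Userinit")
    names = []
    for folder in (USER_STARTUP, COMMON_STARTUP):
        path = os.path.expandvars(folder)
        if os.path.isdir(path):
            names.extend(os.listdir(path))
    return {"userinit": userinit, "startup": names}


if __name__ == "__main__":
    live = collect()
    if live["userinit"] is not None:
        print("Userinit extras:", userinit_extras(live["userinit"]))
        print("Startup items to review:", suspicious_startup_entries(live["startup"]))
    else:
        # Constructed sample values for a dry run on a non-Windows host.
        print(userinit_extras(r"C:\Windows\system32\userinit.exe,C:\Users\u\AppData\Roaming\adobe\x.exe,"))
        print(suspicious_startup_entries(["desktop.ini", "adobe.lnk", "OneNote.lnk"]))
```

Run it under the logged-on user to read the per-user Startup folder; the Userinit value lives in HKLM and is readable without elevation. Feed userinit_extras the exported value from a reg query when triaging a host you cannot run code on.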
Stealth (ATT&CK: Defense Evasion)
2 techniques
the attacker simply added individual display properties for the program’s name (“Adobe PDF Component”), publisher (“Adobe Inc.”), and an Adobe Acrobat logo graphic stored in a subfolder.
SecurityFix executable ... downloaded a DLL ... into the %temp% directory and then runs it using regsvr32.exe.
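The regsvr32-from-%temp% pattern in the quote above is a good process-creation detection because regsvr32.exe rarely has a legitimate reason to register a DLL out of a user's temp directory. The following is an added example for this page, not the source's or any vendor's rule. The log lines are constructed in a simplified key=value style loosely modelled on Sysmon Event ID 1 fields so the block runs offline; the temp-directory patterns (including the AppData\Roaming entry) are my own assumptions about common drop locations. Map the field names to whatever your EDR or Sysmon pipeline emits.

```python
"""Flag regsvr32.exe registering a DLL from a temporary directory, the execution
pattern quoted above. Added example, not the page's or any vendor's detection.
"""
import re
import shlex
from typing import Dict, List, Optional

# Assumption: these are the drop locations worth alerting on; extend for your estate.
TEMP_DIR_PATTERNS = [
    re.compile(r"\\appdata\\local\\temp\\", re.I),
    re.compile(r"\\windows\\temp\\", re.I),
    re.compile(r"\\appdata\\roaming\\", re.I),
    re.compile(r"%temp%", re.I),
]


def parse_event(line: str) -> Dict[str, str]:
    """Parse the constructed 'Key=value|Key=value' line format into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def regsvr32_temp_load(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return triage context if this event is regsvr32.exe loading a file from a
    temp-style directory, else None. Switches (/s, /u, /i ...) are ignored; every
    other argument is treated as a candidate target path."""
    image = event.get("Image", "")
    if not image.lower().endswith("\\regsvr32.exe"):
        return None
    cmd = event.get("CommandLine", "")
    try:
        # posix=False keeps Windows backslashes literal and quoted paths together.
        args = shlex.split(cmd, posix=False)
    except ValueError:
        args = cmd.split()
    targets = [a.strip('"') for a in args[1:] if not a.startswith(("/", "-"))]
    for target in targets:
        if any(p.search(target) for p in TEMP_DIR_PATTERNS):
            return {
                "target": target,
                "parent": event.get("ParentImage", ""),
                "user": event.get("User", ""),
            }
    return None


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run the rule over raw log lines and collect the hits."""
    hits = []
    for line in lines:
        hit = regsvr32_temp_load(parse_event(line))
        if hit:
            hits.append(hit)
    return hits


# Constructed sample events: one matching the quoted chain, two benign.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\regsvr32.exe|CommandLine=regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\kb00.dll|ParentImage=C:\Users\alice\Downloads\SecurityFix.exe|User=CORP\alice",
    r'Image=C:\Windows\System32\regsvr32.exe|CommandLine=regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"|ParentImage=C:\Windows\System32\msiexec.exe|User=NT AUTHORITY\SYSTEM',
    r"Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c dir %temp%|ParentImage=C:\Windows\explorer.exe|User=CORP\alice",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"regsvr32 loaded {hit['target']} (parent {hit['parent']}, user {hit['user']})")
```

The parent image is carried into the hit on purpose: in the quoted chain the parent is the downloaded "SecurityFix" executable, and an unexpected parent is usually the fastest way to separate this from a software installer that happens to stage a DLL in temp.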
Defense Impairment (ATT&CK: Defense Evasion)
1 technique
FIN12 has frequently leveraged code-signed payloads in their operations.
Collection
1 technique
By covering as much ground as possible, attackers can harvest and leak data to their C2 (Command and Control Infrastructure) before deploying ransomware payloads on the network.
Command and Control
5 techniques
“BazarLoader downloads from the C2 server… a payload… BazarBackdoor… downloads post-exploitation frameworks, most frequently Cobalt Strike…”
Like many other malware, BazarBackdoor (and its related sibling BazarLoader) communicates over HTTPS
These loaders then downloaded a corresponding BAZARBACKDOOR payload that was used to subsequently deliver a FIN12 BEACON payload.
the malware uses “cookies” in the HTTPS GET or POST headers to transmit information to the server, and receives commands from the C2 in the form of one or more “Set-Cookie” response headers.
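The header-based channel described in the quote above only becomes visible once TLS is terminated at a proxy or decrypted from a captured session key, so the useful tooling is a parser that pulls the Cookie and Set-Cookie fields out of a captured exchange and shows how much of each message travels in those headers rather than in the body. The block below is an added example for this page, not the malware's protocol implementation or any vendor's parser. The request and response are constructed placeholders (opaque values, not real Bazar traffic), and the cookie_payload_ratio heuristic is my own, not a published detection.

```python
"""Extract the Cookie / Set-Cookie data channel from an HTTP exchange and measure
how much of each message rides in those headers. Added example, not the page's
code; sample messages are constructed placeholders.
"""
from typing import Dict, List, Tuple


def split_message(raw: bytes) -> Tuple[str, List[Tuple[str, str]], bytes]:
    """Split an HTTP/1.1 message into (start line, [(name, value), ...], body).
    Header names are lower-cased; repeated headers (Set-Cookie in particular)
    are kept in order rather than merged."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def request_cookies(raw: bytes) -> Dict[str, str]:
    """Cookie pairs the client sent (client -> server data in the quoted channel)."""
    _, headers, _ = split_message(raw)
    cookies = {}
    for name, value in headers:
        if name == "cookie":
            for pair in value.split(";"):
                key, _, val = pair.strip().partition("=")
                if key:
                    cookies[key] = val
    return cookies


def response_set_cookies(raw: bytes) -> List[Tuple[str, str]]:
    """(name, value) for every Set-Cookie header (server -> client commands in the
    quoted channel); attributes such as Path or Expires are dropped."""
    _, headers, _ = split_message(raw)
    out = []
    for name, value in headers:
        if name == "set-cookie":
            key, _, val = value.split(";", 1)[0].partition("=")
            out.append((key.strip(), val.strip()))
    return out


def cookie_payload_ratio(raw: bytes, direction: str) -> float:
    """Fraction of a message's payload bytes carried in cookie headers instead of
    the body. Close to 1.0 on both sides of an exchange means the real data is in
    the headers, which is the pattern quoted above. Heuristic, my own assumption."""
    _, headers, body = split_message(raw)
    field = "cookie" if direction == "request" else "set-cookie"
    cookie_bytes = sum(len(value) for name, value in headers if name == field)
    total = cookie_bytes + len(body)
    return cookie_bytes / total if total else 0.0


# Constructed placeholders: an exchange that carries data only in cookie headers,
# and a benign response for comparison. Values are opaque and mean nothing.
SAMPLE_REQUEST = (
    b"GET /api/v1/status HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Cookie: sid=3f9a1c0d; tok=Zm9vYmFyYmF6cXV4\r\n"
    b"\r\n"
)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx\r\n"
    b"Set-Cookie: c1=Y2hhbm5lbA; Path=/\r\n"
    b"Set-Cookie: c2=0001; Path=/\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
BENIGN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Set-Cookie: session=abc123; Path=/; HttpOnly\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n" + b"<html>" + b"x" * 200 + b"</html>"
)

if __name__ == "__main__":
    print("sent in Cookie:", request_cookies(SAMPLE_REQUEST))
    print("received in Set-Cookie:", response_set_cookies(SAMPLE_RESPONSE))
    print("request ratio:", cookie_payload_ratio(SAMPLE_REQUEST, "request"))
    print("response ratio:", cookie_payload_ratio(SAMPLE_RESPONSE, "response"))
    print("benign response ratio:", round(cookie_payload_ratio(BENIGN_RESPONSE, "response"), 2))
```

Two practical notes: keep Set-Cookie headers separate (many HTTP libraries fold repeated headers into one string, which hides the "one or more" commands the quote mentions), and run the ratio per session rather than per request, since a single login response with an empty body will also score 1.0.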
The gang seems to focus on high-profile corporate networks, which they compromise by targeting critical devices with BazarLoader or TrickBot malware to gain unauthorized remote access.
Exfiltration
1 technique
By covering as much ground as possible, attackers can harvest and leak data to their C2 (Command and Control Infrastructure) before deploying ransomware payloads on the network.
Recent activity
24 sources tracked across advisories, community write-ups, and news.
A named loader/dropper listed in the RAMP malware marketplace.
BazarLoader is a loader malware known for using application sideloading techniques, such as leveraging AppX packages staged in common user directories, to gain initial access and deploy additional payloads.
Malware loader referenced as part of the TrickBot/Conti ecosystem used by the group.
Referenced only in infrastructure context (shared X.509 certificate subject previously seen on BazarLoader C2s); no additional technical details provided in this content.