{
	"id": "a35718a7-fb09-4002-b679-205e8fc7b7f6",
	"created_at": "2026-04-06T00:14:22.042944Z",
	"updated_at": "2026-04-10T03:36:11.143276Z",
	"deleted_at": null,
	"sha1_hash": "3be23309da96de680c0ff2b08857f274158c0b82",
	"title": "TrickBot gang template-based metaprogramming Bazar malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4991706,
	"plain_text": "TrickBot gang template-based metaprogramming Bazar malware\r\nBy Kevin Henson\r\nPublished: 2022-02-02 · Archived: 2026-04-05 17:36:18 UTC\r\nKevin Henson, Malware Reverse Engineer, IBM\r\nMalware authors use various techniques to obfuscate their code and protect it against reverse engineering. Control flow obfuscation with Obfuscator-LLVM and encryption of strings and other embedded data are often observed in malware samples.\r\nThis post describes a less frequently discussed technique, metaprogramming, or more specifically template-based metaprogramming, with a particular focus on its implementation in the Bazar family of malware (BazarBackdoor/BazarLoader). Bazar is best known for its ties to the cybercrime gang that develops and uses the TrickBot Trojan, a major cybercrime syndicate that is highly active in the online crime arena.\r\nA few words about metaprogramming\r\nMetaprogramming is a technique in which a program treats code as data and analyzes or generates other code, at compile time or at run time. Developers typically use it to make their code more efficient, modular and maintainable. Template-based metaprogramming, the C++ form discussed here, uses templates as models for code that the compiler generates and, with constexpr, can also evaluate while compiling; the templates can be written to handle multiple data types.\r\nFor example, the basic function template shown below can be used to define multiple functions that return the maximum of two values, such as two numbers or two strings. The type is generalized in the template parameter \u003ctypename T\u003e, so the types of a and b are deduced from each call to the function. One of the \"magical\" attributes of templates is that no max() function exists until the template is instantiated by a call and compiled.
For the example below, three functions are created at compile time, one for each distinct argument type (int, double and const char*).\r\n// Sample function template\r\ntemplate\u003ctypename T\u003e\r\nT max(T a, T b)\r\n{\r\n // if b \u003c a then yield a else yield b\r\n return b \u003c a ? a : b;\r\n}\r\n\r\n// Calls to max()\r\nmax(10, 5);\r\nmax(5.5, 8.9);\r\nmax(\"reverse\", \"engineering\");\r\nhttps://securityintelligence.com/posts/trickbot-gang-template-based-metaprogramming-bazar-malware/\r\nPage 1 of 8\r\nOne caveat on the third call: with two string literals, T is deduced as const char*, so that instantiation compares the two pointers rather than the text (std::string arguments would compare contents). It still illustrates the point, which is instantiation, not the comparison. Templates can be quite complex; however, this high-level understanding will suffice to grasp how the concept is used to a malware author's advantage.\r\nMalware development\r\nMalware authors take advantage of metaprogramming both to obfuscate important data and to ensure that certain elements, such as code patterns and encryption keys, are generated uniquely with each compilation. This hinders analysis and makes developing signatures for static detection more difficult, because the encryption code changes with each compiled sample.\r\nThe key components of metaprogramming used for this type of obfuscation are templates and another C++ feature, constexpr functions. In simple terms, a constexpr function can be evaluated by the compiler when its arguments are compile-time constants, so its return value is computed at compile time and only the result is embedded in the binary. For string obfuscation this means the encryption happens inside the compiler: the binary carries the encrypted bytes and a short decryption routine, and the plaintext never appears in the file.\r\nTo illustrate how this works, the following sections compare samples compiled from the open-source library ADVobfuscator to Bazar samples found in the wild.
The adoption of more advanced programming techniques within the Bazar malware family is especially relevant since the operators of Bazar are highly active in attacks against organizations across the globe.\r\nADVobfuscator\r\nTo get a better understanding of how template programming is utilized for string obfuscation, let's take a look at two header files from ADVobfuscator, which its author describes as an \"Obfuscation library based on C++11/14 and metaprogramming.\" The MetaRandom.h and MetaString.h header files from the library are discussed below.\r\nMetaRandom.h\r\nThe MetaRandom.h header file generates a pseudo-random number at compile time. Its template classes use the constexpr keyword, which declares that the value of a function or variable can be evaluated at compile time. In the excerpt below, constexpr is used to turn the compilation time (the __TIME__ macro, which expands to a string of the form hh:mm:ss) into an integer seed, the number of seconds since midnight, from which the library's compile-time generator derives keys. Note that __TIME__ expands to the same value everywhere in a translation unit, so this seed alone would give every string in the file the same key; the per-string variation comes from the __COUNTER__ macro, discussed with MetaString.h below.\r\nnamespace\r\n{\r\n // I use current (compile time) as a seed\r\n constexpr char time[] = __TIME__; // __TIME__ has the following format: hh:mm:ss in 24-hour time\r\n\r\n // Convert time string (hh:mm:ss) into a number\r\n constexpr int DigitToInt(char c) { return c - '0'; }\r\n const int seed = DigitToInt(time[7]) +\r\n DigitToInt(time[6]) * 10 +\r\n DigitToInt(time[4]) * 60 +\r\n DigitToInt(time[3]) * 600 +\r\n DigitToInt(time[1]) * 3600 +\r\n DigitToInt(time[0]) * 36000;\r\n}\r\nFigure 1: Code Block 1 MetaRandom.h\r\nMetaString.h\r\nThe MetaString.h header file consists of versions of a template class named MetaString that represents an encrypted string. Through template programming, MetaString can encrypt each string with a new algorithm and key during compilation of the code.
As a result, a sample could be produced with one of the following string obfuscation methods, selected per string:\r\nEach character in the string is XOR encrypted with the same key.\r\nEach character in the string is XOR encrypted with an incrementing key.\r\nThe key is added to each character of the string. As a result, decryption requires subtracting the key from each character.\r\nHere is a sample MetaString implementation from ADVobfuscator.\r\nThis forward declaration introduces MetaString with an algorithm number (N), a key value and a list of indexes. The algorithm number selects which of the three obfuscation methods is used and is determined at compile time.\r\ntemplate\u003cint N, char Key, typename Indexes\u003e\r\nstruct MetaString;\r\nFigure 2: Code Block 2 MetaString.h\r\nThis is the specialization of MetaString for algorithm number 0. K is the pseudo-random key and I (Indexes) is the parameter pack of character indexes into the string, one per character. When the algorithm number generated at compile time is 0, this specialization obfuscates the string; if it is 1, the corresponding specialization is used instead. ADVobfuscator feeds the C++ macro __COUNTER__, which expands to a different integer each time it is used, into its compile-time random generator, so every obfuscated string receives its own algorithm number and key.\r\ntemplate\u003cchar K, int... I\u003e\r\nstruct MetaString\u003c0, K, Indexes\u003cI...\u003e\u003e\r\n{\r\n // Constructor. Evaluated at compile time.\r\n constexpr ALWAYS_INLINE MetaString(const char* str)\r\n : key_{ K }, buffer_{ encrypt(str[I], K)... } { }\r\n\r\n // Runtime decryption. 
Most of the time, inlined\r\n inline const char* decrypt()\r\n {\r\n for (size_t i = 0; i \u003c sizeof...(I); ++i)\r\n buffer_[i] = decrypt(buffer_[i]);\r\n buffer_[sizeof...(I)] = 0;\r\n LOG(\"--- Implementation #\" \u003c\u003c 0 \u003c\u003c \" with key 0x\" \u003c\u003c hex(key_));\r\n return const_cast\u003cconst char*\u003e(buffer_);\r\n }\r\n\r\n private:\r\n // Encrypt / decrypt a character of the original string with the key\r\n constexpr char key() const { return key_; }\r\n constexpr char ALWAYS_INLINE encrypt(char c, int k) const { return c ^ k; }\r\n constexpr char decrypt(char c) const { return encrypt(c, key()); }\r\n\r\n volatile int key_; // key. \"volatile\" is important to avoid uncontrolled over-optimization by the compiler\r\n volatile char buffer_[sizeof...(I) + 1]; // Buffer to store the encrypted string + terminating null character\r\n};\r\n// ALWAYS_INLINE, LOG, hex and Indexes come from other ADVobfuscator headers not shown here.\r\nFigure 3: Code Block 3 MetaString.h\r\nADVobfuscator samples\r\nInteresting code patterns are observed when samples are built using ADVobfuscator. For example, after compiling the Visual Studio project found in the public GitHub repo, the resulting code shows the bytes of the encrypted string being moved to the stack, followed by a decryption loop.\r\nThese snippets illustrate the dynamic nature of the library. Each string is obfuscated using one of the three obfuscation methods previously described. Not only do the methods differ between strings, the opcodes (the values shown in blue in the disassembly figures, which are commonly used in developing YARA rules) can vary as well for the same obfuscation method, because the encrypted bytes and the key differ from build to build. This makes developing signatures, parsers and decoders more difficult for analysts.
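The three ADVobfuscator schemes above, and the reason a signature written against one build breaks on the next, are easiest to see with the operations written out. The following Python is an added example and is not code from the article, from IBM X-Force or from ADVobfuscator. It models the three single-byte schemes as the article describes them (the exact key-plus-index form of the incrementing scheme is an assumption), adds a repeating four-byte XOR variant as a stand-in for the four-byte-key loop the Bazar section that follows describes (how Bazar actually applies its key is an assumption, not taken from the article), and shows the two recovery paths an analyst uses once the encrypted bytes have been copied out of the stack moves: decrypt with the scheme and key read from the loop, or, with only the buffer in hand, try every single-byte key and scheme and keep the printable results. All strings and keys in it are constructed.\r\n
```python
# Added example, not code from the article, IBM X-Force, Bazar or ADVobfuscator.
# It models the three single-byte string schemes the article lists for
# ADVobfuscator, adds a repeating four-byte XOR variant as a stand-in for the
# four-byte-key loop the article describes in Bazar (the exact way Bazar
# applies that key is an assumption here), and gives an analyst two ways to
# recover a string once its encrypted bytes have been lifted from the stack
# moves that precede the decryption loop. All strings and keys are constructed.

PRINTABLE = set(range(0x20, 0x7F))  # space through tilde


def xor_fixed(buf, key):
    # Implementation 0: every byte XORed with the same key; self-inverse.
    return bytes(b ^ key for b in buf)


def xor_incrementing(buf, key):
    # Implementation 1: byte i XORed with (key + i), truncated to a byte.
    # The key + i form is assumed from the description; self-inverse.
    return bytes(b ^ ((key + i) & 0xFF) for i, b in enumerate(buf))


def add_key(buf, key):
    # Implementation 2, encrypt side: key added to each byte modulo 256.
    return bytes((b + key) & 0xFF for b in buf)


def sub_key(buf, key):
    # Implementation 2, decrypt side: key subtracted from each byte.
    return bytes((b - key) & 0xFF for b in buf)


def xor_dword(buf, key4):
    # Assumed Bazar-style variant: a four-byte key reused every four bytes,
    # the natural shape for a loop that XORs with a 32-bit register.
    if len(key4) != 4:
        raise ValueError('key4 must be exactly four bytes')
    return bytes(b ^ key4[i % 4] for i, b in enumerate(buf))


ENCRYPT = {0: xor_fixed, 1: xor_incrementing, 2: add_key}
DECRYPT = {0: xor_fixed, 1: xor_incrementing, 2: sub_key}


def obfuscate(text, scheme, key):
    # What the compiler bakes into the binary for one string: the bytes
    # later moved onto the stack, with no plaintext left in the image.
    return ENCRYPT[scheme](text.encode('ascii'), key)


def recover_known(buf, scheme, key):
    # Case 1: the analyst has read scheme and key from the decryption loop
    # (scheme 0..2 with an int key, or 'dword' with a four-byte key).
    if scheme == 'dword':
        return xor_dword(buf, key).decode('latin-1')
    return DECRYPT[scheme](buf, key).decode('latin-1')


def looks_like_text(cand):
    return len(cand) > 0 and all(b in PRINTABLE for b in cand)


def recover_unknown(buf):
    # Case 2: only the buffer is in hand (e.g. from a YARA hit on the stack
    # moves). Try every (scheme, single-byte key) pair and keep the results
    # that are entirely printable ASCII; the list is short enough to eyeball.
    # Expect twins for all-letter strings: for the XOR schemes, key ^ 0x20
    # yields the same text with the letter case flipped.
    hits = []
    for scheme, dec in DECRYPT.items():
        for key in range(256):
            cand = dec(buf, key)
            if looks_like_text(cand):
                hits.append((scheme, key, cand.decode('ascii')))
    return hits


if __name__ == '__main__':
    blob = obfuscate('CreateFileW', 0, 0x5A)
    print(blob.hex(), recover_known(blob, 0, 0x5A))
    for hit in recover_unknown(blob):
        print(hit)
```
Run as a script it prints the encrypted bytes of one constructed string and the brute-force candidate list for that buffer. The list also contains the case-flipped twin of the real string whenever the input is all letters, which is why reading the key out of the decryption loop is the analyst's first choice and the brute-force pass is the fallback.\r\n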
Notably, the same patterns are observed in BazarLoader and BazarBackdoor samples.\r\nXOR encryption with the same key\r\nXOR encryption with an incrementing key\r\nFigure 4: Compiled ADVobfuscator Exemplar Samples (disassembly images, not reproduced in this text)\r\nBazarBackdoor/BazarLoader\r\nBazarLoader and BazarBackdoor are malware families attributed to the TrickBot threat group, a.k.a. ITG23. Both are written in C++ and compiled for 64-bit and 32-bit Windows. BazarLoader is known to download and execute BazarBackdoor, and both use .bazar domains, a top-level domain served by Emercoin's blockchain-based DNS rather than by the public DNS, when communicating with their C2 servers.\r\nOther attributes of the loader and backdoor include extensive use of API function hashing and string obfuscation in which each string is encrypted with a different key. The string obfuscation methodology implemented in these files is interesting when compared with the ADVobfuscator samples previously described.\r\nBazar string obfuscation\r\nThe string obfuscation implemented in variants of BazarLoader and BazarBackdoor is similar to what is implemented in ADVobfuscator. For example, the BazarBackdoor sample with SHA-256 hash 189cbe03c6ce7bdb691f915a0ddd05e11adda0d8d83703c037276726f32dff56, detailed in Figure 5, contains a modified version of the string obfuscation techniques found in ADVobfuscator.
In Figure 5, the encrypted string is moved to the stack four bytes at a time and the key used in the decryption loop is four bytes, instead of the single-byte char key of the ADVobfuscator MetaString template.\r\nFigure 5: XOR String Decryption 1\r\nFigure 6: XOR String Decryption 2\r\nTrickBot and Bazar: ongoing code evolution\r\nBased on the similarities discovered through the analysis performed by X-Force, it is evident that the authors of the BazarLoader and BazarBackdoor malware utilize template-based metaprogramming. While the resulting string obfuscation can be broken, the malware author's intent is to hinder reverse engineering and evade signature-based detection, since a byte pattern captured from one build will not match the next. Metaprogramming is just one tool in the threat actors' toolbox. Understanding how these techniques work helps reverse engineers create tools that increase the efficiency of analysis and keep pace with the constant threat malware poses.\r\nSource: https://securityintelligence.com/posts/trickbot-gang-template-based-metaprogramming-bazar-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://securityintelligence.com/posts/trickbot-gang-template-based-metaprogramming-bazar-malware/"
	],
	"report_names": [
		"trickbot-gang-template-based-metaprogramming-bazar-malware"
	],
	"threat_actors": [
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23",
				"Periwinkle Tempest",
				"Wizard Spider"
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434462,
	"ts_updated_at": 1775792171,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3be23309da96de680c0ff2b08857f274158c0b82.pdf",
		"text": "https://archive.orkl.eu/3be23309da96de680c0ff2b08857f274158c0b82.txt",
		"img": "https://archive.orkl.eu/3be23309da96de680c0ff2b08857f274158c0b82.jpg"
	}
}