# BazarLoader Mocks Researchers in December 2020 Malspam Campaign **[gosecure.net/blog/2021/02/01/bazarloader-mocks-researchers-in-december-2020-malspam-campaign/](https://www.gosecure.net/blog/2021/02/01/bazarloader-mocks-researchers-in-december-2020-malspam-campaign/)** Lilly Chalupowski February 1, 2021 ## Preface Our Inbox Detection and Response (IDR) team has observed a new BazarLoader campaign targeting the information technology, aeronautic and financial industries. The IDR team has successfully blocked over 550 thousand BazarLoader malspam emails throughout this campaign alone. GoSecure researchers received a sample from the IDR team which was suspected of being BazarLoader, named Report _Preview15-10.exe, on 2020-10-06. Shortly after, GoSecure researchers received yet another BazarLoader sample on 2020-_ _10-08 named Document2-85.exe, which exhibited similar behavior._ ## Analysis The initial infection vector, which has been observed by our Inbox Detection and Response Team (IDR), is via malspam containing fake employment termination notices and anonymous surveys. The threat actor(s) primarily use Google Drive and Google Docs to distribute their malicious payloads. The employment termination malspam was observed on October 6, 2020 and the anonymous survey malspam was observed on October 8, 2020. This can be seen in Figure 1 and Figure 2. _Figure 1: BazarLoader Employment Termination Malspam_ _Figure 2: BazarLoader Fake Anonymous Survey_ We will firstly analyze the employment termination malspam. Once the user clicks the link, they will be redirected to hxxps://docs[.]google[.]com/document/d/e/2PACX1vR_9tGGWDcS1ZyIuiGpMQg2Sv9nRWempyUKuQ1iyJp_HHt1C87OPirnO7EImnOW6ILbrmHXUpl_OIxQ/pub to download an executable ----- The executable Review_Report15 10.exe (3c27fca6d9cf1379eee93e6fea339e61) will appear as a PDF document to users who do not have extensions enabled in Windows, as seen in Figure 3. _Figure 3: Stage 1 PDF Icon Lure_ To help obfuscate its purpose, BazarLoader appears to be bound or obfuscated with legitimate resources from YUVPlayer _(A Lightweight YUV player which supports various YUV formats). An example of this can be seen in Figure 4._ _Figure 4: YUVPlayer Dialog Embedded Resource_ Once executed, the legitimate application or dialogs will not be shown to the user. Instead, it will call ``` advapi32.CryptHashData using the string s_)q03vcOm95^+Rj3dG_Jx@k0GGwYOIddH_14025b520 as the data to create ``` a hash using the `PROV_RSA_FULL Windows cryptographic provider. Once the hash is created, it will create a key using` ``` advapi32.CryptDeriveKey . It will then obtain a handle to the current process for the purpose of allocating memory with PAGE_EXECUTE_READWRITE permissions. The next function is responsible for copying the shellcode from the .data ``` section to the newly allocated memory location. Once the encrypted shellcode has been copied to executable memory, it will then use `advapi32.CryptEncrypt to decrypt the shellcode. Once the shellcode has been successfully decrypted, it` will execute the shellcode. ----- _Figure 5: BazarLoader Shellcode Decryption Routine_ _Figure 6: Executing Stage 1 Decrypted Shellcode_ The shellcode will obtain a handle to `kernel32.LoadLibraryA,` `kernel32.GetProcAddress,` ``` kernel32.VirtualAlloc, kernel32.VirtualProtect and ntdll.ZwFlushInstructionCache, by enumerating the ``` Process Environment Block (PEB) using the instruction `mov rax,qword ptr gs: [60] . This is common with shellcode` as it will need to resolve these APIs dynamically to interact with the Windows operating system. Once completed, it will then call `kernel32.VirtualALloc to prepare injecting a PE executable for the next stage. To` build the PE header, it will use the routine shown in Figure 7. _Figure 7: Prepare Stage 2 PE_ Once PE header has been partially copied (excluding MZ magic value), it will start to copy the `.text section using the` routine shown in Figure 8. ----- _Figure 8: Copy .text Section_ Once the `.text section is copied, it will start resolving many different Windows APIs using` `kernel32.GetProcAddress .` When the additional APIs have been resolved, it will then make the `.text section it copied earlier executable using` ``` kernel32.VirtualProtect, as seen in Figure 9. ``` _Figure 9: Make .text Section Executable_ **NOTE:** _On different debugging sessions the virtual addressing changed during analysis._ ----- Interestingly, the Portable Executable (PE) BazarLoader is copied into memory (without the MZ header) and will start execution at the end of the `.text section using a direct` `call . This can make unpacking the next` stage confusing for reverse engineers as this is not where code in a PE file is supposed to begin. This code at the end of the `.text section is solely responsible for making a call to the real Original Entrypoint (OEP) of the PE. It is important to` note that this is simply used as shellcode and not as a PE in memory. The other benefit of this technique is no calls to thread related APIs are required, making it more challenging for Endpoint Detection and Response (EDR) solutions to detect. This can be seen in Figure 10. _Figure 10: OEP Shellcode/PE Trickery_ After the previous trickery in the new memory space, it will start creating another PE in memory, but this time the header does start with the MZ magic value. After building the headers, it will copy each PE section one at a time, as seen in Figure _11._ _Figure 11: Building .text Section for Stage 2_ Once the PE has been extracted to memory, it will make a direct call instead of using Threading APIs (same trickery as before). This can be seen in Figure 12. _Figure 12: Calling Stage 2 Shellcode_ BazarLoader’s stage 2 shellcode will make use of encrypted stack strings for many purposes throughout the rest of its code. Before it continues with its malicious activity, it will check if the locale is Armenian (0x2b). Interestingly, instead of shutting down gracefully when the Armenian locale is detected, it will execute a `jmp instruction to an invalid address, causing an` access violation exception. We have seen Russian crimeware checking for the Armenian keyboard layout previously in malware such as KPot, we hypothesize this could be similar behavior. ----- To avoid running more than one instance of itself, BazarLoader will create a mutex with a hard coded UUID, then use ``` kernel32.GetLastError to check for the error ERROR_ALREADY_EXISTS . If the mutex already exists, it will exit the ``` process. The call to `kernel32.CreateMutexA can be seen in Figure 13.` _Figure 13: Mutex Creation_ Interestingly, BazarLoader will check for mutexes twice. Once completed, it will decyrpt its C2 configuration, as seen in Figure 14. _Figure 14: BazarLoader Stage 2 Decrypted Downloader Config_ Once BazarLoader has determined the Armenian language is not being used and another instance of itself is not running, it will make a HTTP HEAD request to hxxps://titlecs[.]com. It will continue to do this until it receives a `200 response from the` C2 server. The first request will be sent using `wininet.HttpSendRequestA, as seen in Figure 15.` _Figure 15: HTTP HEAD Request_ It is important to note that the HTTP header `Update is not a standard header and can be considered anomalous.` This HEAD request can be seen in Figure 16. ----- _Figure 16: BazarLoader C2 Download Domain HEAD Request_ The C2 server will respond with a `200 OK message.` BazarLoader will also check if it is connected to the internet by making a request to microsoft[.]com, as seen in Figure 17. _Figure 17: BazarLoader Internet Connectivity Check_ Once completed, it will make a POST request to the second domain in its configuration, as seen in Figure 18. _Figure 18: BazarLoader C2 Checkin_ Once completed, it will make a HTTP GET request in order to obtain the next stage, as seen in Figure 19. ----- _Figure 19: BazarLoader Downloading Encrypted Payload_ ## Differences Between Versions There are a few notable differences between the first version of BazarLoader sent on 2020-10-06 (Employment Termination Malspam) and the one sent on 2020-10-08 (Survey Malspam). The main difference between the two versions is the malware author(s) now include the string Stupid Defender to mock researchers, the shellcode that was stored in the ``` .data section is now stored in the .rsc section, the functionality to get a pointer to the encrypted shellcode and to ``` decrypt it have been broken out into their own separate functions. This can be seen in Figures 20 and 21. ----- _Figure 20: Updated Main Shellcode Decryption/Execution Routine_ _Figure 21: Obtain Encrypted Pointer to Encrypted Shellcode from the Resource Section_ _Figure 22: Encrypted Shellcode in Resource Section_ ## Summary BazarLoader is becoming increasingly popular amongst threat actors. We suspect the reason behind the malware developer(s) success is their use of techniques such as avoiding the use of threading APIs and faking PE injection, when in reality, it is simply shellcode injection. These techniques are likely used to confuse Endpoint Detection and Response (EDR) solutions. ## Indicators of Compromise ----- **Indicator** **Description** hxxps://titlecs[.]com/issues/284 BazarLoader Encrypted Payload URL hxxps://titlecs[.]com/issues/282 BazarLoader Encrypted Payload URL hxxp://ds46x1[.]com/1/run BazarLoader Encrypted Payload URL labelcs[.]com BazarLoader C2 Domain (Employment Termination Malspam) mixcinc[.]com BazarLoader C2 Domain (Employment Termination Malspam) nicknamec[.]com BazarLoader C2 Domain (Employment Termination Malspam) 3c27fca6d9cf1379eee93e6fea339e61 BazarLoader Shellcode Injector (Preview1510.exe) 3ee60e0efeb5b349a5ba7325ce4a33dc BazarLoader Shellcode Injector (Document285.exe) hxxps://docs[.]google[.]com/document/d/e/2PACX 1vR_9tGGWDcS1ZyIuiGpMQg2Sv9nRWempyUKuQ1iyJp_HHt1C87OPirnO7EImnOW6ILbrmHXUpl_OIxQ/p hxxps://docs[.]google[.]com/document/d/e/2PACX 1vQ7wK9C0fLCwS3voYLhGz3Gmy6g4UMKe_xZ1ds8xv7LonpviJBXefG9rBZuMPkmtytDYe_5rbDztBnK/pub Employment Termination Malspam Payload URL Survey Malspam Payload URL ds45x1[.]com BazarLoader C2 Domain (Survey Malspam) ds46x1[.]com BazarLoader C2 Domain (Survey Malspam) ds47x1[.]com BazarLoader C2 Domain (Survey Malspam) ----- marcene[.]jack[at]peytoneley[.]com BazarLoader Malspam Email shannon[.]ong35[at]myhunter[.]cuny[.]edu BazarLoader Malspam BazarLoader Malspam Email bessie[.]wilson[at]griply[.]com BazarLoader Malspam Email ## Researchers Lilly Chalupowski Paul Neuman -----