{
	"id": "1bda6eb6-dc85-41b5-b805-85e8edf8954e",
	"created_at": "2026-04-06T00:15:04.465685Z",
	"updated_at": "2026-04-10T13:12:26.79391Z",
	"deleted_at": null,
	"sha1_hash": "e71e9fb7538731d36824ca10b50114eccd3c1289",
	"title": "The Defective Domain Generation Algorithm of BazarLoader",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 64882,
	"plain_text": "The Defective Domain Generation Algorithm of BazarLoader\r\nArchived: 2026-04-05 14:10:58 UTC\r\nEdit 2020-07-19: Cybereason published an excellent article, A Bazar of Tricks: Following Team9’s Development Cycles. The article shows that the DGA is part of Bazar Loader, which will try to download Bazar Backdoor. I therefore renamed most instances of BazarBackdoor to BazarLoader.\r\nWhen I analyzed the domain generation algorithm of BazarLoader, I noticed a sample that generates bizarre “domains”:\r\n^efggkzjhggm.bazaar\r\n]`egkjzeggkl.bazaar\r\n_`eigkzegigm.bazaar\r\n^`ggilzeigin.bazaar\r\nbceeijbhgeil.bazaar\r\n_acgkjzfegkl.bazaar\r\na`gggkaeiggm.bazaar\r\n`cehimzhghio.bazaar\r\n``ceikzeeeim.bazaar\r\n`edgjlzjfgjn.bazaar\r\n_ccghjzheghl.bazaar\r\na`eijjaegijl.bazaar\r\n^aegjkzfggjm.bazaar\r\na`geikaeieim.bazaar\r\n_dghhkziihhm.bazaar\r\nTwo things are obviously wrong:\r\n1. There is no top-level domain .bazaar. There is a Persian TLD .بازار, which translates to bazaar, but that won’t work, of course.\r\n2. Some second-level domains contain special characters, which makes them invalid too.\r\nThe first error is easy to explain: the authors meant to use .bazar, which is a valid EmerDNS domain. The second mistake is more interesting. The authors must have noticed the occasional special characters too. But they probably couldn’t find the root cause and instead programmed a workaround that fixes some, but not all, of the characters.\r\nHere is the sample with the broken DGA that I looked at:\r\nMD5: 18d635a8ca7caefb4f4513650a31efc9\r\nSHA1: d555233122a277fb89797ab2293efbe2a0c75f7f\r\nhttps://johannesbader.ch/blog/the-buggy-dga-of-bazarbackdoor/\r\nPage 1 of 5\r\nSHA256: 2e99ed535a9f73bafab151ec409de04c953a0187cb8e4063317617befa09068d\r\nSize: 377 KB (386224 Bytes)\r\nCompile Timestamp: 2020-06-17 09:20:56 UTC\r\nLinks: VirusTotal\r\nFilenames: DD45.exe, Preview_Report.exe (VirusTotal)\r\nDetections: VirusTotal 41/76 as of 2020-07-09 13:47:45 - Trojan.Trickster.Gen (ALYac), Trojan.Win32.Mansabo.4!c (AegisLab), Trojan:Win32/Mansabo.e7acfbbd (Alibaba), Trojan/Win32.Mansabo (Antiy-AVL), Trojan.Mansabo (CAT-QuickHeal), Trojan.Win32.Mansabo.fef (Kaspersky), Trojan:Win32/Trickbot.A!Cert (Microsoft), TrojanSpy.Win64.TRICKBOT.ENJ (TrendMicro), TrojanSpy.Win64.TRICKBOT.ENJ (TrendMicro-HouseCall), Trojan.Mansabo (VBA32), Trojan.Win32.Mansabo.fef (ZoneAlarm)\r\nThe domain generation algorithm in this faulty version is the same as the one documented here. The only place that is different is shown in the following screenshot comparison. The faulty DGA is on the left, the fixed one on the right. Can you spot the problem?\r\nThe divisions by invariant multiplication are hard to read, but notice that the right side is much shorter even though the calculation is basically the same. This is because compiler optimization was able to strip some minor corrections that are only necessary for large numbers. Here is the decompiled code after some renaming and cleaning up:\r\nj_1 = 0;\r\ni_1 = 0;\r\ndo\r\n{\r\n    r = 0;\r\n    [...]\r\n    bcrypt_BCryptGenRandom(0i64, &r, 4i64);\r\n    offset_letter = i_1 + 'a';\r\n    i_1 += 2;\r\n    character = r % 25 / (j_1 + 6) + offset_letter;\r\n    r = r % 25 / (j_1 + 6);\r\n    j_2 = j_1++;\r\n    *(szDomain + 2 * j_2) = character;\r\n} while ( i_1 < 12u );\r\nThis is the same code as for the fixed DGA, except for how the random numbers are generated:\r\n1. The faulty DGA generates 4 random bytes using a call to BCryptGenRandom.\r\n2. The fixed DGA generates a random value with a call to GetTickCount and extracts the lowest 15 bits.\r\nThe problem with the first approach is that the number will be 0x80000000 or larger in 50% of the cases. Since it is treated as a signed number, it becomes negative, and the remainder of a negative number for a positive divisor is negative (C truncates toward zero). The fixed version doesn’t have this problem, because a 15-bit value is always positive, so the integer overflow does not happen. When extending the random number ranges to the negative, we get these character sets:\r\nindex  random number range  potential characters\r\n0      -4 to 4              ]^_`abcde\r\n1      -3 to 3              `abcdef\r\n2      -3 to 3              bcdefgh\r\n3      -2 to 2              efghi\r\n4      -2 to 2              ghijk\r\n5      -2 to 2              ijklm\r\nThe malware authors used the following patch instead of fixing the integer overflow.\r\nl = 6i64;\r\ndo {\r\n    c = *(&szSeedStr[-6] + wDomain - a2) + *(wDomain - 6) - '0';\r\n    *wDomain = c;\r\n    if ( c < 'a' )\r\n        *wDomain = 'z';\r\n    ++wDomain;\r\n    --l;\r\n} while ( l );\r\nThe patch is an if condition that replaces characters below “a” — that includes all special characters generated by the faulty DGA — with “z”. This resolves the problem for the last half of the second-level domain (in particular the 7th and 8th letters; the rest are not affected by the bug). However, the first half of the second-level domain remains unmodified.\r\nThe following Python reimplementation generates all possible domains for a given date. Note that due to the extended random ranges, there are about 55000 domains per month instead of 2160 for the fixed version. So even if the correct TLD had been used, the number of domains would have been a problem for the attackers — as they have no way of predicting which ones are used in what order.\r\nimport argparse\r\nfrom datetime import datetime\r\nfrom itertools import product\r\n\r\n\r\ndef dga(date):\r\n    month = date.month\r\n    year = date.year\r\n    date_str = \"{0:02d}{1:04d}\".format(12-month, year-18)\r\n    valid_chars = [\r\n        \"]^_`abcde\",\r\n        \"`abcdef\",\r\n        \"bcdefgh\",\r\n        \"efghi\",\r\n        \"ghijk\",\r\n        \"ijklm\"\r\n    ]\r\n    valid_chars = [list(_) for _ in valid_chars]\r\n    for part1 in product(*valid_chars):\r\n        domain = \"\".join(part1)\r\n        for i, c in enumerate(part1):\r\n            r = ord(c) + int(date_str[i])\r\n            if r < ord('a'):\r\n                domain += 'z'\r\n            else:\r\n                domain += chr(r)\r\n        domain += \".bazaar\"\r\n        yield domain\r\n\r\n\r\nif __name__ == \"__main__\":\r\n    parser = argparse.ArgumentParser()\r\n    parser.add_argument(\"-d\", \"--date\", help=\"date when domains are generated, e.g., 2020-06-28\")\r\n    args = parser.parse_args()\r\n    if args.date:\r\n        d = datetime.strptime(args.date, \"%Y-%m-%d\")\r\n    else:\r\n        d = datetime.now()\r\n    for domain in dga(d):\r\n        print(domain)\r\nSource: https://johannesbader.ch/blog/the-buggy-dga-of-bazarbackdoor/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://johannesbader.ch/blog/the-buggy-dga-of-bazarbackdoor/"
	],
	"report_names": [
		"the-buggy-dga-of-bazarbackdoor"
	],
	"threat_actors": [
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434504,
	"ts_updated_at": 1775826746,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e71e9fb7538731d36824ca10b50114eccd3c1289.pdf",
		"text": "https://archive.orkl.eu/e71e9fb7538731d36824ca10b50114eccd3c1289.txt",
		"img": "https://archive.orkl.eu/e71e9fb7538731d36824ca10b50114eccd3c1289.jpg"
	}
}