{
	"id": "df331564-a0c7-4f05-8785-35a06f233b0c",
	"created_at": "2026-04-06T00:07:49.32048Z",
	"updated_at": "2026-04-10T03:21:32.483712Z",
	"deleted_at": null,
	"sha1_hash": "eb2f5afce070eaf8f8804f8b49817464ed60e307",
	"title": "A Bazar of Tricks: Following Team9’s Development Cycles",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3297234,
	"plain_text": "A Bazar of Tricks: Following Team9’s Development Cycles\r\nBy Cybereason Nocturnus\r\nArchived: 2026-04-05 15:32:25 UTC\r\nResearch by: Daniel Frank, Mary Zhao and Assaf Dahan\r\nKey Findings\r\nA New Malware Family: The Cybereason Nocturnus team is tracking a new Bazar loader and backdoor\r\nthat first emerged in April 2020 and has evolved continuously since. Bazar can be used to deploy additional\r\nmalware, ransomware, and ultimately steal sensitive data from organizations.\r\nTargeting the US and Europe: Bazar malware infections are specifically targeting  professional services,\r\nhealthcare, manufacturing, IT, logistics and travel companies across the US and Europe. \r\nWith Loader and Backdoor Capabilities: Bazar leverages the Twilio SendGrid email platform and\r\nsigned loader files to evade traditional security software in conjunction with a fileless backdoor to establish\r\npersistence. \r\nUnder Constant Development: Over the course of this investigation, it is evident that Bazar is under\r\nactive development. More recently, the active campaigns have disappeared, but later reappeared with a new\r\nversion, which indicates the group is under a development cycle.  \r\nEvasive, Obfuscated Fileless Malware: This stealthy loader evades detection by abusing the trust of\r\ncertificate authorities, much like previous Trickbot loaders. This loader, however, uses EmerDNS (.bazar)\r\ndomains for command and control and is heavily obfuscated. It also uses anti-analysis techniques to thwart\r\nautomated and manual analysis, and loads the encrypted backdoor solely in memory.\r\nA Comeback After Two Months: After a two month hiatus, a new variant emerged in mid-June that\r\nimproved on its stealth capabilities. This is similar to the modus operandi of other cybercriminal\r\norganizations in general and Trickbot in particular.\r\nTrickbot Ties: The loader exhibits behaviors that tie it to previous Trickbot campaigns. 
Though several\r\nchanges exist between the Anchor and Bazar malware, including differences in clientID generation, they\r\nshare the same top-level Bazar domain C2. Unlike Trickbot and Anchor, the Bazar loader and backdoor\r\ndecouple campaign and bot information in bot callbacks. Given these ties and how quickly Bazar is\r\nevolving, this may signal the attackers' next generation of malware attacks.\r\nTable of Contents\r\nKey Findings\r\nIntroduction\r\nInfection Vector\r\nLoader and Backdoor Analysis\r\nThe Early Development Loader (Team9)\r\nThe Operational Bazar Loader\r\nhttps://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles\r\nPage 1 of 29\n\nThe New Operational Bazar Loader\r\nThe Early Development Backdoor (Team9)\r\nThe Trickbot Connection\r\nConclusion\r\nMITRE ATT\u0026CK Techniques\r\nIOCs\r\nIntroduction\r\nSince April 2020, the Cybereason Nocturnus team has been investigating the emergence of the Bazar malware, a\r\nloader and backdoor used to collect data about the infected machine and to deploy additional malware. In this\r\nanalysis, we show how the Bazar malware is sent via phishing emails that take advantage of the ongoing\r\ncoronavirus pandemic, employee payroll reports, and customer complaints. The Bazar malware appears to have\r\nstrong ties to Trickbot campaigns resembling those seen in the Trickbot-Anchor collaboration from December\r\n2019. After further investigation, it is clear that the same infection chain delivers the Bazar loader instead of the\r\nusual Trickbot downloader. \r\nThe Bazar loader and Bazar backdoor are named after their use of EmerDNS blockchain domains. Using Bazar\r\ndomains has been trending recently among cybercriminals because such domains are able to evade the takedowns and\r\nsinkholing that disrupt botnet communications. \r\nThe Bazar loader gives the attacker its initial foothold in the environment, while the Bazar backdoor establishes\r\npersistence. 
Together, the loader and backdoor give threat actors the opportunity to deploy other payloads such as\r\nransomware, and post-exploitation frameworks like CobaltStrike, as well as exfiltrate data and remotely execute\r\ncommands on infected machines. The Bazar backdoor can lead to disrupted business continuity, data loss, and full\r\ncompromise, undermining trust in an organization.\r\nThere are several different versions of the Bazar backdoor and its loader, which shows that the malware is under\r\nactive development. This writeup dissects the Bazar loader and backdoor functionality alongside elements that\r\nshow its ties to Trickbot collaborations similar to that of Trickbot-Anchor from 2019. Our analysis will focus\r\nmainly on the Bazar loader as it is especially evasive given our findings from its recent re-emergence.\r\nThe Bazar loader infection chain starts from a phishing email link.\r\nInfection Vector\r\nThe Bazar loader infection is delivered via a malicious link in a phishing email. \r\nWhereas more common Trickbot campaigns use malicious file attachments to launch Microsoft Office macros and\r\ndownload Trickbot, this campaign initially infects hosts with the Bazar loader via phishing emails sent using the\r\nSendgrid email marketing platform. These emails contain links to decoy landing pages for document previews\r\nhosted in Google Docs. \r\nCoronavirus phishing email sent via Sendgrid email marketing with Google Docs links. \r\nVisiting the Google Docs landing page encourages the user to download a file. To convince users to download the\r\nfiles manually, the page states that document preview is not available.\r\nThe Bazar loader payload retrieval and net.exe commands post-infection. 
\r\nThe Bazar loader files are dual-extension executable files (such as PreviewReport.DOC.exe) signed with fake\r\ncertificates such as VB CORPORATE PTY. LTD. This is consistent with the Trickbot group, which notoriously\r\nabuses the trust of certificate authorities by using signed loaders and malware to evade security product detection.\r\nSigned malware was seen in Trickbot-Anchor infections and will continue to play a role in future campaigns due\r\nto the ease of obtaining code-signing certificates and their effectiveness in evading security products.\r\nTrickbot and Bazar loader signed files.\r\nLoader and Backdoor Analyses\r\nThe Cybereason Nocturnus team analyzed both development and operational versions of the Bazar loader and\r\nbackdoor. To differentiate between the two versions for this writeup, we reserved the name “Team9” for the\r\ndevelopment versions and the name “Bazar” for the operational versions. \r\nThe Team9 loader is examined first; then, we analyze the operational Bazar loader. Finally, we analyze an early\r\ndevelopment version of the malware, which is the Team9 backdoor. 
We summarize changes between loader and\r\nbackdoor versions as they are developed over time in the tables below.\r\nLoader variant | Creation date | Mutex | Log files (if any)\r\nDev Version 1 | April 9 | n/a | ld_debuglog.txt\r\nOperational Loader | March 27 - April 20 | ld_201127 | n/a\r\nNew Operational Loader | June 12 - June 18 | ld_201127 | n/a\r\nLoader information\r\nBackdoor variant | Creation date | Mutex | Log files (if any)\r\nDev Version 1 | April 7-9 | MSCTF.[botID] | bd_debuglog.txt\r\nDev Version 2 | April 16-22 | {589b7a4a-3776-4e82-8e7d-435471a6c03c} AND {517f1c3d-ffc0-4678-a4c0-6ab759e97501} | dl2.log\r\nDev Version 2.1 | April 17-23 | {589b7a4a-3776-4e82-8e7d-435471a6c03c} | bd2.log\r\nOperational Backdoor | March 27 - April 22 | mn_185445 | n/a\r\nBackdoor information\r\nThe Early Development Loader (Team9)\r\nA development version of the loader, which contains ‘team9 loader’ strings, downloads an XOR-encoded payload from a remote server, then decodes and injects the payload into a target process using process\r\nhollowing or process doppelgänging injection techniques. \r\nTo download the Bazar backdoor, the loader communicates with a remote server that sends the payload to the\r\ninfected machine in encrypted format. On first inspection, the payload does not show a valid PE header. 
Reversing\r\nthe Team9 loader sample shows that the XOR key is the infection date, in the format YYYYMMDD (ISO 8601).\r\nRetrieving the system time to decrypt the payload.\r\nThe loop responsible for the byte-by-byte decryption is represented in the image below.\r\nDecryption loop for the date and time.\r\nAs shown in later stages of this report, the above is a shared mechanism with the obfuscated and packed variant.\r\nThis loader variant creates a simple autorun key at CurrentVersion\\Run, masqueraded as BackUp Mgr.\r\nThe autorun key created by the Team9 loader.\r\nOnce the payload is decoded correctly with a proper PE header, it is validated and then injected into memory. The\r\nprocess can be viewed in the malware’s logs.\r\nContents of the log file (ld_debug.txt) show Bazar loader infection activity.\r\nDebug strings show the Bazar loader execution and payload retrieval status in a log file “ld_debuglog” indicating\r\nPE file signature verification and self-deletion capabilities. \r\nThis variant places the debug logs in the hardcoded ‘admin’ user folder.\r\nBazar loader and backdoor debug logs.\r\nThe Operational Bazar Loader\r\nIn the obfuscated and packed version of the loader, an uncommon API call is used to facilitate code injection. As\r\nseen in the image below, the loader uses VirtualAllocExNuma to allocate new memory and store the returned base\r\n
The beginning of an obfuscated shellcode is copied to this address after being decrypted using an RC4\r\nalgorithm.In addition to the shellcode an additional PE can be seen in memory.\r\nMemory allocation and call to shellcode decryption.\r\nThe Bazar loader also stores an RSA2 key that is used to open the RC4 key.\r\nRSA2 BLOB as seen in the loader’s memory.\r\nLooking at the code of the ‘decrypt_shellcode_and_mz’ function, we see it is very similar to the one being used in\r\nan earlier Trickbot variant and TrickBooster.\r\nhttps://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles\r\nPage 9 of 29\n\nThe shellcode decryption routine.\r\nAfter the RSA2 key is imported from the key BLOB, the RC4 key is loaded into the RC4 BLOB. It is reversed,\r\nsince it defaults to the little-endian format, and is finally appended with a trailing zero byte, which is an essential\r\npart of the key.\r\nThe RC4 BLOB with the loaded key.\r\nWhen the data is decrypted, a relatively short shellcode precedes the MZ bytes.\r\nhttps://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles\r\nPage 10 of 29\n\nThe decrypted shellcode and PE.\r\nCopied to the previously allocated memory, this code deobfuscates several essential API calls at runtime, such as\r\nLoadLibraryA, GetProcAddress, VirtualAlloc and VirtualProtect, all of which will be used to resolve APIs and\r\nallocate memory to run the additional PE.\r\nAPI resolving by the shellcode loader.\r\nThe code loads more APIs to the soon-to-be-executed PE before finally jumping to the PE entry point.\r\nhttps://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles\r\nPage 11 of 29\n\nResolving APIs for the PE by the shellcode loader.\r\nStepping into the loaded PE,Bazar loader tries to avoid targeting Russian users by checking if the Russian\r\nlanguage is installed on the infected machine. 
It calls setlocale, deobfuscating the “Russia” string by adding 0xf4\r\nto each character, and finally resolving and calling StrStrA to check if “Russia” is a substring of the current locale.\r\nIf so, the loader terminates. The Bazar Backdoor repeats this step as well.\r\nChecking for Russian language to determine if it should execute.\r\nIn general, the PE is highly obfuscated. Dedicated methods resolve additional strings and API calls at runtime,\r\nrendering the PE even more difficult to analyze. Below is an example of the method responsible for resolving the\r\n.bazar domains. It loads an obfuscated string, and deobfuscates it using the first character of the domain name as an\r\nXOR key for the rest of the string.\r\nDeobfuscating .bazar domains.\r\nA mutex name is deobfuscated and then copied before being passed to CreateMutexExA with the name\r\n“ld_201127”. \r\nMutex creation.\r\nOnce the Bazar loader downloads its payload, the Bazar backdoor, it is decrypted using the same method as the\r\naforementioned Team9 variant.\r\nDecrypting the downloaded payload.\r\nFinally, the loader validates the PE header for successful decryption, then it continues to the next step, which is\r\ncode injection by process hollowing.\r\nSystem time retrieval, decryption, and header check of the downloaded payload.\r\nThe loader tries three different processes: svchost, explorer, and cmd, similar to the functionality in the\r\ndevelopment version.\r\nAfter the code is successfully injected into one of the above processes, the loader uses several methods to autorun\r\nfrom the victim's machine. 
This implies that the code has not yet been finalized.\r\nBazar loader making sure it will autorun at any cost.\r\nFirst, the loader creates a scheduled task masquerading under the name StartAd - Ad as in Adobe. Other samples\r\nuse a decoy Adobe icon with a double extension .PDF.exe, similar to the MS Word variant being analyzed here.\r\nCreation of the scheduled task using taskschd.dll.\r\nThe author is also set as Adobe for further deception.\r\nThe created task as seen in the Task Scheduler.\r\nAfter setting up the scheduled task, the Bazar loader uses RegSetValueExA to write itself to\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon. By doing so, the\r\nloader is able to execute on every system logon.\r\nWriting the malware to autorun from userinit.\r\nThe Bazar loader will create another autorun entry by writing an adobe.lnk shortcut in the Windows Start menu\r\nStartup folder.\r\nWriting the Bazar loader to the startup folder.\r\nFinally, if the autorun overkill process was not enough, the malware grabs the user’s desktop using the\r\nSHGetSpecialFolderPathW API call, and makes the shortcuts point to the loader itself. It opens each shortcut\r\nlocation, renaming the target by prefixing the application’s name with an underscore, ultimately renaming itself as\r\nthe original application, copied to the destination folder.\r\nThe legitimate Firefox application is modified so that another copy of the loader can execute.\r\nFor example, the screenshot above shows that _firefox.exe is the original application, while firefox.exe is actually a\r\ncopy of the Bazar loader. 
This is confirmed after retrieving the files’ hashes.\r\nHashing both the malicious loader copy and the legitimate Firefox application.\r\nAnother small binary file is created in the folder with a .bin extension, containing more encrypted data.\r\nThe New Operational Bazar Loader\r\nA new version of the Bazar loader emerged at the beginning of June 2020. The files submitted to VirusTotal share\r\nthe same fake certificate: “RESURS-RM OOO”. While some functionality remains similar to the older operational\r\nvariant (such as the mutex, the downloaded payload decryption routine, the persistence mechanism etc.), there are\r\nsome new features in this new variant.\r\nOne noticeable feature is the evasive API-Hammering technique, which was also seen recently in a new Trickbot\r\nvariant. In this case, the usage of 1550 calls to printf is intended to overload sandbox analysis with junk data and\r\ndelay execution, since the sandbox logs API calls.\r\nBazar loader’s API-Hammering technique.\r\nAnother noticeable difference in the new variant is the change to the initial shellcode decryption routine, though it\r\nuses the familiar VirtualAllocExNuma routine.\r\nInitial routine before the shellcode decryption.\r\nThis variant is using what seems to be a custom RC4 algorithm with the following key.\r\nThe key used for the shellcode decryption.\r\nOnce the code is decrypted, it is clear that there are actually two payloads inside of it. 
The first payload serves as a\r\nloader for the second DLL payload.\r\nThe first PE loads the second one with the export function “StartFunc”.\r\nOffset 0x180004000 holds the second DLL.\r\nThe second DLL.\r\nOnce loaded, the second DLL’s StartFunc starts a loop by calling GetMessageA to retrieve Windows messages\r\nand runs the main activity method.\r\nStartFunc main activity method.\r\nAnother interesting finding is that Bazar Loader has now implemented a Domain Generation Algorithm using the\r\ncurrent date as a seed. At the moment, it seems more of a backup, since in monitored live cases the IPs were\r\ncontacted directly.\r\nBazar Loader’s DGA implementation.\r\nAll of the generated domains are still under the bazar suffix.\r\nGenerated Bazar domains.\r\nOther more minor (but significant for detection) changes include:\r\nConnecting to the C2 using only HTTPS\r\nThe User-Agent name was changed to dbcutwq or user_agent\r\nA new cookie: group=1\r\nThe _lyrt suffix that was used to check the malware’s presence on the machine has changed to _fgqw\r\nThe Early Development Backdoor (Team9)\r\nThe Cybereason Nocturnus team has identified three versions of this backdoor since early April this year. Their\r\nmodus operandi does not differ drastically; the versions can be distinguished by their mutexes and obfuscation level. \r\nData collected from the infected machine is hashed using the MD5 algorithm set in the CryptCreateHash API call\r\nby setting the ALG_ID to 0x8003, and then appended to the mutex name.\r\nGathering and hashing data about the infected machine.\r\nAfter successfully gathering the data, the Bazar backdoor connects to the C2 server. 
If the connection fails, it\r\ncontinues to retry. \r\nAnother interesting aspect of this version is how it uses a local address to fetch the data from the server. Given\r\nthat this is an early dev version, the author may be using this method for test purposes.\r\nPossible testing environment of the Bazar author. \r\nAfter successfully gathering the data and connecting to the C2 server, the backdoor parses the command received\r\nin the HTTP response. Each char of the command is XORed with the next char in the generated MD5 string.\r\nXORing the command retrieved from the C2 with the machine identifier hash.\r\nAfter checking and parsing the XORed data, the backdoor then logs and executes the retrieved command\r\naccording to the following switch case.\r\nSwitch case for the commands received from the C2 server.\r\nAs seen in the above image, the Bazar backdoor can handle quite a few commands. This next section focuses on\r\ncase 1, which retrieves various pieces of additional information on the infected machine. \r\nAfter receiving the value 1 from the C2 server and parsing the response, the value is mapped to the relevant\r\nmethod for execution.\r\nThe methods and mapped values as seen in memory. \r\nThe corresponding method to the value 1 is 0x3fab15b0 in this instance. 
This method collects additional data from\r\nthe infected machine, such as its public IP address, computer name, and the installed Windows version.\r\nGathering additional information about the infected machine.\r\nIt then performs a WMI query to retrieve information about the antivirus engine installed on the machine.\r\nWMI query to get information about the installed antivirus engine.\r\nAlso, the Bazar loader retrieves the installed applications list using the Windows\\CurrentVersion\\Uninstall registry\r\nkey.\r\nQuerying the installed programs on the machine.\r\nFinally, the loader spawns cmd.exe to perform a series of reconnaissance commands to obtain information about\r\nthe network and domain.\r\ncmd.exe running net and nltest tools.\r\nBecause the malware is a development version, most of the above data is well-documented in its logs.\r\nTeam9 backdoor logs.\r\nSubsequent network communications use a bot ID hash format reminiscent of the client ID used in Anchor\r\ncampaigns from 2019, an MD5 hash value.\r\nAs seen in previous Anchor infections, Anchor’s unique identifier generation follows this pattern:\r\n[Machine_NAME]_[Windows_Version].[Client_ID]\r\nAfter a machine is infected with Anchor, it uses openNIC resolvers to resolve a Bazar domain such as\r\ntoexample[dot]bazar. 
It then sends bot callbacks with the following information to the remote server in the format\r\nshown below:\r\n[campaign]/[Machine_NAME]_[Windows_Version].[Client_ID]/[switch]/\r\nMeanwhile, the generated Bazar bot ID is an MD5 hash composed of the computer name, creation dates of system\r\nfolders, and the system drive serial number.\r\nThe Bazar bot ID is an MD5 hash comprised of host information, including: \r\n[creation date of %WINDIR% in ASCII]\r\n[creation date of %WINDIR%\\system32 in ASCII].\r\n[NETBIOS_Name]\r\n[%SYSTEMDRIVE% serial number]\r\nBazar backdoor communications follow a pattern of the botID and numeric command switch.\r\n[botID]/[switch]\r\nBackdoor callbacks from the infected host to the Bazar domain use the botID and command switch ‘2’ when\r\nwaiting to receive a new task.\r\nNetwork communication from infected host to the .bazar domain with a unique botID.\r\nThe Bazar backdoor sends a ‘group’ identifier to the remote server along with the botID and the switch to send\r\ndata or receive commands. As of May 2020, there were two hardcoded groups. These backdoors are associated\r\nwith cookie group strings “two” and “five”. Meanwhile, the new loader is associated with the cookie group string\r\n“1”. \r\nBazar backdoor “group” identifier sent via HTTP request “cookie” parameter.\r\nWhile the URI string has changed from Trickbot and Anchor variants, the phishing tactics and use of post-infection reconnaissance commands remain the same. In the Bazar backdoor, the tag (or gtag) used to identify\r\nTrickbot campaigns is removed from C2 URIs. It may have been moved to the cookie HTTP header parameter. \r\nWith Bazar, the infected machine name and Trickbot campaign identifier are no longer sent in the same HTTP\r\nrequests. 
Instead, the ‘/api/v{rand}’ URI is sent to retrieve the backdoor from cloud hosted servers after the loader\r\nexecutes. Backdoor communications between the C2 server and the client occur to the .bazar domain using the\r\nbotID assigned to the infected host.\r\nThe decoupling of campaign tag and client machine name from the Bazar C2 server is specific to this backdoor.\r\nBecause bot communications are often quickly terminated after infections are discovered, removing the campaign\r\nand client machine name from URIs results in reduced downtime, lowering the need to re-infect a machine. \r\nThe Trickbot Connection\r\nAs we previously stated, the Bazar loader and Bazar backdoor show ties to Trickbot and Anchor malware with\r\nsigned loaders. Similarities between the three include: \r\nusing revoked certificates to sign malware\r\ndomain reuse (e.g. machunion[.]com and bakedbuns[.]com)\r\nalmost identical decryption routines in the Bazar and Trickbot loaders, including the usage of the same\r\nWinAPIs, custom RC4 implementation and the usage of API-Hammering in the latest loader variant,\r\nwhich is also found in Trickbot\r\nbackdoor command-and-control using .bazar domains \r\nThe fact that this malware does not infect machines with Russian language support offers a clue to its origins and\r\nintended targets.\r\nThe Bazar loaders are signed with revoked certificates. Previous research shows that the Trickbot group uses\r\nrevoked certificates to sign files up to six months after certificate revocation, illustrated by the use of a certificate\r\nissued to subject “VB CORPORATE PTY. LTD.” in January 2020. Anchor campaigns from December also used\r\nsigned Trickbot loader files with filenames related to preview documents. 
The current revoked certificate used in\r\nthe new loader variant is issued by “RESURS-RM OOO”.\r\nIn addition, similar phishing email tactics, Google Drive decoy previews, signed malware, and deceptive file icon\r\nuse were observed in both of these campaigns. We observed reuse of likely compromised domains to host Bazar\r\nloaders that previously served Trickbot loaders. For example, the domain ruths-brownies[dot]com was used in a\r\nTrickbot campaign in January and hosted Bazar loaders in April 2020.\r\nThe Bazar malware has a new command-and-control pattern and botID that differs from Trickbot and Anchor, yet\r\nretains historical indicators of both malware families. Finally, the use of Emercoin (.bazar) domains was observed\r\nin Trickbot infections delivering Anchor from December 2019. \r\nConclusion\r\nIn this writeup, we associate the Bazar loader and Bazar backdoor with the threat actors behind Trickbot and our\r\nprevious research on Anchor and Trickbot from December 2019. Based on our investigation, Cybereason\r\nestimates that the new malware family is the latest sophisticated tool in the Trickbot gang's arsenal, which so far has\r\nbeen selectively observed on a handful of high-value targets. \r\nThe Bazar malware is focused on evasion, stealth, and persistence. The malware authors are actively testing a few\r\nversions of their malware, trying to obfuscate the code as much as possible, and hiding the final payload while\r\nexecuting it in the context of another process. To further evade detection, the Bazar loader and backdoor use a\r\ndifferent network callback scheme from previously seen Trickbot-related malware. \r\nPost-infection, the malware gives threat actors a variety of command and code execution options, along with built-in file upload and self-deletion capabilities. This variety allows attackers to be dynamic while exfiltrating data,\r\ninstalling another payload on the targeted machine, or spreading further on the network. 
In general, having more\r\noptions ensures the threat actors can adjust to changes in their goals or the victim’s environment.\r\nThe use of blockchain domains distinguishes the Bazar loader and Bazar backdoor as part of a family of threats\r\nthat rely on alternate domain name systems such as EmerDNS domains. As we reported in Dropping The Anchor\r\nin December 2019, these alternate domain name systems have also been used in Trickbot Anchor campaigns.\r\nThese systems provide bot infrastructure with protection from censorship and resilience to takedowns, making\r\nthem invaluable for threat actors. \r\nThe emergence of the first malware variants in April 2020 was followed by an almost two-month-long hiatus, until a\r\nnew variant was discovered in June 2020. Our research, which covers the evolution of the Bazar malware family,\r\nclearly shows that the threat actor took time to re-examine and improve their code, making the malware stealthier.\r\nBazar’s authors changed some of the most detectable characteristics of the previous variant, such as previously\r\nhardcoded strings, and modified the known shellcode decryption routine, similar to what was previously\r\nobserved in recent Trickbot variants.\r\nAlthough this malware is still in development stages, Cybereason estimates that its latest improvements and\r\nresurfacing can indicate the rise of a new formidable threat once fully ready for production.\r\nMITRE ATT\u0026CK Techniques\r\nExecution: Execution Through API\r\nPersistence: Startup Items; Registry Run Keys / Startup Folder\r\nPrivilege Escalation: Startup Items; Process Injection\r\nDefense Evasion: Deobfuscate / Decode Files or Information; Masquerading; Modify Registry; Obfuscated Files or Information; Process Doppelgänging; Process Hollowing; Process Injection\r\nDiscovery: Account Discovery; Application Window Discovery; File and Directory Discovery; Process Discovery; Query Registry; Remote System Discovery; Security Software Discovery; System Information Discovery; System Time Discovery; System Owner / User Discovery\r\nExfiltration: Data Encrypted\r\nCommand and Control: Commonly Used Port; Remote File Copy; Standard Application Layer Protocol; Standard Cryptographic Protocol; Standard Non-Application Layer Protocol\r\nIndicators of Compromise\r\nThis campaign's IOCs are available for download as a PDF.\r\nSource: https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles\r\n",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles"
	],
	"report_names": [
		"a-bazar-of-tricks-following-team9s-development-cycles"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434069,
	"ts_updated_at": 1775791292,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eb2f5afce070eaf8f8804f8b49817464ed60e307.pdf",
		"text": "https://archive.orkl.eu/eb2f5afce070eaf8f8804f8b49817464ed60e307.txt",
		"img": "https://archive.orkl.eu/eb2f5afce070eaf8f8804f8b49817464ed60e307.jpg"
	}
}