# Let's Learn: TrickBot "BazarBackdoor" Process Hollowing Injection Primer **[vkremez.com/2020/04/lets-learn-trickbot-bazarbackdoor.html](https://www.vkremez.com/2020/04/lets-learn-trickbot-bazarbackdoor.html)** **Goal: Review the latest stealthy TrickBot group backdoor dubbed as "BazarBackdoor" as** well as its process injection methodology approach. [#Malware](https://twitter.com/hashtag/Malware?src=hash&ref_src=twsrc%5Etfw) [@googledocs](https://twitter.com/googledocs?ref_src=twsrc%5Etfw) [📨 tyrone.smith@mymona.uwi.edu via @SendGrid](https://twitter.com/SendGrid?ref_src=twsrc%5Etfw) 📩 Re:, your report 🔗 hxxps://www.ruths-brownies.com/PreviewReport.DOC.exe 📁 a9952f532a7141910b2261394a52e6dc 🌐 Multiple DNS - bestgame.bazar - forgame.bazar - IP connections: [https://t.co/bhdN0n4Fqu](https://t.co/bhdN0n4Fqu) [pic.twitter.com/leZb64pfFc](https://t.co/leZb64pfFc) [— панкак3 (@pancak3lullz) April 20, 2020](https://twitter.com/pancak3lullz/status/1252303608747565057?ref_src=twsrc%5Etfw) **Source:** ``` Crypted Loader SHA-256: 1e123a6c5d65084ca6ea78a26ec4bebcfc4800642fec480d1ceeafb1cacaaa83 64-bit Backdoor SHA-256: 5974d938bc3bbfc69f68c979a6dc9c412970fc527500735385c33377ab30373a ``` **Outline:** ``` I. BazarBackdoor: Background & Executive Summary II. BazarLoader: Process Hollowing Methodology III. BazarBackdoor: Overview IV. Yara Signature: BazarBackdoor Payload V. Mitre ATT&CK Framework: BazarBackdoor Payload VI. Network JA3 Signature: BazarLoader Malware ``` **I. BazarBackdoor: Background & Executive Summary** BazarBackdoor is the new stealthy covert malware leveraged for high-value targets part of the TrickBot group toolkit arsenal. For more overall information, please read the [BleepingComputer report from Lawrence Abrams related to this malware functionality and](https://www.bleepingcomputer.com/news/security/bazarbackdoor-trickbot-gang-s-new-stealthy-network-hacking-malware/) discovery. The malware was signed “VB CORPORATE PTY. LTD.” as DigiCert The TrickBot backdoor is a lightweight malware aimed to evade detection and be lightweight. ----- It leverages a known TrickBot group crypter with the notable VirtualAllocExNuma API and RC4 decoder sequence. The TrickBot Anchor project and this backdoor both utilize the same Emercoin DNS for the server communication via /api/ request for the payload with architecture configuration (for example, /api/86 and /api/88). By and large, Emercoin DNS is a legitimate provider that leveraged for .bazar domain resolution. The goal of this fileless loader and backdoor is not to elevate privileges but to avoid any detection possible staying silently and only loading extra functionality as extra features. In case they get flagged as malicious, the bot would still remain in the system. The malware combination consists of two parts: loader and bot. The bot goal is to execute binaries, scripts, and modules, kill processes and remove itself from the compromised machine. **II. BazarLoader: Process Hollowing Methodology** The malware utilizes the process hollowing injection approach injecting the core backdoor into svchost.exe via the following sequence CreateProcessA(0, pDestCmdLine, 0, 0, 0, _CREATE_SUSPENDED, 0, 0, &startupInfo, &processInfo) -> Find PEB -> Locate Remote_ _Image_ _NtUnmapViewOfSection -> VirtualAllocEx -_ _> VirtualAllocEx(processInfo.hProcess, peb.ImageBaseAddress,_ _...,MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE) -_ _> WriteProcessMemory () -> WriteProcessMemory (SourceImage.NumberOfSections)_ ----- **III. BazarLoader: Host Persistence** The loader adds itself to \Software\Microsoft\Windows\CurrentVersion\Run and uses its process key for persistence. The malware decryption routine is as follows: ``` const char *Encrypt_Decrypter() { ... BYTE key = key; for (int i = 0; i < len; i++) { ptr[i] = ptr[i + 1] ^ key; key++; } } ``` ----- **IV. BazarBackdoor: Overview** The backdoor goal is to execute binaries, scripts, and modules, kill processes and remove itself from the compromised machine. ``` V. Yara Signature: BazarBackdoor Payload ``` ----- ``` rule crime_win64_backdoor_bazarbackdoor1 { meta: description = "Detects BazarBackdoor injected 64-bit malware" author = "@VK_Intel" reference = "https://twitter.com/pancak3lullz/status/1252303608747565057" tlp = "white" date = "2020-04-24" strings: $str1 = "%id%" $str2 = "%d" $start = { 48 ?? ?? ?? ?? 57 48 83 ec 30 b9 01 00 00 00 e8 ?? ?? ?? ?? 84 c0 0f ?? ?? ?? ?? ?? 40 32 ff 40 ?? ?? ?? ?? e8 ?? ?? ?? ?? 8a d8 8b ?? ?? ?? ?? ?? 83 f9 01 0f ?? ?? ?? ?? ?? 85 c9 75 ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 85 c0 74 ?? b8 ff 00 00 00 e9 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? eb ?? 40 b7 01 40 ?? ?? ?? ?? 8a cb e8 ?? ?? ?? ?? e8 ?? ?? ?? ?? 48 8b d8 48 ?? ?? ?? 74 ??} $server = {40 53 48 83 ec 20 48 8b d9 e8 ?? ?? ?? ?? 85 c0 75 ?? 0f ?? ?? ?? ?? ?? ?? 66 83 f8 50 74 ?? b9 bb 01 00 00 66 3b c1 74 ?? a8 01 74 ?? 48 8b cb e8 ?? ?? ?? ?? 84 c0 75 ?? 48 8b cb e8 ?? ?? ?? ?? b8 f6 ff ff ff eb ?? 33 c0 48 83 c4 20 5b c3} condition: ( uint16(0) == 0x5a4d and ( 3 of them ) ) or ( all of them ) } ``` **VI. Mitre ATT&CK Framework: BazarBackdoor Payload** The mapped Mitre ATT&CK Framework is as follows: Mitre ATT&CK Framework: T1093 - Process Hollowing Signature - TransactedHollowing T1055 - Process Injection ----- Signature - InjectionInterProcess **VII. Network JA3 Signature: BazarLoader Malware** **(f5e62b5a2ed9467df09fae7a8a54dda6)** The hostnames used for the command-and-control servers are: ``` forgame.bazar bestgame.bazar thegame.bazar newgame.bazar portgame.bazar ``` -----