There's a Trickbot variant called Bazar Backdoor which is now very active, and has good AV evasion across vendors at the moment. One to watch.
As @martijn_grooten rightly notes in the replies, it has been linked to a $6m Ryuk incident. YARA detection rules, this is what they detected yesterday: https://github.com/GossiTheDog/ThreatHunting/blob/master/YARA/BazaLoaderBackdoor.yar
Great context by Will: https://twitter.com/BushidoToken/status/1314567367725375489?s=20
The more you learn! https://twitter.com/thinkPoison/status/1314606706182287363
They're back again today, example: https://www.virustotal.com/gui/file/8c55e3b7ce984976b237f03414886e8a2df5884d6f1485716493c84b0abf073e/detection
Using same certificate name as some GraceWire campaigns in August.
I put some IOCs here if it helps: https://otx.alienvault.com/pulse/5f80a8e422f0579f87cdf4d0
Detection for this is still apparently very bad... I've updated the YARA rule to say they can be used for commercial use and as a basis for product detection, if that helps.
Today's BazarLoader run pending (I guess they might wait because.. reasons), detection is starting to look pretty good.
No BazarLoader runs today.
BazarLoader is back again. Above YARA rule detects still. "SNAB-RESURS, OOO" is digital signature today.
Examples: https://www.virustotal.com/gui/file/093f2b5a9d4628d9331751d7e6d3582cf097ab3f4091463ec895052dee8d22c3/detection
https://www.virustotal.com/gui/file/f5d920482e18df058cc0848a4e96d06af5322c05b3b61d3cf05800ab345d3edf/community
IoCs https://otx.alienvault.com/pulse/5f80a8e422f0579f87cdf4d0
YARA generic detection https://github.com/GossiTheDog/ThreatHunting/blob/master/YARA/BazaLoaderBackdoor.yar
Btw the 'blockchain unblockable C2 servers' are blockable by blocking DNS traffic to 51.254.25.115; it uses a hardcoded DNS server for .bazar lookups (you're never going to need that in a professional setting).
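A small defender-side check for the point above, added here as an example (not code from the thread or its author): it flags DNS log lines that look up .bazar names, that go to the hardcoded resolver named above, or that resolve the C2 domains named later in this thread. The log column layout and the sample lines are constructed assumptions.

```python
import re

# Indicators taken from the thread: the hardcoded resolver used for .bazar
# (EmerDNS) lookups and the two C2 domains named in the thread.
BAZAR_RESOLVER = "51.254.25.115"
KNOWN_C2 = {"titlecs.com", "labelcs.com"}

# Constructed sample DNS log (not real telemetry). The column layout
# "timestamp client resolver qname" is an assumption for this example.
SAMPLE_DNS_LOG = """\
2020-10-20T10:01:02Z 10.0.0.5 10.0.0.1 login.microsoftonline.com
2020-10-20T10:01:05Z 10.0.0.7 51.254.25.115 forgame.bazar.
2020-10-20T10:01:09Z 10.0.0.9 8.8.8.8 bestgame.BAZAR
2020-10-20T10:02:11Z 10.0.0.5 10.0.0.1 titlecs.com
2020-10-20T10:02:30Z 10.0.0.5 10.0.0.1 www.example.com
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<resolver>\S+)\s+(?P<qname>\S+)$")


def classify(line):
    """Return the reasons a single DNS log line should alert ([] if none)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []  # malformed line: skip it rather than abort the scan
    qname = m.group("qname").lower().rstrip(".")  # normalise case and trailing dot
    reasons = []
    if qname == "bazar" or qname.endswith(".bazar"):
        reasons.append("lookup of a .bazar (EmerDNS) name")
    if m.group("resolver") == BAZAR_RESOLVER:
        reasons.append("DNS traffic to hardcoded resolver " + BAZAR_RESOLVER)
    if qname in KNOWN_C2:
        reasons.append("lookup of known BazarLoader C2 domain " + qname)
    return reasons


def scan(log_text):
    """Scan a whole log; return (client, qname, reasons) for every hit."""
    hits = []
    for line in log_text.splitlines():
        reasons = classify(line)
        if reasons:
            m = LINE_RE.match(line.strip())
            hits.append((m.group("client"), m.group("qname"), reasons))
    return hits


if __name__ == "__main__":
    for client, qname, reasons in scan(SAMPLE_DNS_LOG):
        print(f"{client} -> {qname}: {'; '.join(reasons)}")
```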
Updated IoCs for BazarLoader and BazarBackdoor https://otx.alienvault.com/pulse/5f80a8e422f0579f87cdf4d0
Updated YARA rule for generic detection https://github.com/GossiTheDog/ThreatHunting/blob/master/YARA/BazaLoaderBackdoor.yar
Example Joesandbox report: https://www.joesandbox.com/analysis/297771/0/html
Updated IoCs for BazarLoader: https://otx.alienvault.com/pulse/5f80a8e422f0579f87cdf4d0
Updated YARA rules for generic detection: https://github.com/GossiTheDog/ThreatHunting/blob/master/YARA/BazaLoaderBackdoor.yar
Two new C2 domains: titlecs[.com and labelcs[.com
This time distributed via S3 bucket links rather than Google Docs.
And yes, the S3 bucket is Basecamp: people have realised they can upload content to Basecamp -> Basecamp puts content in an open S3 bucket by design -> free malware storage. https://twitter.com/Cyjax_Ltd/status/1317104423114518529?s=20
Updated BazarLoader IoCs: https://otx.alienvault.com/pulse/5f80a8e422f0579f87cdf4d0
YARA rule generic detection still detects all of these: https://github.com/GossiTheDog/ThreatHunting/blob/master/YARA/BazaLoaderBackdoor.yar
Detections are shockingly bad across vendors; this will turn into ransomware, we must do better.
The generic YARA rules for BazarLoader / KEGTAP have detected every run so far, including today’s. They’re free to use/adapt for AV providers. https://github.com/GossiTheDog/ThreatHunting/blob/master/YARA/BazaLoaderBackdoor.yar
My unmodified YARA rules still detect today’s Bazaloader/ KEGTAP, and all prior ones. https://github.com/GossiTheDog/ThreatHunting/blob/master/YARA/BazaLoaderBackdoor.yar
IoCs which aren't just Bazarloader/KEGTAP, but have strong overlap, and you should all block/alert on them. Great job by FireEye. https://gist.github.com/aaronst/6aa7f61246f53a8dd4befea86e832456
This thread is almost a month old
I updated the YARA rules as they made some additional evasions yesterday. https://github.com/GossiTheDog/ThreatHunting/blob/master/YARA/BazaLoaderBackdoor.yar
Example payload: https://www.virustotal.com/gui/file/2ed953f572237e52e336f5e65cd6cb735f65f3d35db0e74e2acc095d02cd3acd/detection/f-2ed953f572237e52e336f5e65cd6cb735f65f3d35db0e74e2acc095d02cd3acd-1604342848
Here's a great example of Bazarloader/KEGTAP to Ryuk ransomware in two hours in the real world, using things detected in this thread, with all the tech evidence. https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/