Relevant threats of 2021
The Bazar family of malware continued to be active in 2021, spurring ransomware infections.Pairs with this song
It’s making us crazy trying to keep track of all the variants of the Bazar family of malware. Everytime we look around, there’s a new one in our face.
Editor’s note: While the detection opportunities and analysis on this page are still relevant, it has not been updated since 2022.
The Bazar malware family was quite active in 2021, spreading via multiple delivery affiliates, including TA551 and BazaCall. There are many names for Bazar (sometimes referred to as “Baza”) floating around that refer to various parts of the intrusion chain. Bazar is relevant because of its role as a malware precursor, and many 2021 intrusions starting with Bazar led to ransomware like Ryuk and Conti. The Bazar malware family encompasses a loader, BazarLoader, and backdoor, BazarBackdoor. These components have been delivered via multiple delivery affiliates. As we discuss in the Affiliates section of this report, differentiating initial delivery affiliates from loaders and payloads will help you understand each phase of the threat and how to better protect your organization.
One affiliate we’ve been tracking for a while, TA551, began delivering Bazar during 2021. While TA551 relied on email attachments to deliver Bazar, another affiliate behind a 2021 phishing campaign known as BazaCall opted to trick users into calling a phone number sent in an email. After a victim called the number, an adversary provided step-by-step instructions that led to downloading Bazar malware. (Check out Brad Duncan’s video for an example of how this intrusion plays out.) Once BazaLoader was installed, BazaCall led to Cobalt Strike and eventually, ransomware.
Microsoft Certificate Services using
certutil.exe to initiate download
This detection analytic looks for instances of the Microsoft Certificate Utility (
certutil.exe) initiating a download, a technique used to download Bazar payloads.
process == certutil.exe && command_line_includes ('urlcache')