win.bazarbackdoor

BazarBackdoor

aka: Team9Backdoor

BazarBackdoor is a small backdoor, probably by a TrickBot "spin-off" like Anchor. It is also called the Team9 backdoor (its corresponding loader is the Team9 restart loader).

So far it exclusively uses Emercoin (.bazar) domains, hence the name.

References
2020-07-16 | Cybereason | Daniel Frank, Mary Zhao, Assaf Dahan
@online{frank:20200716:bazar:3ed900d, author = {Daniel Frank and Mary Zhao and Assaf Dahan}, title = {{A Bazar of Tricks: Following Team9’s Development Cycles}}, date = {2020-07-16}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles}, language = {English}, urldate = {2020-07-16} } A Bazar of Tricks: Following Team9’s Development Cycles
BazarBackdoor
2020-07-15 | Johannes Bader's Blog | Johannes Bader
@online{bader:20200715:defective:3a3721f, author = {Johannes Bader}, title = {{The Defective Domain Generation Algorithm of BazarBackdoor}}, date = {2020-07-15}, organization = {Johannes Bader's Blog}, url = {https://johannesbader.ch/blog/the-buggy-dga-of-bazarbackdoor/}, language = {English}, urldate = {2020-07-15} } The Defective Domain Generation Algorithm of BazarBackdoor
BazarBackdoor
2020-07-14 | Johannes Bader's Blog | Johannes Bader
@online{bader:20200714:domain:51498ab, author = {Johannes Bader}, title = {{The Domain Generation Algorithm of BazarBackdoor}}, date = {2020-07-14}, organization = {Johannes Bader's Blog}, url = {https://johannesbader.ch/blog/the-dga-of-bazarbackdoor/}, language = {English}, urldate = {2020-07-15} } The Domain Generation Algorithm of BazarBackdoor
BazarBackdoor
2020-06-02 | Fox-IT | Nikolaos Pantazopoulos, Stefano Antenucci, NCC RIFT
@online{pantazopoulos:20200602:indepth:f43e58f, author = {Nikolaos Pantazopoulos and Stefano Antenucci and NCC RIFT}, title = {{In-depth analysis of the new Team9 malware family}}, date = {2020-06-02}, organization = {Fox-IT}, url = {https://blog.fox-it.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/}, language = {English}, urldate = {2020-06-03} } In-depth analysis of the new Team9 malware family
BazarBackdoor
2020-06-02 | NCC Group | Nikolaos Pantazopoulos, Stefano Antenucci
@online{pantazopoulos:20200602:indepth:bc09c9f, author = {Nikolaos Pantazopoulos and Stefano Antenucci}, title = {{In-depth analysis of the new Team9 malware family}}, date = {2020-06-02}, organization = {NCC Group}, url = {https://research.nccgroup.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/}, language = {English}, urldate = {2020-06-03} } In-depth analysis of the new Team9 malware family
BazarBackdoor
2020-05-19 | AlienLabs | Ofer Caspi
@online{caspi:20200519:trickbot:50c2a51, author = {Ofer Caspi}, title = {{TrickBot BazarLoader In-Depth}}, date = {2020-05-19}, organization = {AlienLabs}, url = {https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth}, language = {English}, urldate = {2020-05-20} } TrickBot BazarLoader In-Depth
Anchor BazarBackdoor TrickBot
2020-04-27 | Trend Micro | Trend Micro
@online{micro:20200427:behind:da9ae72, author = {Trend Micro}, title = {{Group Behind TrickBot Spreads Fileless BazarBackdoor}}, date = {2020-04-27}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/group-behind-trickbot-spreads-fileless-bazarbackdoor}, language = {English}, urldate = {2020-05-02} } Group Behind TrickBot Spreads Fileless BazarBackdoor
BazarBackdoor
2020-04-24 | Vitali Kremez
@online{kremez:20200424:trickbot:3773039, author = {Vitali Kremez}, title = {{TrickBot "BazarBackdoor" Process Hollowing Injection Primer}}, date = {2020-04-24}, url = {https://www.vkremez.com/2020/04/lets-learn-trickbot-bazarbackdoor.html}, language = {English}, urldate = {2020-05-02} } TrickBot "BazarBackdoor" Process Hollowing Injection Primer
BazarBackdoor
2020-04-24 | Bleeping Computer | Lawrence Abrams
@online{abrams:20200424:bazarbackdoor:86afc50, author = {Lawrence Abrams}, title = {{BazarBackdoor: TrickBot gang’s new stealthy network-hacking malware}}, date = {2020-04-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/bazarbackdoor-trickbot-gang-s-new-stealthy-network-hacking-malware/}, language = {English}, urldate = {2020-05-02} } BazarBackdoor: TrickBot gang’s new stealthy network-hacking malware
BazarBackdoor
Yara Rules
[TLP:WHITE] win_bazarbackdoor_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_bazarbackdoor_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES
     * - Only the hex sequences below and the condition affect matching; the
     *   "| mnemonic" annotations are informational and, in this rule, do not
     *   line up with the bytes they are printed next to (e.g. 85c0 is
     *   annotated "dec eax" while "test eax, eax" appears against 4898 and
     *   f6c108). Treat the mnemonic column as unreliable and disassemble the
     *   raw bytes yourself if you need to understand a sequence.
     * - Each "n" is the number of byte groups in the sequence; "score" is
     *   yara-signator's per-sequence ranking (presumably higher = more
     *   characteristic of this family — confirm against the tool's docs).
     * - "????????" masks four operand bytes, presumably address- or
     *   relocation-dependent ones, so those sequences are insensitive to the
     *   sample's load address.
     * - Because the sequences come from memory dumps / unpacked code (see
     *   DISCLAIMER), the rule is not expected to match packed samples on disk.
     */

    strings:
        $sequence_0 = { 498bf0 488bea 4c8bf1 33db }
            // n = 4, score = 600
            //   498bf0               | dec                 eax
            //   488bea               | cwde                
            //   4c8bf1               | dec                 eax
            //   33db                 | mov                 dword ptr [esp + 0x20], eax

        $sequence_1 = { ff15???????? 85c0 780a 4898 }
            // n = 4, score = 600
            //   ff15????????         |                     
            //   85c0                 | dec                 eax
            //   780a                 | mov                 dword ptr [esp + 0x20], eax
            //   4898                 | test                eax, eax

        $sequence_2 = { 41b80f100000 488bce 4889442420 ff15???????? 85c0 }
            // n = 5, score = 600
            //   41b80f100000         | inc                 ecx
            //   488bce               | mov                 eax, 0x100f
            //   4889442420           | dec                 eax
            //   ff15????????         |                     
            //   85c0                 | mov                 ecx, esi

        $sequence_3 = { f6c108 741b 498b4d28 4885c9 }
            // n = 4, score = 500
            //   f6c108               | test                eax, eax
            //   741b                 | js                  0x16
            //   498b4d28             | dec                 ecx
            //   4885c9               | mov                 esi, eax

        $sequence_4 = { 7558 8b4120 2d20059319 83f802 774b 488b4130 4885c0 }
            // n = 7, score = 500
            //   7558                 | test                eax, eax
            //   8b4120               | js                  0xe
            //   2d20059319           | dec                 eax
            //   83f802               | mov                 ecx, esi
            //   774b                 | dec                 eax
            //   488b4130             | mov                 dword ptr [esp + 0x20], eax
            //   4885c0               | test                eax, eax

        $sequence_5 = { 4885c0 7408 488bd5 488bce ffd0 }
            // n = 5, score = 500
            //   4885c0               | mov                 eax, 0x100f
            //   7408                 | dec                 eax
            //   488bd5               | mov                 ecx, esi
            //   488bce               | dec                 eax
            //   ffd0                 | mov                 dword ptr [esp + 0x20], eax

        $sequence_6 = { 750a b82b000000 e9???????? 660f6f05???????? }
            // n = 4, score = 500
            //   750a                 | dec                 eax
            //   b82b000000           | mov                 ebp, edx
            //   e9????????           |                     
            //   660f6f05????????     |                     

        $sequence_7 = { f64408ec40 7566 e8???????? 8b0f 4d8bcf }
            // n = 5, score = 500
            //   f64408ec40           | js                  0x1a
            //   7566                 | dec                 eax
            //   e8????????           |                     
            //   8b0f                 | cwde                
            //   4d8bcf               | inc                 ecx

        $sequence_8 = { 7406 488b11 ff5210 ff15???????? }
            // n = 4, score = 400
            //   7406                 | lea                 edx, [ebp + eax + 0x79f]
            //   488b11               | dec                 eax
            //   ff5210               | mov                 dword ptr [esp + 0x28], eax
            //   ff15????????         |                     

        $sequence_9 = { 488d95a0070000 488d442470 41b80f100000 488bce }
            // n = 4, score = 400
            //   488d95a0070000       | js                  0x44
            //   488d442470           | inc                 ecx
            //   41b80f100000         | mov                 eax, 0x100f
            //   488bce               | dec                 eax

        $sequence_10 = { 48c1e108 4803c8 8bc1 488d94059f070000 }
            // n = 4, score = 400
            //   48c1e108             | js                  0x13
            //   4803c8               | dec                 eax
            //   8bc1                 | cwde                
            //   488d94059f070000     | dec                 eax

        $sequence_11 = { 4533c9 4889442428 488d95a0070000 488d442470 }
            // n = 4, score = 400
            //   4533c9               | mov                 ecx, esi
            //   4889442428           | dec                 eax
            //   488d95a0070000       | mov                 dword ptr [esp + 0x20], eax
            //   488d442470           | test                eax, eax

        $sequence_12 = { 488d9590050000 488bce ff15???????? 85c0 }
            // n = 4, score = 400
            //   488d9590050000       | dec                 eax
            //   488bce               | mov                 ecx, esi
            //   ff15????????         |                     
            //   85c0                 | dec                 eax

        $sequence_13 = { ff15???????? 3d33270000 7519 8b0f }
            // n = 4, score = 300
            //   ff15????????         |                     
            //   3d33270000           | mov                 dword ptr [esp + 0x20], eax
            //   7519                 | test                eax, eax
            //   8b0f                 | dec                 eax

        $sequence_14 = { 0fb70f ff15???????? 0fb74f02 0fb7d8 ff15???????? }
            // n = 5, score = 300
            //   0fb70f               | mov                 ecx, esi
            //   ff15????????         |                     
            //   0fb74f02             | dec                 eax
            //   0fb7d8               | mov                 dword ptr [esp + 0x20], eax
            //   ff15????????         |                     

        $sequence_15 = { b9bb010000 663bc1 7404 a801 }
            // n = 4, score = 300
            //   b9bb010000           | mov                 eax, 0x100f
            //   663bc1               | dec                 eax
            //   7404                 | mov                 ecx, esi
            //   a801                 | dec                 eax

        $sequence_16 = { 3d12030900 7407 33c0 e9???????? }
            // n = 4, score = 300
            //   3d12030900           | dec                 eax
            //   7407                 | mov                 dword ptr [esp + 0x20], eax
            //   33c0                 | test                eax, eax
            //   e9????????           |                     

        $sequence_17 = { c3 0fb74c0818 b80b010000 663bc8 }
            // n = 4, score = 300
            //   c3                   | dec                 eax
            //   0fb74c0818           | cwde                
            //   b80b010000           | dec                 eax
            //   663bc8               | mov                 ecx, esi

        $sequence_18 = { ff15???????? 6683f808 7404 33c0 }
            // n = 4, score = 300
            //   ff15????????         |                     
            //   6683f808             | js                  0x68
            //   7404                 | inc                 ecx
            //   33c0                 | mov                 eax, 0x100f

        $sequence_19 = { ba08000000 ff15???????? 4c8bf8 4885c0 }
            // n = 4, score = 300
            //   ba08000000           | inc                 ecx
            //   ff15????????         |                     
            //   4c8bf8               | mov                 eax, 0x100f
            //   4885c0               | dec                 eax

        $sequence_20 = { 0fb7d8 ff15???????? 0fb74f08 440fb7e8 ff15???????? }
            // n = 5, score = 300
            //   0fb7d8               | inc                 ecx
            //   ff15????????         |                     
            //   0fb74f08             | mov                 eax, 0x100f
            //   440fb7e8             | dec                 eax
            //   ff15????????         |                     

        $sequence_21 = { 4c89742440 4c89742438 4489742430 4c89742428 }
            // n = 4, score = 300
            //   4c89742440           | inc                 ecx
            //   4c89742438           | mov                 eax, 0x100f
            //   4489742430           | dec                 eax
            //   4c89742428           | mov                 ecx, esi

        $sequence_22 = { b9100e0000 3bc1 0f4fc1 99 2bc2 }
            // n = 5, score = 300
            //   b9100e0000           | dec                 eax
            //   3bc1                 | cwde                
            //   0f4fc1               | dec                 ecx
            //   99                   | mov                 esi, eax
            //   2bc2                 | dec                 eax

        $sequence_23 = { 8bf0 85f6 745c 57 8d450c 50 ff7508 }
            // n = 7, score = 200
            //   8bf0                 | inc                 ebp
            //   85f6                 | xor                 ecx, ecx
            //   745c                 | dec                 eax
            //   57                   | mov                 dword ptr [esp + 0x28], eax
            //   8d450c               | dec                 eax
            //   50                   | lea                 edx, [ebp + 0x7a0]
            //   ff7508               | dec                 eax

        $sequence_24 = { 0fb70d???????? 83c40c 8d4101 51 66a3???????? }
            // n = 5, score = 200
            //   0fb70d????????       |                     
            //   83c40c               | dec                 eax
            //   8d4101               | cwde                
            //   51                   | inc                 ecx
            //   66a3????????         |                     

        $sequence_25 = { 8bca c1f918 0fb6c9 51 8bca c1f910 0fb6c1 }
            // n = 7, score = 200
            //   8bca                 | inc                 ecx
            //   c1f918               | mov                 eax, 0x100f
            //   0fb6c9               | dec                 eax
            //   51                   | mov                 ecx, esi
            //   8bca                 | dec                 eax
            //   c1f910               | mov                 dword ptr [esp + 0x20], eax
            //   0fb6c1               | dec                 eax

        $sequence_26 = { 418bcd 413bcd 7432 413bce 732d }
            // n = 5, score = 200
            //   418bcd               | mov                 dword ptr [esp + 0x20], eax
            //   413bcd               | test                eax, eax
            //   7432                 | js                  0x42
            //   413bce               | inc                 ecx
            //   732d                 | mov                 eax, 0x100f

        $sequence_27 = { 6800300000 6a40 ff15???????? 8bf0 }
            // n = 4, score = 200
            //   6800300000           | inc                 ebp
            //   6a40                 | xor                 ecx, ecx
            //   ff15????????         |                     
            //   8bf0                 | dec                 eax

        $sequence_28 = { 2ac2 fec8 88041a 8bd1 41 }
            // n = 5, score = 200
            //   2ac2                 | dec                 eax
            //   fec8                 | lea                 eax, [esp + 0x70]
            //   88041a               | inc                 ecx
            //   8bd1                 | mov                 eax, 0x100f
            //   41                   | dec                 eax

        $sequence_29 = { 3bcf 72e5 53 8b1d???????? }
            // n = 4, score = 200
            //   3bcf                 | mov                 ecx, esi
            //   72e5                 | dec                 eax
            //   53                   | mov                 dword ptr [esp + 0x20], eax
            //   8b1d????????         |                     

        $sequence_30 = { 8bd9 53 6a02 ff15???????? }
            // n = 4, score = 200
            //   8bd9                 | mov                 dword ptr [esp + 0x20], eax
            //   53                   | test                eax, eax
            //   6a02                 | js                  0x7d
            //   ff15????????         |                     

        $sequence_31 = { 84c0 741d 664489647c30 663bcd 7406 6683f941 7503 }
            // n = 7, score = 200
            //   84c0                 | dec                 eax
            //   741d                 | mov                 dword ptr [esp + 0x20], eax
            //   664489647c30         | test                eax, eax
            //   663bcd               | js                  0x36
            //   7406                 | dec                 eax
            //   6683f941             | mov                 ecx, esi
            //   7503                 | dec                 eax

        $sequence_32 = { 3b0e 7510 83c204 83c604 83ef04 73ef }
            // n = 6, score = 200
            //   3b0e                 | mov                 eax, 0x100f
            //   7510                 | dec                 eax
            //   83c204               | mov                 ecx, esi
            //   83c604               | dec                 eax
            //   83ef04               | mov                 dword ptr [esp + 0x20], eax
            //   73ef                 | test                eax, eax

        $sequence_33 = { 8d4c2418 e8???????? 85c0 740d e8???????? }
            // n = 5, score = 100
            //   8d4c2418             | mov                 esi, ecx
            //   e8????????           |                     
            //   85c0                 | xor                 ebx, ebx
            //   740d                 | dec                 esp
            //   e8????????           |                     

        $sequence_34 = { c745f90b0b4903 66c745fd0b0b 8bc3 885dff }
            // n = 4, score = 100
            //   c745f90b0b4903       | mov                 esi, eax
            //   66c745fd0b0b         | dec                 eax
            //   8bc3                 | mov                 ebp, edx
            //   885dff               | dec                 esp

    condition:
        // Match when at least 7 of the 35 sequences ($sequence_0..$sequence_34)
        // are present and the scanned object is smaller than 495616 bytes
        // (484 KiB). NOTE(review): YARA's `filesize` is only defined when
        // scanning a file, so this condition is not expected to hold when
        // scanning live process memory — confirm for your YARA version.
        7 of them and filesize < 495616
}