A new malware strain has been detected in the wild, and researchers believe it could be the work of the group responsible for TrickBot.
The Cybereason Nocturnus threat research team has announced it has been tracking a new malware loader called Bazar since April, which targets healthcare, IT, manufacturing, logistics and professional services sectors.
The loader is being distributed through email, primarily in Europe and the United States. According to Cybereason, Bazar is delivered through an infection chain very much like the one used for TrickBot, reusing known domains, revoked certificates and following a very similar decryption routine.
The loader’s main purpose is to deliver secondary payloads - in this particular instance, post-exploitation framework CobaltStrike.
Given multiple different versions of the loader have been identified, Cybereason believes the group behind the malware is actively supporting and updating it.
“Based on our investigation, Cybereason estimates that the new malware family is the latest sophisticated tool in TrickBot gang’s arsenal, that so far has been selectively observed on a handful of high-value targets,” wrote Assaf Dahan, Cybereason researcher.
“The Bazar malware is focused on evasion, stealth, and persistence. The malware authors are actively testing a few versions of their malware, trying to obfuscate the code as much as possible, and hiding the final payload while executing it in the context of another process. To further evade detection, the Bazar loader and backdoor use a different network call back scheme from previously seen TrickBot-related malware."
“Post-infection, the malware gives threat actors a variety of command and code execution options, along with built-in file upload and self-deletion capabilities. This variety allows attackers to be dynamic while exfiltrating data, installing another payload on the targeted machine, or spreading further on the network. In general, having more options ensures the threat actors can adjust to changes in their goals or victim’s environment,” he added.
Cybereason believes Bazar is still in its infancy, but that it could represent a "formidable" threat once fully evolved.