Goal: Review the latest stealthy TrickBot group backdoor dubbed as “BazarBackdoor” as well as its process injection methodology approach.
Source:#Malware @googledocs— панкак3 (@pancak3lullz) April 20, 2020
[email protected] via @SendGrid
Re: <name>, your report
hxxps://www.ruths-brownies.com/PreviewReport.DOC.exe
a9952f532a7141910b2261394a52e6dc
Multiple DNS
> bestgame.bazar
> forgame.bazar
> IP connections: https://t.co/bhdN0n4Fqu pic.twitter.com/leZb64pfFc
Crypted Loader SHA-256: 1e123a6c5d65084ca6ea78a26ec4bebcfc4800642fec480d1ceeafb1cacaaa83
64-bit Backdoor SHA-256: 5974d938bc3bbfc69f68c979a6dc9c412970fc527500735385c33377ab30373a
I. BazarBackdoor: Background & Executive Summary
II. BazarLoader: Process Hollowing Methodology
III. BazarBackdoor: Overview
IV. Yara Signature: BazarBackdoor Payload
V. Mitre ATT&CK Framework: BazarBackdoor Payload
VI. Network JA3 Signature: BazarLoader Malware
BazarBackdoor is the new stealthy covert malware leveraged for high-value targets part of the TrickBot group toolkit arsenal. For more overall information, please read the BleepingComputer report from Lawrence Abrams related to this malware functionality and discovery.
The malware was signed “VB CORPORATE PTY. LTD.” as DigiCert
The TrickBot backdoor is a lightweight malware aimed to evade detection and be lightweight. It leverages a known TrickBot group crypter with the notable VirtualAllocExNuma API and RC4 decoder sequence.
The TrickBot Anchor project and this backdoor both utilize the same Emercoin DNS for the server communication via /api/ request for the payload with architecture configuration (for example, /api/86 and /api/88). By and large, Emercoin DNS is a legitimate provider that leveraged for .bazar domain resolution.
The goal of this fileless loader and backdoor is not to elevate privileges but to avoid any detection possible staying silently and only loading extra functionality as extra features. In case they get flagged as malicious, the bot would still remain in the system.
The malware combination consists of two parts: loader and bot. The bot goal is to execute binaries, scripts, and modules, kill processes and remove itself from the compromised machine.
II. BazarLoader: Process Hollowing Methodology
The malware utilizes the process hollowing injection approach injecting the core backdoor into svchost.exe via the following sequence CreateProcessA(0, pDestCmdLine, 0, 0, 0, CREATE_SUSPENDED, 0, 0, &startupInfo, &processInfo) -> Find PEB -> Locate Remote Image
NtUnmapViewOfSection -> VirtualAllocEx -> VirtualAllocEx(processInfo.hProcess, peb.ImageBaseAddress,
…,MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE) -> WriteProcessMemory () -> WriteProcessMemory (SourceImage.NumberOfSections)
The loader adds itself to \Software\Microsoft\Windows\CurrentVersion\Run and uses its process key for persistence.
The malware decryption routine is as follows:
const char *Encrypt_Decrypter()
{
…
BYTE key = key;
for (int i = 0; i < len; i++)
{
ptr[i] = ptr[i + 1] ^ key;
key++;
}
}
The backdoor goal is to execute binaries, scripts, and modules, kill processes and remove itself from the compromised machine.
V. Yara Signature: BazarBackdoor Payload
rule crime_win64_backdoor_bazarbackdoor1 {
meta:
description = “Detects BazarBackdoor injected 64-bit malware”
author = “@VK_Intel”
reference = “https://twitter.com/pancak3lullz/status/1252303608747565057”
tlp = “white”
date = “2020-04-24”
strings:
$str1 = “%id%”
$str2 = “%d”
$start = { 48 ?? ?? ?? ?? 57 48 83 ec 30 b9 01 00 00 00 e8 ?? ?? ?? ?? 84 c0 0f ?? ?? ?? ?? ?? 40 32 ff 40 ?? ?? ?? ?? e8 ?? ?? ?? ?? 8a d8 8b ?? ?? ?? ?? ?? 83 f9 01 0f ?? ?? ?? ?? ?? 85 c9 75 ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 85 c0 74 ?? b8 ff 00 00 00 e9 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? eb ?? 40 b7 01 40 ?? ?? ?? ?? 8a cb e8 ?? ?? ?? ?? e8 ?? ?? ?? ?? 48 8b d8 48 ?? ?? ?? 74 ??}
$server = {40 53 48 83 ec 20 48 8b d9 e8 ?? ?? ?? ?? 85 c0 75 ?? 0f ?? ?? ?? ?? ?? ?? 66 83 f8 50 74 ?? b9 bb 01 00 00 66 3b c1 74 ?? a8 01 74 ?? 48 8b cb e8 ?? ?? ?? ?? 84 c0 75 ?? 48 8b cb e8 ?? ?? ?? ?? b8 f6 ff ff ff eb ?? 33 c0 48 83 c4 20 5b c3}
condition:
( uint16(0) == 0x5a4d and ( 3 of them ) ) or ( all of them )
}
The mapped Mitre ATT&CK Framework is as follows:
Mitre ATT&CK Framework:
- T1093 - Process Hollowing
- Signature - TransactedHollowing
- T1055 - Process Injection
- Signature - InjectionInterProcess
The hostnames used for the command-and-control servers are:
forgame.bazar
bestgame.bazar
thegame.bazar
newgame.bazar
portgame.bazar
Article Link: 1win México ᐈ Сasino en línea - sitio web oficial