November 18, 2021

What is Bazar Loader and How to Prepare?

By Rotem Shemesh
Threat AnalysisDatto Managed SOC

What is Bazar Loader?

Bazar Loader is a fileless attack that downloads through the backdoor allowing attackers to install additional malware, often used for ransomware attacks. Since its inception in April 2020, Bazar Loader has attacked a wide variety of organizations in North America and Europe. The common assumption is that Bazar Loader was developed by a group of hackers known as Trickbot.

How Bazar Loader works:

The delivery method and course of the attack

In this post, we will give an example of a recent Bazar Loader attack that we captured and will analyze it, pointing out typical Bazar Loader modes of action. In this specific example, the attack was sent to an aviation company. However, similar attacks target diverse industries and organizations of different sizes and geographical locations.

Bazar Loader typically exploits existing “email” correspondences. It would “reply” to a real email thread with malicious content while using social engineering tricks to look legitimate and lure the victim.

In many cases, the text in the email subject line and body uses a sense of urgency and entices the victim to open the attachment without thinking. Here is an example:

Usually, the file attached to the email is a ZIP file that requires a password. The password itself is indicated in the body of the email. From the attacker’s perspective, the reason for using a password-protected file is to make it harder for security solutions to scan the file. A human, on the other hand, can easily open it as the password is provided in the email itself.

Opening the ZIP file leads to a Microsoft Word file. The .doc itself shows a message requesting to run a macro in order to view the file. This tempts the user to click ‘enable content’ in the top bar and allows the macro to run.

As seen in the above image, the file contains small text hidden in white—this is the content of the HTA file (HTML Application) which is saved on the computer. By default, files with an HTA extension run through mshta.exe—a tool that is already there and signed by Windows. Attackers use mshta.exe since it already exists in Windows and doesn’t raise suspicion. As such, it is very popular among hackers.

The HTA then runs and communicates with the bad actors’ server. The server returns the malicious DLL file, which would be written to the computer and run in the system.

At this point, the DLL, which is the backdoor, runs through regsvr32.exe and allows communication with a C2 server that sends and receives messages from the attacked computer allowing attackers to extract information from the victims or download another attack tool to the computer. Investigation of this communication showed that DNS requests come from various places in the world including the USA, Russia, Germany, and Panama.

Typical evasion and anti-debugging techniques

Bazar Loader uses quite a few tricks to evade security solutions and make it difficult for security researchers to expose it. Here are some examples that were used in the specific attack analyzed:

  • The http request to the server that returns the dll file to the infected computer is sent with a user agent written as if it were coming from a browser. This is a way to bypass security solutions when downloading the malicious file by communicating with the attacker’s server. Using this technique could make the communications look legitimate.
  • Running code before the traditional entry point. Debugging software and security researchers usually start investigating files from the traditional entry point. Therefore, pieces of code that run before this entry point can be easily missed. Researchers are not likely to notice it unless they adjusted the debugger’s settings beforehand or until after the machine is infected.
  • The malicious backdoor file contains a CPU Feature Information (cpuid) test in order to verify that it reached a real computer rather than a virtual machine. By doing that, it can either prevent the malware from running or change the way it runs in order to evade the sandbox. It will then run the malware as planned when reaching the end-point.

In conclusion, Bazar Loader attacks use an interesting mix of techniques—from social engineering, through hiding the malicious file behind a password-protected ZIP all the way to evasion techniques, allowing it to bypass advanced protection solutions as well as security researchers.

How to defend against Bazar Loader?

Bazar Loader is becoming increasingly popular and additional Bazar Loader variants are expected to emerge allowing it to evade traditional security solutions and harm organizations. Here are some tips to help you beware of this attack and know when to think twice before clicking:

  • Is this really who it looks like? Do not fall into the trap of social engineering, even if the email came from someone you know or the thread looks familiar. If you did not expect the specific email, if it arrived at a strange time or if it contains any other suspicious feature, do not click any links or files attached to it.
  • A password-protected file should arouse suspicion. Hackers are aware that password-protected files are more complex for security solutions to scan and therefore use them frequently to send malicious content. In case you receive such a file (could be a ZIP, PDF, or any other file type) be suspicious and check carefully before clicking it. Is it likely that the sender will send you this type of file? Does it make sense for this file to be password-protected? Did you expect this email?
  • Use advanced protection solutions that do not take”shortcuts”. Most email protection solutions currently on the market rely on reputation or patterns and tend to “trust” reputable senders rather than thoroughly scan all emails that arrive from them. This is how these solutions avoid “unnecessary” scans of what is perceived as low-risk emails. As we already know, Bazar Loader usually takes advantage of existing email threads that are considered safe. As such, many email security solutions will not even scan these malicious emails. In the example described here, the email came from a trusted source and therefore would have easily bypassed security solutions that rely on reputation. To protect against Bazar Loader and other attacks using similar techniques, deploy an advanced threat protection solution that scans all emails before entering the organization, including all links as well as attachments, and which specializes in identifying the malicious part (as opposed to specializing in identifying patterns). Learn more about Datto SaaS Defense here.
  • Why use mshta.exe if you do not have to?! It is recommended to block the use of mshta.exe as much as possible throughout the organization since mshta.exe is the component that allows Bazar Loader to run the malicious file. Fortunately, in most cases, mshta.exe has no substantial use in day-to-day work so it’s better to have it neutralized.
  • What to do in case you were infected? You could identify a Bazar Loader attack by monitoring the DNS requests. Requests for domains ending with .bazar imply that the machine is infected. Blocking the domain at this point will deny the ransomware from sending out data or even encrypting the files.

For more on how Datto’s products can help you protect from ransomware, and Bazar Loader in particular, check out Datto SaaS Defense and Datto RMM.

Suggested Next Reads