{"id":90343,"date":"2021-09-16T14:19:41","date_gmt":"2021-09-16T08:49:41","guid":{"rendered":"https:\/\/blogs.quickheal.com\/?p=90343"},"modified":"2023-08-08T18:52:51","modified_gmt":"2023-08-08T13:22:51","slug":"what-you-need-to-know-about-the-bazarloader-malware","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/what-you-need-to-know-about-the-bazarloader-malware\/","title":{"rendered":"What you need to know about the BazarLoader Malware?"},"content":{"rendered":"

At the start of February 2021, Bazarloader malware was in the news about its mechanism of delivering the initial attack vector. It tricks a victim into connecting with a fake call where a threat actor asks to download malicious excel attachments from the portal to infect them. \u00a0We recently observed that its delivery mechanism is shifting to an older technique – popularly known as \u201cWordProcessingML,\u201d and now it delivers malicious attachments directly via email.<\/p>\n

What is WordProcessingML?<\/strong><\/h2>\n

WordProcessingML or Word 2003 XML Document is an XML-based format introduced in Microsoft Office 2003 as one of the formats that could be chosen in the “Save As” feature to save Word documents, though not the default format (e.g., DOC, a proprietary binary format). This is different from the “Microsoft Office Open XML File Format” introduced in Office 2007, which consists of a ZIP archive of various files, including XML. In contrast, WordProcessingML is a single uncompressed XML file. Later versions of MS Office are still capable of loading and saving WordProcessingML.<\/p>\n

Infection Chain:<\/strong><\/p>\n

\"\"<\/p>\n

Attack Chain<\/em><\/p>\n

The infection starts with a malspam having a Microsoft Word document (the older Word 2003 XML document). While the executing of the XML document file, it will automatically open the word application and run present macros.<\/p>\n

In the below fig, we can see the syntax for documents and macros.<\/p>\n

\"\"<\/p>\n

Fig.1- Original XML File<\/em><\/p>\n

 <\/p>\n

\"\"<\/p>\n

Fig.2- Document view to Victim<\/em><\/p>\n

In wordprocessingML file, attribute \u201c<w:name>\u201d in\u201d< w:binData>\u201d element contains \u201ceditdata.mso\u201d file that is base64 encoded ActiveMime object. ActiveMime is Zlib-compressed data starting at offset 0x32, which contains VBA macro and OLE object-related data.<\/p>\n

\"\"<\/p>\n

Fig.3- Steps to get OLE file<\/em><\/p>\n

The above highlighted OLE file is used to drop the HTA file on the victim\u2019s machine on the \u201cc:\\ProgramData\\\u201d location with the help of the command line.<\/p>\n

Adversaries also use text data with obfuscated \u201cy2nb\u201d in the original doc file to bypass AV solutions. By removing \u201cy2nb,\u201d we get base64 encoded data which contains the final URL to download malicious DLL payload. The below image shows the actual process.<\/p>\n

\"\"<\/p>\n

Fig.4- URL to download DLL<\/em><\/p>\n

These processes are done at run time by VBA macros present in the OLE file and HTA file \u201ciCoreBr.hta\u201d dropped at location \u201cc:\\ProgramData\\.\u201d The dropped file can be seen in fig 5.<\/p>\n

\"\"<\/p>\n

Fig.5- HTA file to download DLL<\/em><\/p>\n

Downloaded DLL is written on victim\u2019s public folder with name\u201dicoreBr.jpg<\/em>\u201d to confuse victim as shown in fig 6.<\/p>\n

\"\"<\/p>\n

Fig.6- Downloaded DLL as jpg<\/em><\/p>\n

This BazarLoader related DLL is used to download other modules of malware families such as Trickbot, Ryuk Ransomware, and Cobalt strike<\/a> activity.<\/p>\n

 <\/p>\n

Conclusion:<\/strong><\/p>\n

As the Bazarloader campaign is still active and changing its spreading mechanism, users should be careful while opening emails, documents sent by unknown senders and keep the AV updated. Quick Heal<\/a> customers are protected from these types of attacks at multiple detection levels.<\/p>\n

 <\/p>\n

IoCs:<\/strong><\/p>\n