TA551 stopped sending IcedID sometime in June 2021 and began pushing Trickbot.
By July 2021, TA551 stopped sending Trickbot and began pushing BazarLoader (sometimes called BazaLoader). TA551 continues to push BazarLoader, and Cobalt Strike is often follow-up malware for these infections.
Today's diary reviews a TA551 BazarLoader infection followed by Cobalt Strike on Tuesday 2021-08-10.
From email to document
Examples of TA551 emails from Tuesday 2021-08-10 are not yet publicly available, but a recent example was submitted to VirusTotal from a wave last week on 2021-08-04. These emails have different passwords each day, and we often see different passwords for different emails during the same day. These emails spoof replies to previously valid emails, but they no longer include message text from the email chain. We only see subject lines and spoofed sending addresses from the previously valid emails.
Attachments are currently named request.zip or info.zip. Potential victims would open these password-protected zip archives on a vulnerable Windows host using the password supplied in the message text. The extracted document uses a template that tells potential victims to enable macros.
Kicking off an infection
On a vulnerable Windows host, a victim would enable macros on the extracted document. Using an example from 2021-08-10, the document dropped an HTA file in the same directory as the document. This HTA file contains HTML and script designed to retrieve a malicious DLL to infect a vulnerable Windows host with BazarLoader.
BazarLoader to Cobalt Strike
After the infected host retrieved a DLL for BazarLoader, HTTPS traffic began for Bazar Command and Control (C2) activity. A malicious DLL for Cobalt Strike was sent through Bazar C2 traffic, then HTTPS traffic to xagadi[.]com began over 23.106.223[.]174 for Cobalt Strike.
Cobalt Strike tunneling through HTTPS
In recent weeks, we've noticed HTTPS traffic acting as a tunnel for Cobalt Strike activity. Cobalt Stike URLs within this HTTPS traffic spoof commonly-used domains like bing.com or google.
Images below show decrypted HTTPS traffic from Any.Run's sandbox analysis of the Cobalt Strike binary found on our infected lab host. The pcap from this sandbox analysis has a decryption key, so we can see the actual URLs spoofing bing.com within HTTPS traffic to xagadi[.]com.
We started seeing this HTTPS tunneling from Cobalt Strike samples this month (August 2021), but it might have started earlier. Here's a similar sample of Cobalt Stike from Monday 2021-08-09. It generated the same type of activity: URLs spoofing google.es tunneled through HTTPS traffic to gojihu[.]com and yuxicu[.]com, originally reported here.
Indicators of Compromise (IOCs)
The following are indicators of compromise from the wave of TA551 (Shathak) seen on Tuesday 2021-08-10.
10 examples of TA551 docs with macros for BazarLoader:
SHA256 hash: 03abdfb1bec53a41e952b2ecadeb2ff2c6506564507e425524f929e1c31f4147
SHA256 hash: 2222d8bee780ea651a40648ebc226b8541fcf12e686aa5a92eb558e9ab50f108
SHA256 hash: 42a9d7b02d5f84a43f481c981cef6a3107b6fb94fa8a03e513e4b056d37c77f8
SHA256 hash: 561459674b21852e97b6ea096765e743cec0a8d41e698ec1c9cbee4065860c32
SHA256 hash: 628de18eb4d1d7a66a7da82fc8b6bb20084849d3abf82ab3242843f07882f29e
SHA256 hash: 63b3efe7c8fabbb2a40145b5895c8566c6d38989a36501c474f88ebe9b822633
SHA256 hash: 68ca31d0eab4fc980da110e4587466baa38bccd1553cb7b15bc73aee87947bc9
SHA256 hash: be11fbd281424569ace8deae52242d2bcd37dd731d5332b67bfdcbbfe4180e67
SHA256 hash: c5741adf2becca698d13c2e145aeb753b0f8a6d20ba20b5b56c521ca0dc07d87
SHA256 hash: c90988e865d589eca9b278eaa270edfbd4b07bde3abc3719685f439c737a15d3
At least 6 domains hosting a malicious DLL for BazarLoader:
SHA256 hashes for 10 examples of .hta files:
Location for the above .hta files:
SHA256 hashes for 10 examples of BazarLoader DLL files:
SHA256 hash: 029b714502283599a5efb86d41c48fd46751ab727b707bde620e517ec3aa3c39
SHA256 hash: 612f74d0a1f2f90a5a4ae11889755ea68656967cf0401e15d9c375ddcfb1d9e7
SHA256 hash: 1f0f521ca8586846c9623f7bdbefbbbc84cec351ac3925dc66e8c59e44cb1713
SHA256 hash: 3638e918a3f0dfa6a610bcf906e6bd2413be02621154800fc18a0dd15d43f142
SHA256 hash: 36d4159d7d413fce963687f89ec4aec7ee8ab6fba05697e0ba0634db36a673a8
SHA256 hash: 41ee1d7254be06b34250d38fc6d0406a5febb22187e14fd50511e39069091391
SHA256 hash: 5590123543c7e78af3c7911466b6c4147f1b39928f648a252132baf06f2b1153
SHA256 hash: 6ba18d4835c77ceb9dad64b870bb3becb041017c2ef59ffd417d9bcedbd1bfe5
SHA256 hash: 92f08770e9d9c86ff5dc8384ca46a0bf70e407bebd4d3d5aaf5dcbcad05791d8
SHA256 hash: f4147b15de09f117235fa765c9796d6ff424f703d34acdbfcf2d1177b0f2df1a
Run method for the above DLL files:
Cobalt Strike binary from this infection:
SHA256 hash: 8438bfbb9c978de4f342a3ed19551f735343a9c1ed0c8610a332a83918cb5985
Bazar C2 traffic:
Cobalt Strike HTTPS tunnel:
URLs with spoofed domain used in HTTPS tunnel to xagadi[.]com:
For the past two months or so, I've seen more BazarLoader being pushed than ever before. BazarLoader is currently sent through at least three different campaigns:
BazarLoader is commonly followed by Cobalt Strike when an infected host is part of an Active Directory (AD) environment. These infections reportedly deliver ransomware as a final payload in real-world environments (here is one such example).
But decent spam filters and best security practices can help you avoid BazarLoader. Default security settings in Windows 10 and Microsoft Office 2019 should prevent these types of infections from happening.
However, it's a "cat-and-mouse" game. Malware developers create new ways to circumvent security measures, while vendors update their software, applications, and endpoint protection to address these new developments. Furthermore, mass-distribution methods like malspam remain cheap and profitable for cyber criminals.
Malware samples from this wave of TA551 and pcaps from the associated traffic can be found at here.
Aug 11th 2021
|Thread locked Subscribe||
Aug 11th 2021
1 month ago
Hello, thank you for the detailed information you give. Really appreciate it!
Aug 11th 2021
1 month ago
Thanks for this very useful analysis!
A colleague's Mac was infected with this Trojan recently, after she opened "report.zip" in an e-mail with the same text, yielding a password protected Word file with a similar name, and unfortunately assented to the Word dialog to enable macros.
The offending zip file and Word document were not detected by Cisco AMP for EndPoints (active on the computer) or by Malwarebytes. We notified Cisco, and it is now detected by their scanner.
A cybersecurity professional at our institution ran it in their sandbox and found that it crashed in current versions of Office. However, he could not tell us whether there would be any risk to an infected Mac (he guesses not).
Do you have any information that would speak to that?
I have not included specifics of the Trojan in the event that the actor(s) who promulgate it might be able to identify the Mac from the SHA hash, etc, and launch some sort of reprisal. I can convey these details confidentially, so long as they are not posted to your website.
Aug 16th 2021
1 month ago
Thanks for the comment. The malware binary retrieved by the Word document's macro is Windows-specific, so it wouldn't be able to run on macOS. You shouldn't have anything to worry about if the Word document was run on a mac or macbook, as long as Windows isn't involved.
Aug 16th 2021
1 month ago