Executive Summary

CYDERES, Cyber Defense and Response, is the security-as-a-service division of Fishtech. This division was created to help organizations with 24/7 security operations through our award-winning managed detection and response offering. This article focuses on the day-to-day activities of a SOC Analyst.

Thursday Morning

Through the Missouri Innovation Campus, I was given the opportunity to learn as an intern in the CYDERES SOC. With the help of analysts and other CYDERES resources, I was recently able to apply some of the knowledge I have learned to a Bazar loader campaign. On September 24, 2020, I started my day by grabbing a nitro cold brew from the break room before heading through the man trap that leads into the Security Operations Center. Using face recognition for the first door and my badge for the next, I headed to my desk. Once there, I looked at the Twitter feeds kept on the large display and noticed reports of a malspam campaign linked to Bazarloader. Since I was working the abusebox, a service offered to clients in which suspicious emails are sent to us for analysis, I started researching what the campaign looked like and noting any similarities to previously seen campaigns.

Figure 1: SOC in the Cyber Defense Center 

Thursday Afternoon

Later that day, CYDERES received multiple copies of emails delivered to different customers that closely resembled the emails seen that morning. The first item that stood out was that they all used one of the same two subjects, “Re: what time?” and “Re: debit confirmation”. The second was that they all had the same sending address, “mike_warner@parkshorebmw[.]com”, which appears to be a legitimate email address for a BMW dealership in Vancouver that was likely compromised or spoofed. While the sender looked reputable, investigating the body of the email showed items similar to previously seen phishing campaigns that led to credential harvesters.

Figure 2: Sample email 1

Figure 3: Sample email 2

I observed that the emails used common spear-phishing techniques (MITRE ATT&CK T1566.002): addressing the email to the target company while claiming to be an outsourcing specialist. The email also created a sense of urgency by discussing payroll information and setting a time by which a reply was needed, then requested that the user download a PDF file.

The link in the email shows it was sent via SendGrid and contains a masked URL that redirects to the payload. This follows the trend reported by Brian Krebs of SendGrid being commonly used to send malicious emails that evade detection. The link leads to a Google Docs document that looks very similar to ones linked to Emotet malspam campaigns.

Figure 4: Screenshot of the requested download pdf

The page contains a message claiming that Google has verified this page and calls it “safe”. However, this text was added by the threat actors in an attempt to make the page look legitimate. The page is hosted on Google’s cloud services, which means the document could have been created by anyone, so it should not be trusted for employee information.

The link on the page was observed to download an EXE file even though the email and the website claim that the document should have been a PDF file.

Running the file command shows the following:

Figure 5: File command on suspicious “pdf” file
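Checking the claimed file type against the actual content is the triage step the file command performs. As an added example (not code from the original post), the Python below does the same check from the magic bytes and also reads the PE Machine field, which is the first thing to look at when a sample will not run in a 32-bit sandbox. The bytes built by fake_pe() are constructed for the demo and are not the real Bazar loader.

```python
# Added example (not from the original post): verify that a downloaded file
# really is what its name and the phishing page claim. A PE executable starts
# with "MZ" and carries a "PE\0\0" signature at the offset stored at 0x3C;
# a PDF starts with "%PDF-". fake_pe() builds constructed demo bytes only.
import struct
from typing import Optional

MAGIC = {b"%PDF-": "pdf", b"MZ": "exe"}

# IMAGE_FILE_HEADER.Machine values from the PE specification
MACHINE = {0x14C: "x86", 0x8664: "x64", 0x1C0: "arm", 0xAA64: "arm64"}


def sniff_type(data: bytes) -> str:
    """Classify content by its magic bytes, ignoring the file extension."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def pe_machine(data: bytes) -> Optional[str]:
    """Return the PE target architecture, or None if this is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return MACHINE.get(machine, "unknown(0x%x)" % machine)


def check_claimed_type(filename: str, data: bytes) -> dict:
    """Compare the extension the lure advertises with the real content type."""
    claimed = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = sniff_type(data)
    return {
        "claimed": claimed,
        "actual": actual,
        "arch": pe_machine(data) if actual == "exe" else None,
        "mismatch": actual != "unknown" and actual != claimed,
    }


def fake_pe(machine: int) -> bytes:
    """Constructed minimal PE header (DOS stub + COFF header) for the demo."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)        # 64-byte DOS header
    struct.pack_into("<I", dos, 0x3C, len(dos))   # e_lfanew -> PE signature
    return bytes(dos) + b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18
```

A file named payroll.pdf whose bytes begin with MZ reports a mismatch, which is exactly the case seen in this campaign.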

The downloaded binary had not yet been flagged as malicious in VirusTotal. The binary was then detonated in a sandbox but did not run in a Windows 10 32-bit environment. Switching to a Windows 10 64-bit sandbox, the sample loaded modules, but after reading the GUID information it unloaded them. This appeared to be because the sample detected that it was in a VM or that it would not run on Windows 10. This is a common threat actor tactic for avoiding analysis and aligns with MITRE ATT&CK technique T1497 (Virtualization/Sandbox Evasion).

Research on the PDB path from the binary led to a GitHub page that suggested the binary might run on a Windows 7 VM. The referenced GitHub page discusses in detail how to escalate privileges in Windows 7. After detonating the sample in a local Windows 7 virtual machine, it was found that the sample was generating domains ending in “.bazar”. Like Trickbot, this loader evades detection by abusing the trust placed in certificate authorities. This loader, however, uses EmerDNS domains for command and control because those domains cannot be censored. According to the Emercoin site:

Because of Emercoin’s secure and distributed blockchain the domain name records are completely decentralized and uncensorable and cannot be altered, revoked or suspended by any authority. Only a record’s owner can modify or transfer it to another owner, and a record’s owner is determined by whoever controls the private key to the associated payment address.

Figure 6: Screencapture of bazar dns domains in Wireshark
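Because .bazar names are served by EmerDNS rather than by public DNS, a corporate host querying that TLD is a strong detection signal regardless of which DGA name it asks for. As an added example (my code, not the post's or CYDERES'), the following flags such queries in a simplified DNS query log; the log lines and domain names are constructed for the demo, and the other TLDs listed are the remaining zones EmerDNS serves.

```python
# Added example (not from the original post): flag DNS queries for EmerDNS
# blockchain TLDs, which the Bazar loader's DGA uses for C2. The log format
# and every line in SAMPLE_LOG are constructed; the names are not the post's IOCs.
import re
from collections import defaultdict

# EmerDNS zones: .bazar is the one seen in this campaign; .coin, .emc and .lib
# are the other TLDs EmerDNS publishes. None resolve through ordinary DNS.
EMERDNS_TLDS = {"bazar", "coin", "emc", "lib"}

# Simplified query log: "<timestamp> <client_ip> query <qname> <qtype>"
LOG_RE = re.compile(r"^(\S+) (\S+) query (\S+?)\.? (\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, qtype = m.groups()
    return {"ts": ts, "client": client, "qname": qname.lower(), "qtype": qtype}


def is_emerdns_query(qname):
    """True when the rightmost label is an EmerDNS TLD (e.g. xxxx.bazar)."""
    tld = qname.rstrip(".").rsplit(".", 1)[-1]
    return tld in EMERDNS_TLDS


def find_emerdns_queries(lines):
    """Return {client_ip: [qnames]} for every query to an EmerDNS TLD."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_emerdns_query(rec["qname"]):
            hits[rec["client"]].append(rec["qname"])
    return dict(hits)


# Constructed sample log: one host beaconing DGA-style .bazar names, one
# host doing ordinary lookups (bazar.example.com is a negative control).
SAMPLE_LOG = """\
2020-09-24T14:02:11Z 10.0.5.21 query www.example.com. A
2020-09-24T14:02:13Z 10.0.5.21 query abcdefabcdef.bazar. A
2020-09-24T14:02:14Z 10.0.5.21 query fedcbafedcba.bazar. A
2020-09-24T14:03:00Z 10.0.7.9 query mail.example.com. MX
2020-09-24T14:03:05Z 10.0.7.9 query bazar.example.com. A
""".splitlines()
```

Because EmerDNS names never resolve through the corporate resolver, these queries usually appear as NXDOMAIN responses, so the lookup attempt itself is the indicator to alert on.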

Performing an OSINT review of the IP address 92.242.40[.]137 turned up a tweet by @JAMESWT_MHT listing this IP as “Bazarloader” signed by “Nordkod LLC”:

Figure 7: Tweet listing the ip as bazarloader

A look at the binary properties shows the same signature listed on Twitter:

Figure 8: File signed as Nordkod LLC

The next steps were to follow customer-specific playbooks to report and mitigate this campaign for our clients. For one customer, this included quarantining around 100 emails that had reached users but were mostly unread. Using Chronicle, a search was made for any of the IOCs in the customer’s environment, which returned zero hits. For a detailed analysis of Bazarloader, see Cybereason’s article titled “A bazar of tricks: following team9’s development cycles”.

Leverage Fishtech’s Expertise

Analysts in the GSOC, Global Security Operations Center, provide 24×7 security monitoring, triage, and investigations across the entire security stack. From abuse box monitoring and human threat hunting to managed deception and network traffic analysis, CYDERES ultimately owns detection of threats in the client’s environment to be a force multiplier for in-house security capabilities. To learn more about the GSOC or other services offered by Fishtech, fill out the form below, or check out the drop-down menus at the top of the page.

References:

https://krebsonsecurity.com/2020/08/sendgrid-under-siege-from-hacked-accounts/
https://emercoin.com/en/documentation/blockchain-services/emerdns/emerdns-introduction
https://twitter.com/JAMESWT_MHT/status/1309469473833967616
https://github.com/pauldotknopf/WindowsSDK7-Samples/blob/master/com/uac/elevationsample/ElevationManager.cpp
https://attack.mitre.org/techniques/T1497/
https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles

IOCs

Phishing URLs:
hXXps://redacted[.]sendgrid[.]net/ls/click?upn=M5xslCDvln2rluMyU8n-2BYB72GKPBcd1eszomdHyZXrokEdzxNxkIDQobTMe2sMWmGk0T0fDgb82Scmnu0FhU33GfqxrVpZAf8fN
hXXps://docs[.]google[.]com/document/d/e/2PACX-1vSNRlZCfsXuh24McOcs7UlenV3L7e9W6BDiq48hHtm2odtzRVdXYWlU-t7Dryn_7ZqE4RVRuNFSlmqh/pub

Hashes
sha256  3b6ba198625d8aa2359e9727951ac801c3f0521e5b8025e36eb98a78c752b89f
sha1    4e783aa0faa4a1a56d9e8b14c83b17f74bb8e31b
md5     62265048f49f6f22500f75ea45325603

Bazar Loader’s DGA implementation (snippet)

IP Connections