The malware identified first as Anchor. The anchor is a sophisticated backdoor that served as a module to a subset of TrickBot installations. Operating since August 2018 it is not delivered to everybody, but the contrary is delivered only to high-profile targets. Since its C2 communication scheme is very similar to the one implemented in the early TrickBot, multiple experts believe it could be attributed to the same authors. Due to similarities in code and usage of the two different malware families in the same intrusions. In 2020 the Bazar malware family entered and again many associated it with the same group behind Trickbot. Below are the latest indicators of compromise.
Credits : Research by ExecuteMalware
Indicators of Compromise
Date : 20/03/2021
THREAT IDENTIFICATION: BAZARCALL
SENDER EMAILS
info@icartservice [.]net
helpdesk@rr [.]unicornfacial [.]com
SUBJECTS
Want to extend your free trial KRM50267720B?
Want to extend your free trial RMN57030360?
Want to extend your free trial RMN75256851?
Your free trial KRM92920945 is about to end!
Your free trial RMN19210127 has come to end!
LURE PHONE NUMBER
1 (213) 261 0445
MALDOC DOWNLOAD URLS
https://icartservice [.]net/unsubscribe [.]html
https://imedservice [.]net/unsubscribe [.]html
MALDOC FILE HASHES
subscription_1616187055 [.]xlsb
7867ebc2414ca337b6a8213031e0c422
subscription_1616191079 [.]xlsb
a21b2b890883d7f4219c98a5b7f25984
subscription_1616187039 [.]xlsb
d17e780a23c19a5ce5c2a0d4abc19b55
subscription_1616191046 [.]xlsb
e91481deccd1adac7a7587ebaaa76d3c
subscription_1616187823 [.]xlsb
ff2b34767ab01242968b759d3b93161a
PAYLOAD DOWNLOAD URL
First is a POST to:
http://call2 [.]xyz/campo/j1/j1
Then:
http://call2 [.]xyz/uploads/files/ss [.]exe
PAYLOAD FILE HASH
ss [.]exe
91ee2afefdf066eae3aead061a8075ed
Renamed to:
klga [.]exe
91ee2afefdf066eae3aead061a8075ed