The malware identified first as Anchor. The anchor is a sophisticated backdoor that served as a module to a subset of TrickBot installations. Operating since August 2018 it is not delivered to everybody, but the contrary is delivered only to high-profile targets. Since its C2 communication scheme is very similar to the one implemented in the early TrickBot, multiple experts believe it could be attributed to the same authors. Due to similarities in code and usage of the two different malware families in the same intrusions. In 2020 the Bazar malware family entered and again many associated it with the same group behind Trickbot. Below are the latest indicators of compromise.
Credits : Research by ExecuteMalware
Indicators of Compromise
THREAT IDENTIFICATION: BAZARCALL
SENDER EMAILS
info@imedservice [.]net
marcoaurelio3351@ibest [.]com [.]br
qysedohofe@itfix [.]vn
tobolaja@gabrieljuliano [.]com [.]br
zojenoxogi@tropicana [.]st
SUBJECTS
Do you want to extend your free trial KRB44272035?
Thank you for using your free trial BCS87227489 [.] Time to move on!
Want to extend your free trial BCS19037460?
Want to extend your free trial BCS26389287?
Your free trial BCS72129127 is about to end!
Your free trial KRB51243021 is about to end!
LURE PHONE NUMBER
1 (323) 672 3498
MALDOC DOWNLOAD URLS
https://bluecartservice [.]com/unsubscribe [.]html
https://icartservice [.]org/unsubscribe [.]html
https://imedservice [.]org/unsubscribe [.]html
https://imerservice [.]net/unsubscribe [.]html
https://merservice [.]org/unsubscribe [.]html
https://bluecartservice [.]com/request [.]php
https://icartservice [.]org/request [.]php
https://imedservice [.]org/request [.]php
https://imerservice [.]net/request [.]php
https://merservice [.]org/request [.]php
bluecartservice [.]com
icartservice [.]org
imedservice [.]org
imerservice [.]net
merservice [.]org
MALDOC FILE HASHES
subscription_1616531528 [.]xlsb
60080063f20e5da0fcc38ede4407e3c6
subscription_1616531520 [.]xlsb
6ede5f75892226294dd96f001a617adb
subscription_1616531536 [.]xlsb
8a4dd9362277f1b93c3200133ad9baf0
subscription_1616531509 [.]xlsb
b7457a7bdd1c3b5fc36a07893301c525
subscription_1616531591 [.]xlsb
f37d57ac3f94710fcd4f7f1246b681a2
PAYLOAD DOWNLOAD URL
First a post to:
http://pwrpro [.]xyz/campo/t/t
Then downloads:
http://aras [.]iuc [.]ac/wp-content/plugins/wordpress-seo/css/dist/gerte523d [.]exe
PAYLOAD FILE HASH
gerte523d [.]exe
98aca6c94ef680b24885d1462ccc36af
ADDITIONAL/C2 TRAFFIC
https://52 [.]90 [.]97 [.]160
ADDITIONAL FILES
I also found these files in \Users\public:
42237 [.]j56
284f430f7d1a51630e63527ba04cb831
42237 [.]xlsb
284f430f7d1a51630e63527ba04cb831
42237 [.]h5
c041f13b892c73c76ef4fcbba60b00b5
All 3 have MZ headers
[.]j56 and [.]xlsb have the same file hash
SUPPORTING EVIDENCE
https://urlhaus [.]abuse [.]ch/browse [.]php?search=98aca6c94ef680b24885d1462ccc36af