The malware was first identified as Anchor. Anchor is a sophisticated backdoor that served as a module for a subset of TrickBot installations. Operating since August 2018, it is not delivered to every victim; on the contrary, it is delivered only to high-profile targets. Because its C2 communication scheme is very similar to the one implemented in early TrickBot, and because of similarities in code and the use of the two malware families in the same intrusions, multiple experts believe it could be attributed to the same authors. In 2020 the Bazar malware family appeared, and again many associated it with the group behind TrickBot. Below are the latest indicators of compromise.
Credits: Research by ExecuteMalware
Indicators of Compromise
THREAT IDENTIFICATION: BAZARCALL – [.]xlsb Edition
SENDER EMAILS
SUBJECTS
LURE PHONE NUMBER
1 (209) 554 3767
MALDOC DOWNLOAD URLS
MALDOC FILE HASHES
PAYLOAD DOWNLOAD URLS
http://whynt [.]xyz/campo/w/w
POSTs a ping, then downloads from:
http://whynt [.]xyz/uploads/files/dl8x64 [.]exe
PAYLOAD FILE HASH
dl8x64 [.]exe
b5cb5ac79b76d8db06f631e4ab461074
ADDITIONAL/C2 TRAFFIC
https://3 [.]89 [.]160 [.]167
ADDITIONAL FILES
STRINGS RUNNING IN MEMORY
C:\project\kerbwe 8\Bin\x64\ReleaseDLL\degx64 [.]pdb
/studio/cut_the_crup