The malware was first identified as Anchor. Anchor is a sophisticated backdoor that served as a module for a subset of TrickBot installations. Operating since August 2018, it is not pushed to every TrickBot victim; on the contrary, it is delivered only to high-profile targets. Because its C2 communication scheme is very similar to the one implemented in early TrickBot, and because the two malware families share code and turn up in the same intrusions, multiple experts attribute it to the same authors. In 2020 the Bazar malware family appeared, and again many associated it with the group behind TrickBot. Below are the latest indicators of compromise.
Credits: research by ExecuteMalware.

Indicators of Compromise
THREAT IDENTIFICATION: BAZAR CALL / BAZAR LOADER

SENDER EMAILS
ad@servicei[.]com
icart@admicart[.]us
icart@mailcart[.]com
icart@myicart[.]com
icartinfo@icart[.]fr
icartinfo@icartsoc[.]com
info2@gmail[.]com
info@icartservice[.]com
job@xz[.]celticwindmilltrucking[.]com
mail@icartcom[.]org
no-reply@sa[.]cityofblum[.]org
seo@mailcart[.]com
stevejoe36@yahoo[.]com
uk@icartservice[.]org
us@icart[.]fr
user@icartservices[.]info
world@icartko[.]com

SUBJECTS (the run of # stands for a variable token that differs per message)
Do you want to extend your free period ###########?
Free trial period for ############ will end in 3 days
Free trial period for ############ will end in three days
Thank you for using your free period ###########. Time to move on!
Your free period ########### is about to be over!
Your free period ########### is about to end!
Your free period ########### is almost over!
Your free period ########### is going to end!
Your free trial ########### is about to end!
Your free trial ########### is going to end!
Your free trial period ########### is almost finished
Your free trial period ########### is almost over!
LURE PHONE NUMBERS
+1 (213) 401-9021
+1 (657) 220-1695

MALDOC DOWNLOAD URLS (lure domain, download URL, result at the time of the check: ".xlsb" means an XLSB maldoc was served, "404" means nothing was served any more)
getmers[.]us  https://gtmers[.]xyz/unsubscribe[.]html  Result = 404
gobcs[.]us  https://gobcss[.]xyz/unsubscribe[.]html  Result = .xlsb
geticart[.]us  https://igetcart[.]xyz/unsubscribe[.]html  Result = .xlsb
https://goimed[.]us/  https://goimed[.]us/unsubscribe[.]html  Result = 404
buyimers[.]us  https://buymers[.]xyz/unsubscribe[.]html  Result = .xlsb

MALDOC (XLSB) FILE HASHES (MD5)
562f79b140956396a2565ceb517bd4c3
5fd381f999d95ce87bd371855c12b918
61f088075376c04815f611dc0a60882e
687b33fe6d8101cd86f27754a04b38e9
aca3073d2fa419834bd1998806103dca
fe9b3d6f7c68e6d2ac10aec454051267

PAYLOAD DOWNLOAD URLS
http://about2[.]xyz/campo/a/a1
http://about2[.]xyz/uploads/files/rl103[.]exe

PAYLOAD FILE HASHES (MD5)
rl103[.]exe  4bf479d0fcb081c8ab68c41d848d593d
renamed to fjlq[.]exe  4bf479d0fcb081c8ab68c41d848d593d (same file, same hash)

ADDITIONAL TRAFFIC
https://18[.]223[.]206[.]249
https://3[.]86[.]82[.]29

ADDITIONAL FILE HASHES FROM PAYLOAD DOMAIN (MD5)
yer5e[.]exe  fae1cf371d316ddd6918efda8b993f72
rety5r2[.]exe  88df8e94cd1738d631974c9aff361c8f
ret5er[.]exe  68defeb5cbf90fac11e4db64d2e39ab5
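To make the list above usable against mail, proxy and file logs, here is an added example written for this page (it is not ExecuteMalware's code). It refangs the "[.]" notation, compiles each lure subject into a regex in which a run of # is assumed to be a single whitespace-free token, and matches records against the sender addresses, the hosts of the download URLs and the MD5 payload hashes. Only a subset of the indicators is copied in; the mail records and file contents it is run on are constructed for the example.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# A subset of the indicators listed above, kept in the page's defanged form
# (dots written as "[.]"). Extend these sets with the rest of the list.
SENDER_EMAILS = {
    "ad@servicei[.]com",
    "icart@admicart[.]us",
    "no-reply@sa[.]cityofblum[.]org",
    "stevejoe36@yahoo[.]com",
}
SUBJECT_TEMPLATES = [
    "Do you want to extend your free period ###########?",
    "Free trial period for ############ will end in 3 days",
    "Your free trial period ########### is almost over!",
]
MALICIOUS_URLS = {
    "https://gtmers[.]xyz/unsubscribe[.]html",
    "https://gobcss[.]xyz/unsubscribe[.]html",
    "https://igetcart[.]xyz/unsubscribe[.]html",
    "https://goimed[.]us/unsubscribe[.]html",
    "https://buymers[.]xyz/unsubscribe[.]html",
    "http://about2[.]xyz/campo/a/a1",
    "http://about2[.]xyz/uploads/files/rl103[.]exe",
    "https://18[.]223[.]206[.]249",
    "https://3[.]86[.]82[.]29",
}
PAYLOAD_MD5 = {
    "4bf479d0fcb081c8ab68c41d848d593d": "rl103.exe (also seen renamed fjlq.exe)",
    "fae1cf371d316ddd6918efda8b993f72": "yer5e.exe",
    "88df8e94cd1738d631974c9aff361c8f": "rety5r2.exe",
    "68defeb5cbf90fac11e4db64d2e39ab5": "ret5er.exe",
}


def refang(ioc: str) -> str:
    """Undo the '[.]' defanging so the indicator can be compared literally."""
    return ioc.replace("[.]", ".")


def subject_regex(template: str) -> "re.Pattern[str]":
    """Compile a lure subject into a regex.

    Each run of '#' is the token the page left variable; it is assumed here
    to be one whitespace-free string (\\S+). Literal spaces are loosened to
    \\s+ so doubled spaces in a real header still match.
    """
    escaped = re.escape(refang(template))
    # re.escape writes '#' as '\#', so a run of placeholders is '(\#)+'.
    pattern = re.sub(r"(?:\\#)+", lambda _m: r"\S+", escaped)
    pattern = pattern.replace(r"\ ", r"\s+")
    return re.compile(r"^\s*" + pattern + r"\s*$", re.IGNORECASE)


SENDERS = {refang(s).lower() for s in SENDER_EMAILS}
SUBJECT_PATTERNS = [subject_regex(t) for t in SUBJECT_TEMPLATES]
HOSTS = {urlsplit(refang(u)).hostname for u in MALICIOUS_URLS}


@dataclass
class MailRecord:
    sender: str
    subject: str


def check_mail(record: MailRecord) -> List[str]:
    """Return which indicator types the mail matched ('sender', 'subject')."""
    hits = []
    if record.sender.strip().lower() in SENDERS:
        hits.append("sender")
    if any(rx.match(record.subject) for rx in SUBJECT_PATTERNS):
        hits.append("subject")
    return hits


def url_hit(url: str) -> bool:
    """Match on host only: the same hosts served both 404s and .xlsb files."""
    return urlsplit(url).hostname in HOSTS


def md5_hit(data: bytes) -> Optional[str]:
    """Look up a file's MD5 against the payload hashes (MD5 is what the list gives)."""
    return PAYLOAD_MD5.get(hashlib.md5(data).hexdigest())


if __name__ == "__main__":
    # Constructed sample records, not real captured mail.
    samples = [
        MailRecord("icart@admicart.us", "Free trial period for 8427-XQ will end in 3 days"),
        MailRecord("billing@example.com", "Your free trial period 55012 is almost over!"),
        MailRecord("alice@example.com", "Quarterly report"),
    ]
    for s in samples:
        print(s.sender, "->", check_mail(s) or "clean")
    print(url_hit("https://igetcart.xyz/unsubscribe.html"))
    print(md5_hit(b"not the real payload"))
```

Matching URLs on host rather than full path is deliberate: the same .xyz hosts answered with a 404 one moment and an XLSB the next, so a path-exact rule would miss a re-armed page. Subject matching alone flags mail from senders not yet on the list, which is the more useful signal once the operators rotate addresses.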