The malware was first identified as Anchor. Anchor is a sophisticated backdoor that served as a module for a subset of TrickBot installations. Operating since August 2018, it is not delivered to every infected host; on the contrary, it is pushed only to high-profile targets. Because its C2 communication scheme closely resembles the one implemented in early TrickBot, and because the two families share code and are used in the same intrusions, multiple experts attribute it to the same authors. In 2020 the Bazar malware family appeared, and again many associated it with the group behind TrickBot. Below are the latest indicators of compromise.
Credits: Research by ExecuteMalware
THREAT IDENTIFICATION: BAZARCALL
SENDER EMAILS
joeypovecsi@yahoo [.]com
no-reply@worldbookpoint [.]com
SUBJECTS
Your premium plan demo expires in 24 hours 0408########
Your current premium demo expires in 48 hours 0408########
Your current premium plan trial ends in 24 hours 0408########
Your premium demo expires in 3 days 0408#########
Your current premium trial ends in 48 hours 0408########
Your current premium trial expires in 3 days 0408########
LURE PHONE NUMBER
+1 901 584 0490
MALDOC LANDING PAGE URLS
https://bookpoint [.]us
https://bookspoint [.]us
https://pointbook [.]us
https://pointbooks [.]us
https://subsbookpoint [.]us
https://worldbookpoint [.]com
bookpoint [.]us
bookspoint [.]us
pointbook [.]us
pointbooks [.]us
subsbookpoint [.]us
worldbookpoint [.]com
MALDOC DOWNLOAD URLS
https://bokpoint [.]xyz/unsubscribe
https://bokspoint [.]xyz/unsubscribe
https://pointbok [.]xyz/unsubscribe
https://pointboks [.]xyz/unsubscribe
bokpoint [.]xyz
bokspoint [.]xyz
pointbok [.]xyz
pointboks [.]xyz
MALDOC (XLSB) FILE HASHES (MD5)
713ff91d0faecdc317dbdb22cf30afe3
7c06f05b2d96542bc7a6997c5e3f4cb4
9d39f307b0d6276450038cca7568b2cc
a18c5031cb91caf0818448ec313773f5
dd0068e6af3b638e96b09a2e0ec6f051
PAYLOAD DOWNLOAD URLS
http://dance4 [.]xyz/campo/d8/d9
ADDITIONAL DROPPED FILES (filename, MD5)
14118 [.]doy  61f9ff7edf0a1ff6888e541124226553
14118 [.]xlsb  61f9ff7edf0a1ff6888e541124226553
14118 [.]biy  0d90eb265cfe49b20037673845bd0c3c
Credits: Research by ExecuteMalware
THREAT IDENTIFICATION: BAZARCALL
SENDER EMAILS
chefnamursi@yahoo [.]com
debrapsoadic1996@yahoo [.]com
no-reply@worldbookpoint [.]com
pulprecvira1984@yahoo [.]com
sararibat@aol [.]com
singhsmutunul80@yahoo [.]com
tinadolam@aol [.]com
veronicacongnoces1982@yahoo [.]com
SUBJECTS
Your current premium demo ends in 24 hours 0407#########
Your current premium plan demo comes to an end in 48 hours 0407#########
Your current premium plan demo expires in 24 hours 0407#########
Your current premium plan trial comes to an end in 48 hours 0407#########
Your current premium trial comes to an end in 24 hours 0407#########
Your current premium trial expires in 48 hours 0407#########
Your premium demo ends in 24 hours 0407#########
Your premium demo expires in 1 day 0407#########
Your premium plan demo comes to an end in 1 day 0407#########
Your premium plan demo ends in 24 hours 0407#########
Your premium plan demo ends in 3 days 0407#########
Your premium trial comes to an end in 3 days 0407#########
LURE PHONE NUMBER
+1 929 224 5129
+1 901 584 0490
+1 816 307 4271
+1 909 741 1518
MALDOC LANDING PAGE URLS
https://bookpoint [.]us
https://bookspoint [.]us
https://pointbook [.]us
https://pointbooks [.]us
https://subsbookpoint [.]us
bookpoint [.]us
bookspoint [.]us
pointbook [.]us
pointbooks [.]us
subsbookpoint [.]us
MALDOC DOWNLOAD URLS
https://bokpoint [.]xyz/unsubscribe
https://bokspoint [.]xyz/unsubscribe
https://pointbok [.]xyz/unsubscribe
https://pointboks [.]xyz/unsubscribe (down)
bokpoint [.]xyz
bokspoint [.]xyz
pointbok [.]xyz
pointboks [.]xyz
MALDOC (XLSB) FILE HASHES (MD5)
0cdbb13bee293bc76871ab81e019930e
8e1cdb7400d9743032e4a85721231519
d14a8f12b56c25e48bee497f91a4c4be
ea9ba57db7701e9d59284522367b7482
PAYLOAD DOWNLOAD URLS
http://basket2 [.]xyz/campo/u/u1
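To turn the two BazarCall indicator sets above into something a mail gateway or SIEM can actually run, here is an added example (not ExecuteMalware's research tooling and not code from this page) that refangs the listed senders, domains and lure phone numbers, generalises the listed subject lines into a single pattern, and evaluates the resulting checks against two constructed messages. The subject regex, the assumption that the masked 0407/0408 suffix is a 12- or 13-digit number, the URL and phone-number regexes and the sample messages are this example's own assumptions, not facts from the page.

```python
"""BazarCall indicator matcher (added example, not ExecuteMalware's code).

Indicator values below are copied from the page, still defanged. Everything
else (subject pattern, suffix length, phone/URL regexes, sample mail) is an
assumption of this example.
"""
import re
from typing import List

# Indicators copied from the page, defanged exactly as listed.
SENDER_EMAILS = [
    "joeypovecsi@yahoo [.]com", "no-reply@worldbookpoint [.]com",
    "sararibat@aol [.]com", "tinadolam@aol [.]com",
]
LANDING_DOMAINS = ["bookpoint [.]us", "bookspoint [.]us", "pointbook [.]us",
                   "pointbooks [.]us", "subsbookpoint [.]us", "worldbookpoint [.]com"]
DOWNLOAD_DOMAINS = ["bokpoint [.]xyz", "bokspoint [.]xyz", "pointbok [.]xyz", "pointboks [.]xyz"]
PAYLOAD_DOMAINS = ["dance4 [.]xyz", "basket2 [.]xyz"]
LURE_PHONES = ["+1 901 584 0490", "+1 929 224 5129", "+1 816 307 4271", "+1 909 741 1518"]


def refang(ioc: str) -> str:
    """Undo the page's ' [.]' defanging so values compare against live mail."""
    return ioc.replace(" [.]", ".").replace("[.]", ".").lower()


def phone_digits(s: str) -> str:
    """Normalise a phone number to 10 national digits (drops a leading +1)."""
    d = re.sub(r"\D", "", s)
    return d[1:] if len(d) == 11 and d.startswith("1") else d


BAD_SENDERS = {refang(x) for x in SENDER_EMAILS}
BAD_DOMAINS = {refang(x) for x in LANDING_DOMAINS + DOWNLOAD_DOMAINS + PAYLOAD_DOMAINS}
BAD_PHONES = {phone_digits(x) for x in LURE_PHONES}

# Subject template generalised from the listed subjects. The page masks the
# trailing number as 0407######### / 0408########; assumed here to be
# 12-13 digits in real mail (assumption of this example).
SUBJECT_RE = re.compile(
    r"^Your (?:current )?premium (?:plan )?(?:demo|trial) "
    r"(?:expires|ends|comes to an end) in (?:24 hours|48 hours|1 day|3 days) "
    r"\d{12,13}$"
)
# Hostname out of any http(s) URL in the body (assumed sufficient for this lure).
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
# US-style number, optional +1, tolerant of spaces, dots, dashes and parentheses.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]*)?\(?\d{3}\)?[\s.-]*\d{3}[\s.-]*\d{4}")


def domain_matches(host: str) -> bool:
    """True for a listed domain or any subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BAD_DOMAINS)


def classify(sender: str, subject: str, body: str) -> List[str]:
    """Return the indicator classes a message hits; empty list means no hit."""
    hits = []
    if sender.lower() in BAD_SENDERS:
        hits.append("sender")
    if SUBJECT_RE.match(subject):
        hits.append("subject")
    if any(domain_matches(h) for h in HOST_RE.findall(body)):
        hits.append("domain")
    if any(phone_digits(p) in BAD_PHONES for p in PHONE_RE.findall(body)):
        hits.append("phone")
    return hits


# Constructed sample messages, not captured mail.
SAMPLE_MESSAGES = [
    ("no-reply@worldbookpoint.com",
     "Your current premium plan trial ends in 24 hours 0408123456789",
     "To cancel call (901) 584-0490 or visit https://subsbookpoint.us/unsubscribe"),
    ("billing@example.com",
     "Your invoice for April",
     "Call us on +1 555 010 0000 or see https://www.example.com/invoice"),
]

if __name__ == "__main__":
    for sender, subject, body in SAMPLE_MESSAGES:
        print(f"{sender!r}: {classify(sender, subject, body) or 'clean'}")
```

The subject check is deliberately a template rather than an exact-string list: the two bulletins already show nine wording variants of the same lure, so a list lookup would miss the next one. The phone check matters most, because the call-back number is the part of a BazarCall lure that survives a change of sender and domain.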