The malware identified first as Anchor. The anchor is a sophisticated backdoor that served as a module to a subset of TrickBot installations. Operating since August 2018 it is not delivered to everybody, but the contrary is delivered only to high-profile targets. Since its C2 communication scheme is very similar to the one implemented in the early TrickBot, multiple experts believe it could be attributed to the same authors. Due to similarities in code and usage of the two different malware families in the same intrusions. In 2020 the Bazar malware family entered and again many associated it with the same group behind Trickbot. Below are the latest indicators of compromise.
Credits : Research by ExecuteMalware
Indicators of Compromise
THREAT IDENTIFICATION: BAZARCALL
SENDER EMAILS
info@icartservice [.]com
inform@icartservice [.]com
it@icartservice [.]com
SUBJECTS
Do you want to extend your free period ###########?
Do you want to extend your free trial ###########?
Free period for ############ will come to the end end in 3 days
Free trial period for ############ ends in three days
Free trial period for ############ will end in 3 days
Your free period ########### is about to end!
Your free trial ########### is about to end!
LURE PHONE NUMBER
Not available
MALDOC DOWNLOAD URLS
https://buyimers [.]us/unsubscribe [.]html
https://geticart [.]us/unsubscribe [.]html
https://getmers [.]us/unsubscribe [.]html
https://gobcs [.]us/unsubscribe [.]html
https://goimed [.]us/unsubscribe [.]html
buyimers [.]us
geticart [.]us
getmers [.]us
gobcs [.]us
goimed [.]us
MALDOC (XLSB) FILE HASHES
09740a9d5d1b3d09d64d22d019567784
1974d98db0e8867165b008f7c46404a1
5a8f6aa70fae15ba88c0c159c30f923d
cdd3aacf99acd2a4e339914c480a6afd
LURE PHONE NUMBERS
Unknown
PAYLOAD DOWNLOAD URLS
http://beauty1 [.]xyz/campo/l/l1
ADDITONAL PAYLOAD FILE HASHES
1163 [.]pk9
dd6cdec2609c165cc64b3bc22be5fe20
1163 [.]ph5
99bfec83b97bd216e06117c6468b19db
1163 [.]xlsb
99bfec83b97bd216e06117c6468b19db