BazaLoader Malware Hides in Bogus Movie-Streaming Site

BazaLoader Malware continues to find novel attack vectors in 2021, following on from call-center attacks covered earlier this year by SaferNet. BazaLoaders’ most recent offering comes in the form of a fake movie-streaming service called BravoMovies, with some questionable movies available. The site makes use of flashy graphics and interesting movie titles, but all that is available to download if BazaLoader

BazaLoader is a loader used to deploy ransomware or other malware types and steal sensitive data from victimized systems. Proofpoint has conducted the majority of research on BazaLoader, including with regards to the latest attack.

Multiple threat actors use the downloader, which is written in C++, to load malware such as Ryuk and Conti ransomware. Proofpoint researchers said they’re confident that there’s a “strong overlap” between the distribution and post-exploitation activity of BazaLoader and the threat actors behind The Trick malware, also known as Trickbot.

The BravoMovies campaign uses an elaborate infection chain that’s in keeping with BazaLoader affiliates, who coax their victims into jumping through several hoops to trigger the malware payloads. It starts with an email telling recipients that their credit cards will be charged unless they cancel their subscription to the service – a subscription that they never signed up for, of course.

Some of the subject headers used to bait the trap:

• Your trial period M0012064753012345 is going to be expired soon. Thankfully you made a decision to stick with us!
• Demo stage is expired! Your account #M0272028060812345 will be automatically transferred to premium plan!

The email includes a phone number for the customer service line. This directs to the call center that has live humans standing by, reading to participate in the scheme. The apparent purpose of the call is to cancel the victim’s subscription to the bogus movie site. The site directs those who fall for the con to instead download a boobytrapped Excel spreadsheet that will spring macros that download BazaLoader.

The fake movie-streaming service looks just like a legitimate movie and TV streaming service, complete with fake movie titles as a landing page. In fact, the threat actors jerry-rigged fake posters. “The threat actors used fake movie posters obtained from various open-source resources including an advertising agency, the creative social network Behance, and the book ‘How to Steal a Dog’”, researchers said.

Proofpoint researchers wrote that BravoMovies has the charade down pat. The fake movie-streaming service looks just like a legitimate movie and TV streaming service, complete with fake movie titles as a landing page. In fact, the threat actors jerry-rigged fake posters. “The threat actors used fake movie posters obtained from various open-source resources including an advertising agency, the creative social network Behance, and the book ‘How to Steal a Dog’”, researchers said.

The call-center operators tell their targets to visit the BravoMovies site, to pull up the Frequently Asked Questions page and to follow the directions to unsubscribe via the “Subscribtion” page. Next, they’ll be instructed to download an Excel Sheet.

The Excel sheet contains the macros that will download BazaLoader if enabled. Proofpoint researchers haven’t yet observed the second-stage payload in this campaign, they said.

Sherrod DeGrippo, senior director of threat research and detection for Proofpoint, stated that for now, the BazaLoader threat actors are the most active when it comes to using call centers as part of an attack chain. “We have also observed The Trick [also known as Trickbot] delivered by similar campaigns,” she said via email. “Phone-based threats like “tech support scams” have existed for a few years, but these threats are separate from what we’re seeing in our data. It’s a novel way of inserting a different threat vector into the attack chain.”

It’s relatively new activity for the BazaLoader threat actors, DeGrippo continued: She described the method an emerging threat that’s become more prevalent since January 2021.

Proofpoint researchers first observed the BravoMovies campaign earlier this month. They noted that its complicated nature is successful in a counterintuitive way. Namely, this campaign “demonstrates an inversely proportional relationship between successful infection rates and asking people to complete complicated steps – the more steps required by the user, the less likely they are to complete the attack chain,” they explained. “However, despite being counterintuitive, the techniques used by the threat actors in this, and similar, campaigns help bypass fully automated threat detection systems.”

Proofpoint is forecasting that the threat actors behind BazaLoader and Trickbot will keep using these carefully crafted techniques in the future.

 

BazarLoader Malware Analysis

BazarLoader has been analysed in depth by cybersecurity researchers at AT&T Cybersecurity department.

The BazarLoader authors have produced an advanced module, with a significant amount of obfuscation. The BazarLoader uses multiple routines to hide API calls and embedded strings, which are then decrypted and resolved at runtime.

Once executed, the loader will allocate memory to store and decrypt its shellcode, which will be allocated to a NUMA node for faster execution. After allocation and decryption, the next instructions will jump to the shellcode that will be executed on the heap.

Next, BazaLoader will try to communicate with .bazar domain C2 servers. Once the C2 has been established, the loader will try to inject its payload into a system process using the process hollowing technique (T1093), which will create a suspended thread, unmap the destination image from memory, allocate new memory in the target process, copy the shellcode into the target process, set the thread context, and resume the process.

The malware uses the Windows API “VirtualAllocExNuma” function to allocate memory for its shellcode to be executed. The “VirtualAllocExNuma” function is used to allocate memory on a NUMA node, which allows for faster execution. The implementation can be seen In Figure 1 below. It is interesting to note that the “VirtualAllocExNuma” function is not commonly used in process injection.

The BazarLoader authors have created dozens of decryption routines, and with almost each string including APIs, DLLs, and C2s there is a once per use unique decryption routine. The loader uses the same decryption technique described above to resolve the API calls it uses during execution.

For injection, the malware resolves APIs from the ntdll.dll after it loads from disk and checks that there are no inline hooks within its function, that could be created for example by AV software that tracks those API calls.

The load order of APIs called in the injection procedure is:

• CreateProcessA (CREATE_SUSPENDED | CREATE_NEW_CONSOLE)
• NtGetContextThread
• NtReadVirtualMemory
• NtUnmapViewOfSection
• VirtualAllocExA
• NtWriteVirtualMemory
• NtSetContextThread
• NtResumeThread

he obfuscated C2 servers are decrypted in the function shown below: