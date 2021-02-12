FortiGuard Labs Threat Research Report

Affected platforms: Microsoft Windows

Impacted parties: Windows Users

Impact: Controls the victim's device, collects sensitive information from it, and delivers other malware.

Severity level: Critical

FortiGuard Labs recently detected a suspicious email through the SPAM monitoring system that was designed to trick a victim into opening a web page to download an executable file. Additional research on this executable file found that it is a new variant of the Bazar malware.

My analysis of this variant is being published in two parts. In the first part of the analysis, I explained how the Bazar loader was downloaded onto a victim's device, how it communicates with its C2 server to obtain a Bazar file, and how that file is then injected into a newly-created 'cmd.exe' process.

In this second part, I will focus on the Bazar payload file that runs inside the 'cmd.exe' process. You will learn what new anti-analysis techniques this Bazar uses, how it communicates with its C2 server, what sensitive data it is able to collect from the victim's device, and how it is able to deliver other malware onto the victim's system.

This variant of the Bazar payload is a 64-bit executable file written in Microsoft Visual C++ 8.0. It was compiled on Monday, Jan 18, 2021.

In its Main() function, we can see that execution is driven by a timer: SetTimer() registers it, and a message loop built around GetMessageA() receives the resulting WM_TIMER messages. When the handler's condition is met, the working function is called exactly once. The pseudocode of how they work together is shown in Figure 1.1, below.
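The following is an added model of that timer-driven loop; it is not the Bazar code and not FortiGuard's pseudocode. Because the real loop depends on the Win32 message queue, the block replaces SetTimer()/KillTimer()/GetMessageA() with small stand-ins that keep the same shape (a timer id, WM_TIMER delivery, WM_QUIT ending the loop), so it compiles and runs anywhere. The names run_timer_loop, sim_get_message, handle_message and the "required ticks" condition are assumptions chosen for illustration; the sample's actual condition is not stated in the text above.

```c
#include <stdbool.h>
#include <stdio.h>

#define WM_TIMER 0x0113   /* the real Win32 WM_TIMER message identifier */
#define WM_QUIT  0x0012   /* the real Win32 WM_QUIT message identifier  */

typedef struct {
    unsigned message;
    unsigned wParam;      /* for WM_TIMER: the timer id passed to SetTimer() */
} MSG;

/* Simulated timer, standing in for SetTimer()/KillTimer(). */
typedef struct {
    bool     active;
    unsigned id;
    unsigned interval_ms;
    unsigned elapsed_ms;  /* time since the last WM_TIMER */
    unsigned fired;       /* WM_TIMER messages delivered so far */
} sim_timer;

/* State the modelled Main() keeps; the assumed condition is "N timer ticks". */
typedef struct {
    sim_timer timer;
    unsigned  required_ticks;
    unsigned  clock_ms;       /* simulated wall clock */
    unsigned  work_calls;     /* how many times the working function ran */
    bool      done;
} loop_state;

/* What the loop reports back, so callers (and tests) can check it. */
typedef struct {
    unsigned work_calls;
    unsigned timer_fired;
    unsigned elapsed_ms;      /* simulated time until the loop ended */
} loop_result;

static void sim_set_timer(loop_state *st, unsigned id, unsigned interval_ms) {
    st->timer.active = true;
    st->timer.id = id;
    st->timer.interval_ms = interval_ms;
    st->timer.elapsed_ms = 0;
    st->timer.fired = 0;
}

static void sim_kill_timer(loop_state *st) { st->timer.active = false; }

/* Stand-in for GetMessageA(): advance the clock by one scheduler slice and
 * hand back the next message. Returns false on WM_QUIT, like the real API. */
static bool sim_get_message(loop_state *st, MSG *msg, unsigned slice_ms) {
    if (st->done) { msg->message = WM_QUIT; msg->wParam = 0; return false; }
    st->clock_ms += slice_ms;
    st->timer.elapsed_ms += slice_ms;
    if (st->timer.active && st->timer.elapsed_ms >= st->timer.interval_ms) {
        st->timer.elapsed_ms -= st->timer.interval_ms;
        st->timer.fired++;
        msg->message = WM_TIMER;
        msg->wParam = st->timer.id;
    } else {
        msg->message = 0;     /* WM_NULL: any other message, ignored below */
        msg->wParam = 0;
    }
    return true;
}

/* The "working function" (the payload body). It must run exactly once. */
static void working_function(loop_state *st) { st->work_calls++; }

/* Stand-in for the message handling that decides when the worker runs. */
static void handle_message(loop_state *st, const MSG *msg) {
    if (msg->message != WM_TIMER || msg->wParam != st->timer.id) return;
    if (st->timer.fired < st->required_ticks) return;   /* condition not met yet */
    sim_kill_timer(st);       /* no further WM_TIMER, so no second call */
    working_function(st);
    st->done = true;          /* equivalent of posting WM_QUIT */
}

/* The modelled Main(): set the timer, pump messages until WM_QUIT or the
 * iteration cap (a guard for the simulation only) is reached. */
loop_result run_timer_loop(unsigned interval_ms, unsigned required_ticks,
                           unsigned slice_ms, unsigned max_iterations) {
    loop_state st = {0};
    st.required_ticks = required_ticks;
    sim_set_timer(&st, 1, interval_ms);

    MSG msg;
    for (unsigned i = 0; i < max_iterations && sim_get_message(&st, &msg, slice_ms); i++)
        handle_message(&st, &msg);

    loop_result r = { st.work_calls, st.timer.fired, st.clock_ms };
    return r;
}

int main(void) {
    loop_result r = run_timer_loop(1000, 3, 250, 100000);
    printf("worker ran %u time(s) after %u simulated ms (%u WM_TIMER)\n",
           r.work_calls, r.elapsed_ms, r.timer_fired);
    return 0;
}
```

The point the model makes visible is that nothing happens until the timer has fired enough times: with a 1000 ms interval and a three-tick condition the worker runs once at 3000 ms, and a run that stops after a handful of loop iterations never calls it. When reproducing such a sample, budget for the timer delay (or patch the interval) before concluding that the payload does nothing.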