The malware identified first as Anchor. The anchor is a sophisticated backdoor that served as a module to a subset of TrickBot installations. Operating since August 2018 it is not delivered to everybody, but the contrary is delivered only to high-profile targets. Since its C2 communication scheme is very similar to the one implemented in the early TrickBot, multiple experts believe it could be attributed to the same authors. Due to similarities in code and usage of the two different malware families in the same intrusions. In 2020 the Bazar malware family entered and again many associated it with the same group behind Trickbot. Below are the latest indicators of compromise.
Credits : Research by ExecuteMalware
Indicators of Compromise
THREAT IDENTIFICATION: BAZARCALL
marcoaurelio3351@ibest [.]com [.]br
tobolaja@gabrieljuliano [.]com [.]br
Do you want to extend your free trial KRB44272035?
Thank you for using your free trial BCS87227489 [.] Time to move on!
Want to extend your free trial BCS19037460?
Want to extend your free trial BCS26389287?
Your free trial BCS72129127 is about to end!
Your free trial KRB51243021 is about to end!
LURE PHONE NUMBER
1 (323) 672 3498
MALDOC DOWNLOAD URLS
https://bluecartservice [.]com/unsubscribe [.]html
https://icartservice [.]org/unsubscribe [.]html
https://imedservice [.]org/unsubscribe [.]html
https://imerservice [.]net/unsubscribe [.]html
https://merservice [.]org/unsubscribe [.]html
https://bluecartservice [.]com/request [.]php
https://icartservice [.]org/request [.]php
https://imedservice [.]org/request [.]php
https://imerservice [.]net/request [.]php
https://merservice [.]org/request [.]php
MALDOC FILE HASHES
PAYLOAD DOWNLOAD URL
First a post to:
http://aras [.]iuc [.]ac/wp-content/plugins/wordpress-seo/css/dist/gerte523d [.]exe
PAYLOAD FILE HASH
https://52 [.]90 [.]97 [.]160
I also found these files in \Users\public:
All 3 have MZ headers
[.]j56 and [.]xlsb have the same file hash
https://urlhaus [.]abuse [.]ch/browse [.]php?search=98aca6c94ef680b24885d1462ccc36af