Deep Dive into the Recent BazarCall Campaign: Analyzing the Attack Vector and Tactics Employed

Alex Morgan — Threat Intelligence Analyst

Key Takeaways

  • The BazarCall campaign demonstrates the increasing sophistication of social engineering tactics in initial access.
  • Malware communication is often obscured through various encryption techniques and relies on legitimate services for command and control.
  • Understanding lateral movement strategies employed by the threat actor can significantly bolster incident response efforts.

Executive Summary

Our investigation into the recent BazarCall campaign revealed a well-orchestrated attack leveraging advanced social engineering techniques combined with known malware frameworks. The actor’s initial access vector primarily relied on phishing emails that masqueraded as legitimate communications, enticing users to interact with malicious content. This post delves deeply into the methods we observed during our analysis, focusing on the attack chain from initial access to the potential impacts on compromised environments.

Initial Access

The initial access in the BazarCall campaign stemmed from a series of sophisticated phishing attempts. During the investigation, we unearthed emails containing hyperlinks to fake landing pages that expertly mirrored legitimate branding. Upon clicking the link, users were prompted to provide their credentials, inadvertently giving the actor a foothold in their networks. The URLs used in this campaign often included subdomains of trusted services, increasing the likelihood of user interaction. For instance, samples pointed to domains like myservice.example.com, effectively bypassing the initial red flags that users might raise when encountering dubious domains.

Execution & Persistence

Following the successful credential capture, our analysis revealed the deployment of BazarLoader, which served as the dropper for later payloads. This malware exhibited persistence via techniques involving scheduled tasks and Windows services. Specifically, BazarLoader created a task under the name BazarService, which routinely contacted a remote server for instructions. We noted entries in the registry at HKCU\Software\Microsoft\Windows\CurrentVersion\Run potentially linked to this persistence mechanism, ensuring that the implant executed even after user logoff.
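The persistence artefacts described above (a scheduled task and a Run-key entry) are straightforward to hunt for in endpoint telemetry. The following detector is an added illustration, not code from the original report: it takes Windows Security event 4698 (scheduled task created) and Sysmon event 13 (registry value set) records, already parsed into dictionaries, and flags tasks whose name is not on an allowlist or whose command launches from a user-writable directory, plus Run-key values pointing at such directories. The event records, the allowlist and the field names are constructed for this example.

```python
"""Flag scheduled-task and Run-key persistence not tied to known applications.
Event records are constructed for illustration; field names are assumptions."""
import re
from typing import Iterable

# Directories an unprivileged user can write to; a task or Run entry that
# launches from one of these is a classic persistence red flag.
USER_WRITABLE = re.compile(
    r"(\\Users\\[^\\]+\\AppData\\|\\Temp\\|\\ProgramData\\|\\Public\\)", re.IGNORECASE)

# Hypothetical allowlist of task names the organisation has vetted.
KNOWN_TASKS = {
    "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
    "\\Microsoft\\Office\\OfficeTelemetryAgentLogOn",
}

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)


def flag_persistence(events: Iterable[dict]) -> list[dict]:
    """Return one alert per suspicious task creation or Run-key write."""
    alerts = []
    for ev in events:
        if ev["event_id"] == 4698:  # Security log: a scheduled task was created
            name, cmd = ev["task_name"], ev["command"]
            reasons = []
            if name not in KNOWN_TASKS:
                reasons.append("task name not in allowlist")
            if USER_WRITABLE.search(cmd):
                reasons.append("command launches from user-writable path")
            if reasons:
                alerts.append({"host": ev["host"], "type": "scheduled_task",
                               "name": name, "reasons": reasons})
        elif ev["event_id"] == 13 and RUN_KEY.search(ev["target"]):  # Sysmon: Run-key value set
            if USER_WRITABLE.search(ev["details"]):
                alerts.append({"host": ev["host"], "type": "run_key",
                               "name": ev["target"].rsplit("\\", 1)[-1],
                               "reasons": ["Run value launches from user-writable path"]})
    return alerts


# Constructed sample telemetry: one benign task, one task mimicking the
# BazarService name from the report, one benign and one suspicious Run value.
SAMPLE_EVENTS = [
    {"event_id": 4698, "host": "WS01",
     "task_name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "command": "C:\\Windows\\System32\\defrag.exe"},
    {"event_id": 4698, "host": "WS02", "task_name": "\\BazarService",
     "command": "C:\\Users\\jdoe\\AppData\\Roaming\\svc.exe"},
    {"event_id": 13, "host": "WS02",
     "target": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "details": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\upd.exe"},
    {"event_id": 13, "host": "WS03",
     "target": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth",
     "details": "C:\\Windows\\System32\\SecurityHealthSystray.exe"},
]

if __name__ == "__main__":
    for alert in flag_persistence(SAMPLE_EVENTS):
        print(alert)
```

The allowlist is the part that needs tuning per environment; a 4698 event fires for every new task, so without it the rule is noisy. The user-writable-path check is the stronger signal on its own, since vetted software rarely schedules binaries out of AppData or Temp.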

Command and Control

As the implant gained a foothold, our examination of network logs revealed communication with command and control (C2) servers using TLS encryption, aiming to obscure the traffic from network monitoring tools. These C2 servers, registered under seemingly benign domains, utilized a combination of dynamic DNS and obfuscation techniques to maintain resilience against takedowns. The C2 communication generally involved an initial beacon to check in, which would subsequently command the implant to execute additional payloads, as verified by the traffic patterns we observed in conjunction with the unique User-Agent strings employed.
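The three C2 traits noted above (periodic beaconing, dynamic-DNS hostnames, and a distinctive User-Agent) can be scored together from outbound proxy or TLS-inspection records. The beacon hunter below is an added example and not part of the original report; it groups connections by source and destination, measures how regular the check-in interval is, and adds the other two indicators as independent reasons. The pipe-delimited log lines, the dynamic-DNS suffix list and the User-Agent allowlist are all constructed placeholders.

```python
"""Score outbound connections for C2 beaconing traits.
Log lines, suffix list and agent allowlist are constructed for illustration."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed placeholder dynamic-DNS suffixes; a real deployment would use a feed.
DYNDNS_SUFFIXES = ("dyn-example.net", "ddns-example.org")
# Constructed allowlist of User-Agent prefixes the organisation expects to see.
KNOWN_AGENT_PREFIXES = ("Mozilla/5.0", "Microsoft-CryptoAPI")

MIN_CONNECTIONS = 4   # need enough samples before judging regularity
MAX_JITTER = 0.15     # coefficient of variation below this reads as machine-regular


def parse(line: str) -> tuple:
    """Record format (assumed): ISO timestamp | source IP | destination host | User-Agent."""
    ts, src, dst, ua = line.split("|", 3)
    return datetime.fromisoformat(ts), src, dst, ua


def find_beacons(lines) -> list[dict]:
    sessions = defaultdict(list)  # (src, dst) -> [(timestamp, user-agent), ...]
    for line in lines:
        ts, src, dst, ua = parse(line.strip())
        sessions[(src, dst)].append((ts, ua))

    findings = []
    for (src, dst), hits in sessions.items():
        hits.sort()
        reasons = []
        if len(hits) >= MIN_CONNECTIONS:
            gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
            avg = mean(gaps)
            cv = pstdev(gaps) / avg if avg > 0 else 1.0  # relative jitter
            if cv < MAX_JITTER:
                reasons.append(f"regular interval ~{avg:.0f}s (cv={cv:.2f})")
        if dst.endswith(DYNDNS_SUFFIXES):
            reasons.append("dynamic DNS hostname")
        if any(not ua.startswith(KNOWN_AGENT_PREFIXES) for _, ua in hits):
            reasons.append("unrecognised user-agent")
        if reasons:
            findings.append({"src": src, "dst": dst, "count": len(hits), "reasons": reasons})
    return findings


# Constructed sample log: one host checking in every ~5 minutes with an odd
# agent to a dynamic-DNS name, and one host browsing normally.
SAMPLE_LOG = [
    "2024-05-01T10:00:00|10.0.0.5|upd.dyn-example.net|BzrClient/1.0",
    "2024-05-01T10:00:10|10.0.0.7|www.example.com|Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
    "2024-05-01T10:00:55|10.0.0.7|www.example.com|Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
    "2024-05-01T10:05:00|10.0.0.5|upd.dyn-example.net|BzrClient/1.0",
    "2024-05-01T10:07:30|10.0.0.7|www.example.com|Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
    "2024-05-01T10:10:02|10.0.0.5|upd.dyn-example.net|BzrClient/1.0",
    "2024-05-01T10:14:59|10.0.0.5|upd.dyn-example.net|BzrClient/1.0",
    "2024-05-01T10:20:01|10.0.0.5|upd.dyn-example.net|BzrClient/1.0",
    "2024-05-01T10:42:00|10.0.0.7|www.example.com|Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
]

if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG):
        print(finding)
```

Because the traffic is TLS, the hostname comes from the SNI or the proxy CONNECT target rather than the payload; the User-Agent is only available where the proxy terminates TLS. Run on real data the interval check should be applied per day-window, since implants that sleep for hours between beacons will not reach MIN_CONNECTIONS in a short capture.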

Lateral Movement & Discovery

Lateral movement was evident as the actor utilized the same set of credentials to traverse the network. Techniques such as T1210 – Exploitation of Remote Services facilitated access to remote hosts, whilst tools like PowerShell were employed for enumeration and credential dumping. During our analysis, we identified unusual PowerShell commands executing from various endpoints, indicating queries against Active Directory by scripts that attempted to list users, groups, and permissions. This reconnaissance effort appeared designed to identify high-value targets for subsequent attacks.
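The Active Directory enumeration described above leaves a clear trail in PowerShell script block logging (event 4104). As an added example, not code from the original report, the scorer below groups script blocks by host, tags each with the kind of directory query it performs, and raises a finding when a host performs several distinct kinds of enumeration, or when a non-administrative host issues a bulk directory query. The script blocks, the host names and the administrative-host list are constructed; the cmdlet patterns are standard ActiveDirectory module and net.exe syntax.

```python
"""Score PowerShell script blocks for Active Directory enumeration patterns.
Sample events and the admin-host list are constructed for illustration."""
import re
from collections import defaultdict

# Each category is one kind of directory reconnaissance; an admin running one
# of these is routine, a workstation running several in sequence is not.
ENUM_PATTERNS = {
    "user_enum":  re.compile(r"Get-ADUser\b|net\s+user\s+\S+\s+/domain", re.IGNORECASE),
    "group_enum": re.compile(r'Get-ADGroup(Member)?\b|net\s+group\s+"?[^"]+"?\s+/domain', re.IGNORECASE),
    "host_enum":  re.compile(r"Get-ADComputer\b|Get-ADDomainController\b", re.IGNORECASE),
    "bulk_query": re.compile(r"-Filter\s+\*|\[adsisearcher\]", re.IGNORECASE),
}

# Constructed: hosts where interactive AD administration is expected.
ADMIN_HOSTS = {"JUMP01"}


def score_script_blocks(events, threshold: int = 3) -> list[dict]:
    """Return one finding per host that ran at least one enumeration category."""
    categories_by_host = defaultdict(set)
    for ev in events:
        for category, pattern in ENUM_PATTERNS.items():
            if pattern.search(ev["script"]):
                categories_by_host[ev["host"]].add(category)

    findings = []
    for host, cats in categories_by_host.items():
        breadth = len(cats) >= threshold                    # many kinds of recon
        bulk_from_workstation = host not in ADMIN_HOSTS and "bulk_query" in cats
        findings.append({"host": host, "categories": sorted(cats),
                         "suspicious": breadth or bulk_from_workstation})
    return sorted(findings, key=lambda f: f["host"])


# Constructed 4104-style events: WS02 sweeps users, groups and computers,
# JUMP01 does routine admin work, WS05 runs unrelated code, WS07 a single lookup.
SAMPLE_EVENTS = [
    {"host": "WS02", "script": "Get-ADUser -Filter * -Properties MemberOf | Select-Object Name,MemberOf"},
    {"host": "WS02", "script": "Get-ADGroupMember 'Domain Admins' -Recursive"},
    {"host": "WS02", "script": "Get-ADComputer -Filter * | Select-Object DNSHostName"},
    {"host": "JUMP01", "script": "Get-ADUser -Filter * -Properties LastLogonDate"},
    {"host": "WS05", "script": "Get-Process | Where-Object CPU -gt 100"},
    {"host": "WS07", "script": "net user jdoe /domain"},
]

if __name__ == "__main__":
    for finding in score_script_blocks(SAMPLE_EVENTS):
        print(finding)
```

Scoring on breadth rather than on any single cmdlet is what keeps this usable: help-desk staff legitimately run Get-ADUser all day, but a workstation that enumerates users, privileged groups and every computer object within one session is the reconnaissance pattern the report describes. Script block logging must be enabled by policy for 4104 events to exist at all.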

Impact & Objectives

The primary objective of the BazarCall campaign appears to revolve around data exfiltration and potential ransomware deployment. Indicators of compromise (IoCs) revealed exfiltration attempts targeting sensitive directories often associated with financial data and internal communications. Additionally, we uncovered references to known ransomware payloads slated for deployment once the actor had sufficiently mapped the network. The resilience of the infrastructure and the intricacy of the attack suggest an organization with significant resources and intentions to penetrate deeply into the victim networks.

MITRE ATT&CK Mapping

  • T1071.001 – Application Layer Protocol: Web Protocols: Utilized for C2 communication.
  • T1203 – Exploitation for Client Execution: Exploited weaknesses in user behavior through phishing.
  • T1105 – Ingress Tool Transfer: Transfer of tools for further exploitation.

Detection Opportunities

  • Monitor for unusual outbound TLS traffic to known dynamic DNS providers.
  • Implement alerts for scheduled task creation that is not tied to known applications.
  • Utilize endpoint detection tools to scan for anomalous PowerShell execution patterns during escalations.

Analyst Notes

The BazarCall campaign highlights the need for robust security awareness training among employees, as social engineering tactics become increasingly sophisticated. Special attention should be paid to incident response protocols to identify, contain, and remediate threats that exploit legitimate credentials. Moreover, regularly updating endpoint security measures and maintaining visibility into network traffic patterns will bolster defenses against similar attacks in the future.

Source: Original Report