By Xiaopeng Zhang | February 12, 2021
FortiGuard Labs Threat Research Report
Affected platforms: Microsoft Windows
Impacted parties: Windows Users
Impact: Control and collect sensitive information from the victim’s device, as well as deliver other malware.
Severity level: Critical
FortiGuard Labs recently detected a suspicious email through the SPAM monitoring system that was designed to trick a victim into opening a web page to download an executable file. Additional research on this executable file found that it is a new variant of the Bazar malware.
My analysis of this variant is being published in two parts. In the first part of the analysis, I explained how the Bazar loader was downloaded onto a victim’s device, how it communicates with its C2 server to obtain a Bazar file, and how that file is then injected into a newly-created “cmd.exe” process.
In this second part, I will focus on the Bazar payload file that runs inside the “cmd.exe” process. You will learn what new anti-analysis techniques this Bazar variant uses, how it communicates with its C2 server, what sensitive data it is able to collect from the victim’s device, and how it is able to deliver other malware onto the victim’s system.