Here is the bazarloader DLL sample extracted from an MFC parent file.
The bazarloader DLL is heavily obfuscated (it looks like the LLVM obfuscator), and the deobfuscation algorithm has been complicated in an intended way to make analysis ‘harder’.
e.g. inside ZwRaiseHardError, you can see that those additional mathematical operations are actually meaningless 🤔
hash = hash & (hash ^ 0xff000000)
The algorithm for the API hash calculation has been made complicated 🤔
and many more of these 😐
To make life easier, I've provided an IDA script that decrypts the Windows API function names 😃 and the C2 IPs -> here.
Decrypted Windows API function names -> here
Interesting way to force itself to spawn its own process
Hook ZwRaiseHardError of the newly created process (created in suspended mode, 0x4) -> WriteProcessMemory
-> replace its first 3 bytes with 0xc3c033
After that, the parent process quits and the child process continues at another branch, since it now satisfies the hash == 0xc3c033 condition.
Checking for the existence of antivirus products
Dr_Web -> HKCU\SOFTWARE\Dr_WEB
Avast -> aswhook.dll / HKCU\SOFTWARE\AVAST Software
Anti-Sandbox
Long sleep period (the number is random each time)
Decrypt C2 IP
After decryption, send the victim’s information via HttpSendRequest to one of the C2 IPs and receive a reply from that C2 IP. It loops to the next one if the current one fails.
Decrypt bazar domain
After decryption, try to connect to the bazar domains and receive something from them.
Decrypted function found:
inet_ntop
send
socket
select
recvfrom
So far my analysis only goes up to the C2 connection; I didn’t spend much time looking at what happens next (e.g. after a successful C2 connection).
Data sent
Date: <dayname>, dd mm yyyy hh:mm::ss <zone>
Cookie: <random>=<base64 of the BCrypt-signed SHA384 hash of "<dayname>, dd mm yyyy hh:mm::ss <zone>">
Flow of how this data is generated:
BCryptOpenAlgorithmProvider
RSA3 key blob decryption routine
BCryptImportKeyPair
BCryptGetProperty (KeyLength ObjectLength HashDigestLength)
BCryptCreateHash
BCryptHashData
BCryptFinishHash -> Get SHA384 Hash Blob
BCryptSignHash -> Get encrypted blob for base64 later
CryptBinaryToStringA -> encode the signature blob as base64
IoCs:
164[.]90.166.155
161[.]35.205.250
164[.]90.174.188
161[.]35.195.78
<IP>/plant/reed
blackrain15[.]bazar
reddew28c[.]bazar
bluehail[.]bazar
whitestorm9p[.]bazar
DLL SHA256
70C9E46ECA2778E28639A41FBB7D3CBFFCD758724C0885DE4430AF5D1BA40636
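As an added example (not part of the original write-up), here is a small Python checker that turns the IoCs above and the Cookie shape described under "Data sent" into detection logic over constructed proxy/DNS log lines. The log formats, the 128-byte minimum for the decoded cookie value and the "beacon-pattern" heuristic are my assumptions; the write-up does not state the RSA key size.

```python
import base64
import re

def refang(ioc):
    """Turn a defanged indicator ("1[.]2.3.4") back into its raw form for matching."""
    return ioc.replace("[.]", ".")

# Indicators copied from the IoC section of this write-up, refanged for matching.
C2_IPS = {refang(ip) for ip in (
    "164[.]90.166.155", "161[.]35.205.250", "164[.]90.174.188", "161[.]35.195.78")}
BAZAR_DOMAINS = {refang(d) for d in (
    "blackrain15[.]bazar", "reddew28c[.]bazar", "bluehail[.]bazar", "whitestorm9p[.]bazar")}
C2_PATH = "/plant/reed"
# One <random>=<base64> pair, the shape described for the beacon's Cookie header.
COOKIE_RE = re.compile(r"^([A-Za-z0-9]+)=([A-Za-z0-9+/]+={0,2})$")

def looks_like_signed_cookie(cookie):
    """True if the cookie value is valid base64 decoding to at least 128 bytes
    (assumed lower bound for the RSA signature; the write-up gives no key size)."""
    m = COOKIE_RE.match(cookie.strip())
    if not m:
        return False
    try:
        return len(base64.b64decode(m.group(2), validate=True)) >= 128
    except ValueError:  # binascii.Error is a ValueError subclass
        return False

def classify(line):
    """Verdict for one constructed log line, or None for benign. Assumed formats:
    'PROXY <src> <dst_ip> <method> <path> <Cookie value>'  or  'DNS <src> <queried name>'"""
    parts = line.split(maxsplit=5)
    if len(parts) == 3 and parts[0] == "DNS":
        return "bazar-domain" if parts[2].lower() in BAZAR_DOMAINS else None
    if len(parts) == 6 and parts[0] == "PROXY":
        dst, path, cookie = parts[2], parts[4], parts[5]
        if dst in C2_IPS and path == C2_PATH:
            return "known-c2-beacon"
        if path == C2_PATH and looks_like_signed_cookie(cookie):
            return "beacon-pattern"  # same path and cookie shape, destination not yet listed
        if dst in C2_IPS:
            return "known-c2-ip"
    return None
# Constructed sample log lines (not real traffic); the cookie is base64 of 256 filler bytes.
SIGNED_COOKIE = "a1b2c3=" + base64.b64encode(b"\x5a" * 256).decode()
SAMPLE_LOG = [
    "PROXY 10.0.0.5 164.90.166.155 GET /plant/reed " + SIGNED_COOKIE,
    "PROXY 10.0.0.5 203.0.113.9 GET /plant/reed " + SIGNED_COOKIE,
    "PROXY 10.0.0.7 93.184.216.34 GET /index.html session=abc",
    "DNS 10.0.0.5 blackrain15.bazar",
]
```

Run `classify` over each line of a log; the "beacon-pattern" verdict is the one worth tuning, since it fires on request shape alone and will catch a rotated C2 address the IoC list does not yet contain.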