In the wake of a series of attacks on US healthcare targets, NHS Digital has warned UK health service organisations to be on the alert after clocking a significant rise in usage of various loaders, including Bazar and Buer, almost certainly a result of the Microsoft-led takedown of the Trickbot trojan-turned-botnet in October 2020.
Bazar, a modular toolset designed by Trickbot’s operators, Wizard Spider, incorporates much of the same functionality as Trickbot, while Buer, first observed in 2019, is sold as a cheaper alternative malware-as-a-service dropper.
NHS Digital said it assessed that Bazar in particular is now Wizard Spider’s primary post-access tool, and multiple security research teams have corroborated this.
Cofense Intelligence researchers said the increased use of Bazar to deliver Ryuk did indeed track closely with the disruption of Trickbot operations.
“In recent weeks, we assess with high confidence that BazarBackdoor has been Ryuk’s most predominant loader,” said the firm. “With lower confidence, we assess this wave of Ryuk activity may be, in part, in retaliation for September’s TrickBot disruptions.”
Bazar’s components are most often delivered in spear phishing campaigns operated via Sendgrid, a bona fide email marketing service. The emails contain links to Microsoft Office or Google Docs files, and the lure usually relates to a threat of employee termination or a debit payment.
In turn, these emails link to the initial payload, a headless preliminary loader that ultimately downloads, unpacks and loads Bazar. The firm added that newer campaigns seem to forgo the spam distribution in favour of human-operated attacks against exposed admin interfaces or cloud services.
Typically, once they have gained control of the target system using Bazar, Wizard Spider will download a post-exploitation toolkit, such as Cobalt Strike or Metasploit, to gather target information and enumerate the network. At that point they will harvest credentials to move into other systems and compromise the entire network, and then they will deploy Ryuk ransomware. NHS Digital said current Bazar campaigns could accomplish this in under five hours.
Buer, meanwhile, is also spread through spear phishing, and can also ultimately result in a Ryuk ransomware attack.
“This year, devastating ransomware attacks have unfortunately been a gold rush for cyber criminals, and it’s unlike anything the cyber security industry has ever experienced,” said Peter Mackenzie, incident response manager at Sophos. “Nearly 85% of the attacks that [recently launched] Sophos Rapid Response has been involved in so far included ransomware – notably Ryuk, REvil/Sodinokibi and Maze – and I can say with confidence that most of the other attacks that we were called in to stop would have also resulted in ransomware, had we not acted so quickly.
“Readily accessible tools make it possible for attackers to net bigger pay-outs in one week’s worth of work than most people will make in their lifetime. Criminals infiltrate networks and stealthily plan their attacks in the background before strategically launching ransomware as the final payload – often during the overnight hours when no one is watching in order to execute on as many machines as possible.”
Mackenzie added: “Sophos Rapid Response takes immediate action to extinguish the fire, which in the case of a hospital that we helped this month after it was hit by Ryuk ransomware and was forced to shut down, meant the difference of life or death.”
NHS Digital has produced indicators of compromise, along with specific remediation advice to enable NHS organisations to prevent and detect Bazar and Buer infections.