Trojan:Win64/Bazarcrypt
Aliases: No associated aliases
Summary
Microsoft Defender Antivirus detects and removes this threat.
Bazaloader, also known as Bazarloader, is malware that is increasingly used in sophisticated threat campaigns. Attacks involving BazaLoader rely on social engineering and use distinctive attack chains designed to evade security solutions. Attackers send phishing emails containing links to Google documents, which in turn lead to other documents embedded with links that download the Bazaloader malware onto the target device.
Bazaloader provides an initial foothold and paves the way for hands-on-keyboard activity. It enables the delivery of second-stage toolkits, commonly Cobalt Strike, which in turn enable reconnaissance and lateral movement within the compromised network.
BazaLoader is a serious threat that is relatively proficient at evading certain detection mechanisms. It highlights the continued presence of human-operated ransomware and how these threats rely on common security weaknesses.
Read the following blogs for details:
Microsoft Defender Antivirus automatically removes threats as they are detected. If you have cloud-delivered protection, your device gets the latest defenses against new and unknown threats. If you don't have this feature enabled, update your antimalware definitions and run a full scan to remove this threat.
To help reduce the impact of this threat, you can:
- Immediately isolate the affected device. If BazaLoader has been launched, it is likely that the device is under complete attacker control.
- Contact the device owner to confirm whether they have accessed a possible phishing site and have inadvertently disclosed credentials.
- Investigate how the affected device might have been compromised. Check web traffic to determine how this malware arrived. Check the user mailbox for unsolicited emails containing unexpected attachments.
- Identify the accounts that have been used on the affected device and consider these accounts compromised. Reset passwords or decommission the accounts.
- If credentials have been disclosed, check for any unusual activities and unexpected logons using the compromised account. Check for unusual mailbox access and attempts to collect data from the mailbox.
- Investigate the device timeline for indications of lateral movement activities using one of the compromised accounts. Check for additional tools, such as Cobalt Strike, that attackers might have dropped to enable credential access, lateral movement, and other attack activities.
- Prevent subsequent attacks by adjusting spam and phishing filtering policies based on the characteristics of the campaign email.
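As an added illustration of the investigation steps above (this is example code written for this page, not Microsoft tooling), the following Python script runs three of the checks over two small constructed log extracts: a web proxy log and a sign-in log. It flags a device where a Google Docs visit is followed within a short window by an executable download from another domain (the delivery chain described in the summary), lists every account seen on that device so they can be treated as compromised, and reports successful sign-ins by those accounts from addresses they had never used before the incident. All host names, user names, IP addresses, URLs and timestamps are invented; the `.invalid` domains and documentation address ranges are placeholders, and the ten-minute window and executable MIME types are assumptions you would tune to your own proxy's logging.

```python
"""Constructed triage example for the response steps above (not Microsoft's code)."""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed proxy log: time, user, device, url, mime type (invented data).
PROXY_LOG = """\
2021-05-03T09:12:10,alice,WS-0417,https://docs.google.com/document/d/abc123/edit,text/html
2021-05-03T09:12:44,alice,WS-0417,https://docs.google.com/document/d/abc123/export?format=pdf,application/pdf
2021-05-03T09:13:05,alice,WS-0417,https://example-cdn.invalid/Report_Preview.exe,application/x-msdownload
2021-05-03T09:30:00,bob,WS-0102,https://docs.google.com/spreadsheets/d/xyz/edit,text/html
2021-05-03T11:02:31,carol,WS-0417,https://intranet.corp.invalid/portal,text/html
2021-05-03T14:45:12,bob,WS-0102,https://updates.vendor.invalid/setup.exe,application/x-msdownload
"""

# Constructed sign-in log: time, user, source ip, result (invented data).
SIGNIN_LOG = """\
2021-05-02T08:01:00,alice,10.20.0.15,Success
2021-05-02T08:05:00,carol,10.20.0.44,Success
2021-05-03T09:14:50,alice,10.20.0.15,Success
2021-05-03T10:02:11,alice,198.51.100.23,Success
2021-05-03T10:03:40,carol,203.0.113.7,Failure
2021-05-03T10:04:02,carol,203.0.113.7,Success
"""

# Assumed indicators of an executable download; adjust to what your proxy records.
EXEC_MIME = {"application/x-msdownload", "application/x-dosexec", "application/octet-stream"}
EXEC_EXT = (".exe", ".dll", ".msi", ".scr")
CHAIN_WINDOW = timedelta(minutes=10)  # assumed gap between lure document and download


def parse_csv(text):
    """Parse the comma-separated extracts above into (datetime, field, ...) tuples, oldest first."""
    rows = []
    for line in text.strip().splitlines():
        fields = line.split(",")
        rows.append((datetime.fromisoformat(fields[0]), *fields[1:]))
    rows.sort(key=lambda r: r[0])
    return rows


def is_executable(url, mime):
    path = urlparse(url).path.lower()
    return mime in EXEC_MIME or path.endswith(EXEC_EXT)


def find_lure_chains(proxy_text):
    """Devices where a docs.google.com visit is followed within CHAIN_WINDOW by an
    executable download from a non-Google domain. One hit per (device, payload)."""
    rows = parse_csv(proxy_text)
    hits, seen = [], set()
    for i, (t, _user, host, url, _mime) in enumerate(rows):
        if urlparse(url).hostname != "docs.google.com":
            continue
        for t2, user2, host2, url2, mime2 in rows[i + 1:]:
            if host2 != host or t2 - t > CHAIN_WINDOW:
                continue  # other device, or too long after the lure was opened
            domain = urlparse(url2).hostname or ""
            key = (host, url2)
            if is_executable(url2, mime2) and not domain.endswith("google.com") and key not in seen:
                seen.add(key)
                hits.append({"host": host, "user": user2, "lure": url, "payload": url2})
    return hits


def accounts_on_host(proxy_text, host):
    """Every account that used the affected device; the steps above treat all of them as compromised."""
    return {user for _t, user, h, _url, _mime in parse_csv(proxy_text) if h == host}


def unusual_logons(signin_text, users, baseline_before):
    """Successful sign-ins by a compromised account, after `baseline_before` (ISO timestamp),
    from an address that account never signed in from before that point."""
    cutoff = datetime.fromisoformat(baseline_before)
    rows = parse_csv(signin_text)
    baseline = defaultdict(set)
    for t, user, ip, result in rows:
        if t < cutoff and result == "Success":
            baseline[user].add(ip)
    return [(t.isoformat(), user, ip) for t, user, ip, result in rows
            if t >= cutoff and user in users and result == "Success" and ip not in baseline[user]]


if __name__ == "__main__":
    for hit in find_lure_chains(PROXY_LOG):
        print("lure chain:", hit)
        compromised = accounts_on_host(PROXY_LOG, hit["host"])
        print("accounts to reset on", hit["host"], "->", sorted(compromised))
        for entry in unusual_logons(SIGNIN_LOG, compromised, "2021-05-03T00:00:00"):
            print("unexpected logon:", entry)
```

Note that bob's device is not flagged even though it shows both a Google Docs visit and an executable download: the two events are hours apart, so the script reports only sequences that look like a lure followed promptly by a payload fetch. In a real investigation you would feed it exports from your proxy and identity provider and widen or narrow the window based on what the campaign email actually did.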
You can also visit our advanced troubleshooting page or search the Microsoft community for more help.