Bazar is a trojan – a malicious Windows infection. Bazar injects a backdoor into processes like cmd, explorer, and svchost. It steals files and downloads malware (file-encrypting ransomware, spyware, etc.).
Bazar is also known as Team9 malware. It’s created by the same developers as Trickbot, another infamous trojan. Sometimes, Bazar is referred to by the names BazarLoader and BazaLoader.
| About Bazar trojan | |
|---|---|
| Classification | Loader (installs other malware), backdoor (method to get inside the infected computer undetected) |
| Bazar trojan’s main features | It can download and run malicious programs, and it can steal files. |
| How to avoid trojan infections | Show file extensions and don’t open suspicious files; never enable macros in documents. |
| How to remove Bazar | Use antivirus programs (Spyhunter, Malwarebytes, others); reset your passwords. |
How does Bazar trojan work?
Bazar spreads with phishing emails
We wrote recently about how the Bazar trojan is distributed in a malicious Excel document – a file disguised as a subscription cancellation form (free trial expiration scam, also known as BazarCall). The BazarCall scam can be pretty convincing, but what happens if the trojan gets on your computer? And how would you recognize it if it had already infected your machine?
In general, Bazar spreads in phishing emails. According to the analysts at Cybereason (A Bazar of Tricks: Following Team9’s Development Cycles), Bazar is downloaded by infected executable files that are disguised as documents and shared in phishing emails.
These emails are sent to the employees of various companies and organizations. But anyone can receive malicious spam, including messages carrying Bazar, so everyone should be careful.
Bazar can download other malware
Here are a few of Bazar trojan’s features:
- It’s a loader. It can download additional malware and instructions.
- Bazar is persistent. It doesn’t disappear after a reboot.
- It is evasive. It is difficult for antivirus scanners to detect, and its fileless features make it even harder to find.
Once Bazar is downloaded, it installs a backdoor by injecting it into a legitimate Windows process. This backdoor talks over the internet to its command and control server, from which it receives instructions. Here’s what the Bazar backdoor can do:
- Download files and run them.
- Run scripts (command line instructions).
- Terminate processes that are running on your computer.
- Upload files from your computer to its command and control server.
Bazar can download file-encrypting ransomware, spyware, and other malicious software. It can steal files, or steal login credentials and use them to hack other computers and accounts.
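Because the backdoor lives inside a legitimate process and has to talk to its command and control server, one practical triage step is to list which of the processes named above currently hold internet connections. The script below is an added example, not code from the article or from any analysis it cites; it assumes Windows 8 / Server 2012 or newer (for Get-NetTCPConnection) and an elevated PowerShell so that every process is visible.

```powershell
# Added example (not from the original article): list established, non-local
# TCP connections owned by the processes the article names as injection
# targets (cmd, explorer, svchost), so an analyst can review where they talk to.
# This is a triage list, not a verdict: svchost.exe legitimately talks to the
# internet all the time, while cmd.exe normally has no reason to hold an
# outbound internet connection.

function Test-PrivateAddress {
    param([string]$Ip)
    # Loopback, link-local, RFC 1918 ranges and IPv6 local scopes are skipped.
    return $Ip -match '^(127\.|10\.|192\.168\.|169\.254\.|172\.(1[6-9]|2\d|3[01])\.|::1$|fe80:|fc|fd)'
}

function Get-SuspectConnections {
    param([string[]]$ProcessNames = @('cmd', 'explorer', 'svchost'))

    # Index running processes by PID so each connection can be mapped to a name and path.
    $byPid = @{}
    Get-Process | ForEach-Object { $byPid[$_.Id] = $_ }

    Get-NetTCPConnection -State Established |
        Where-Object { -not (Test-PrivateAddress $_.RemoteAddress) } |
        ForEach-Object {
            $proc = $byPid[[int]$_.OwningProcess]
            if ($proc -and $ProcessNames -contains $proc.ProcessName) {
                [pscustomobject]@{
                    Process       = $proc.ProcessName
                    PID           = $proc.Id
                    Path          = $proc.Path          # null for protected processes
                    RemoteAddress = $_.RemoteAddress
                    RemotePort    = $_.RemotePort
                }
            }
        }
}

# Usage: review the list; a cmd.exe or explorer.exe entry pointing at an
# unfamiliar public address is worth a closer look with an anti-malware scan.
Get-SuspectConnections | Sort-Object Process, RemoteAddress | Format-Table -AutoSize
```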
How to avoid Bazar and how to remove it
How to protect yourself from trojans
Knowing that Bazar spreads in phishing emails, you can do a few things to avoid getting your device infected:
Display file type extensions.
Windows hides file extensions by default, probably to stop people from accidentally changing them (and being unable to open their files). But it is important to see extensions in order to catch malware. Change your settings to see file extensions.
Do not enable macros
The BazarCall scam used malicious macros in Microsoft Office documents to download the trojan. Office programs disable macros by default precisely for this reason. Do not enable macros – do not click the “Enable Content” button on a document, especially if the document instructs you to.
In fact, you can change your Office settings to hide macro notifications (Enable or disable macros in Office files).
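Both settings described above (showing file extensions and disabling macros without notification) can be applied from PowerShell instead of clicking through the dialogs. The script below is an added example, not from the original article; it assumes Office 2016/2019/365, whose per-user settings live under the `16.0` registry key, and changes only the current user's settings, so it needs no elevation.

```powershell
# Added example (not from the original article): apply the two hardening
# settings the article recommends through the per-user registry hives.

# 1. Show file extensions in Explorer (HideFileExt = 0 means "do not hide").
$explorerKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $explorerKey -Name 'HideFileExt' -Value 0 -Type DWord

# Explorer reads this value when it starts, so restart the shell (or sign out).
Stop-Process -Name explorer -Force
Start-Sleep -Seconds 2
if (-not (Get-Process -Name explorer -ErrorAction SilentlyContinue)) {
    Start-Process explorer.exe   # only needed if Windows did not restart it itself
}

# 2. Disable macros without notification (VBAWarnings = 4).
#    Values: 1 = enable all, 2 = disable with notification (default),
#            3 = disable except digitally signed, 4 = disable all, no notification.
#    '16.0' is assumed to be the installed Office version key; adjust if different.
$officeVersion = '16.0'
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU:\Software\Microsoft\Office\$officeVersion\$app\Security"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value 4 -Type DWord
}

# Verify: HideFileExt should read 0 and every VBAWarnings should read 4.
Get-ItemProperty -Path $explorerKey -Name 'HideFileExt' | Select-Object HideFileExt
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU:\Software\Microsoft\Office\$officeVersion\$app\Security"
    Get-ItemProperty -Path $key -Name 'VBAWarnings' |
        Select-Object @{ n = 'App'; e = { $app } }, VBAWarnings
}
```

Office applications that are already open keep the previous macro setting until they are closed and reopened.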
Use good antivirus programs
To catch infected documents, malicious executables, and other threats, it helps to use a powerful antivirus program. Do not trust your antivirus software to be perfect, though. Bazar and other trojans can be difficult to catch.
How to delete Bazar and other malware
Find and delete malicious files
Depending on what other malware Bazar might have downloaded, the cleanup process might be different. You can start by scanning your device with an anti-malware program that you trust, such as Spyhunter or Malwarebytes.
Based on the files (indicators of compromise) listed in the Fox-IT post In-depth analysis of the new Team9 malware family, antivirus scanners flag Bazar as Malware, Trojan.Agent, Trojan.Downloader, Trojan.Generic, Suspicious, etc.
Additionally, you might want to reset your passwords. Bazar might have exfiltrated data including your login credentials, so once it’s deleted, you should make sure that nobody can use your passwords.
Automatic Malware removal tools