background image blue lines
Blog DomainTools Research

Holiday Bazar: Tracking a TrickBot-Related Ransomware Incident


On 21 December 2020, the start of the Christmas week, evidence emerged of a ransomware campaign leveraging BazarLoader (also referred to as KEGTAP) and linked to the TrickBot ransomware gang. Initially disclosed in a tweet, the campaign rapidly unfolded over the course of that day.

@_pr4gma tweet on December 21st, 2020

Based on discussions with intelligence partners and various network defenders, the adversaries responsible for this activity appeared to rapidly move from initial infection at victim locations to interactive operations en route to attempted ransomware deployment. In previous operations, TrickBot activity is associated with the deployment of Ryuk ransomware. At the time of this writing, DomainTools researchers were unable to confirm a final-stage payload for this specific campaign.

Although this specific campaign has since passed, it contains many lessons for network defenders and Cyber Threat Intelligence (CTI) professionals for monitoring and analyzing emerging campaigns to enable dynamic, flexible defense.

Initial Delivery and Download Vector

Analysis of the campaign indicates initial delivery takes place using a legitimate third-party email messaging or notification service. In this specific case, the adversary leveraged GreatResponse, used for email marketing and landing page design, to deliver seemingly benign-looking email messages with “Corporate Document” or similar themes. Observed link examples include the following:


 When accessed, a victim would see a landing page such as the following:

Fake/Phishing PDF Download page

The link would direct to a Portable Executable (PE) file, discussed in further detail below, hosted on Google Drive. Further execution would require the user to run the downloaded executable for follow-on exploitation to occur.

The above activity is consistent with observed TrickBot operations—as well as other entity tactics—using third-party services to evade detection and mitigation. For example, TrickBot gang campaigns have previously used third-party delivery services such as Sendgrid to distribute initial phishing messages. Follow-on payloads have also been hosted on cloud file storage sites, such as Google Drive, as well.

Examining Droppers and Installers

Further activity requires not only user interaction with the phishing message (displaying the landing page link) and downloading the file hosted from Google Drive, but then executing the payload as well. 

Overall, as part of the completion of this “kill chain,” DomainTools researchers observed 18 samples of the next-stage payload. Naming conventions for these files matched the landing page themes, although DomainTools researchers expect more variants likely exist beyond our visibility.

SHA256MD5File Name
69aa97d3507d4ccf7dc0bd0a97cfe509edfbdf16734fcc40cd01d8dd659fd4504c52e80e6bb5452f42600ee7bb5c4ee7View Report.exe

One sample, “View Report.exe”, is a 32bit executable that appears to date from late November 2020 and from part of an earlier, undocumented campaign. The remaining samples are 64bit executables compiled on the day of the campaign, 21 December 2020. 

The executables in this campaign are signed with the same Sectigo code signing certificate, with the name “СКАРАБЕЙ” (Russian for “Scarab”) and a fingerprint value of “348F7E395C77E29C1E17EF9D9BD24481657C7AE7.” This certificate has since been revoked by the issuer.

Sectigo code signing certificate

While signed binaries are not new to ransomware or related operations (with notable signed examples including but not exclusive to Ryuk and LockerGoga variants), they continue to pose a threat to users as many applications and security products inherently trust code-signed items.

Following successful binary execution (through user interaction), the malware attempts to resolve and connect to one of at most two Command and Control (C2) servers embedded within the binary. Successful connectivity allows for further actions on target, including the attacker taking control of implants to launch further commands or move laterally within the victim environment.

Associated Network Infrastructure

As noted in the original Tweet sparking this investigation, there were several domains immediately identified as associated with this campaign. Further investigation and analysis of samples yielded additional items, shown in the following table:

DomainRegistrarCreate DateIPHosting ProviderSSL Certificate Hash
birch-psychology[.]comNAMECHEAP INC12/10/2020192.236.155.212Hostwinds LLC.2929ea338eb1a9aeb83aa8dcf0814812505995b8
busybjjj[.]comNAMECHEAP INC12/10/2020195.123.241.79ITL-Bulgaria Ltd.5a8da3e012eee5505a04e09a1e323acbb1c14b86
flourish-psychology[.]netNAMECHEAP INC12/10/2020192.119.171.165Madgeniusb93e985da0cc7d540c4ebddf9136dbf948e7522a
flux-psychology[.]comNAMECHEAP INC12/10/2020107.152.32.121ServerCheap INC4ee5e1eaaab74ccb04010b735b75d5b3b98a29b8
freekaratee[.]comNAMECHEAP INC12/10/202094.140.114.152SIA Nano ITdbd1959d1a0575219f265ed48bfe71ca422549bd
impactpsychcoloradoo[.]comNAMECHEAP INC12/10/2020185.82.127.115SIA Nano IT2852cb1c32b90554e5fd2b6b8e494c45d1e66e83
livingyoga-denver[.]comNAMECHEAP INC12/10/2020138.201.113.2Hetzner Online AG52b825408a1cb843e84d623e6506c29e807e1bd9
ustfitf[.]comNAMECHEAP INC12/10/2020195.123.240.192ITL-Bulgaria Ltd.e5add3d65ebeba577d383657148f92fd53f337f3

The identified network infrastructure serves as the next stage of the intrusion. Following malware installation, active C2 would be used to further exploitation of the victim, leading to likely ransomware activity.

Pivoting and Identifying Additional Items

At this stage, we as defenders are largely in a “reactive” state with respect to identifying indicators and characteristics of this BazarLoader campaign. While quickly ingesting and deploying defensive measures based on indicators and observables may represent an improvement over completely passive defense, it still leaves much to be desired.

Instead, by identifying characteristics inherent to the campaign—both its network infrastructure and malware samples—we can both gain greater knowledge of the attacker’s tendencies while enabling defense attuned to these tendencies. For the latter, this means adapting defense to the adversary’s fundamental behaviors as opposed to chasing specific examples of those behaviors as represented by indicators.

Network Observables

Looking at the domains identified above, several “themes” emerge:

  • Typical use of naming “themes” reflecting local service providers or small business entities, with an emphasis on “cleaning” companies.
  • Consistent use of NameCheap for registration purposes.
  • Almost exclusive use of the “.com” Top Level Domain (TLD).
  • Creation on the same day, 10 December 2020.
  • Hosting on various relatively small, privacy-focused Virtual Private Server (VPS) providers.
  • Use of Let’s Encrypt SSL certificates for encrypted communications.

As previously documented by DomainTools, these observations can be used to unearth additional C2 infrastructure for threat hunting or preemptive defensive purposes. Unfortunately, at first glance by plotting the above items using DomainTools Iris visualizations, there seems little in common on a technical level to enable successful pivoting to additional infrastructure.

DomainTools Iris Pivot Map

Yet a combination of limited technical details that overlap (registrar, TLD use, and time of creation) along with “thematic” observables (the naming conventions used) can enable us to unearth additional items.

With this hypothesis in mind, looking for items with a similar technical structure that also mirror the “local service” or “local business” theme, we can identify the following through DomainTools Iris:

DomainCreate DateIPISPSSL Certificate Hash
app-space-cleaner[.]com12/15/202046.4.76.174Hetzner Online AGd456b68598481ca23f7736828731c3730d641192
babynameinspirations[.]com12/14/2020135.181.154.50Hetzner Online AGN/A
bbdworld[.]net12/18/2020195.201.9.204Hetzner Online AGN/A
blueridgecabin-cleaning[.]com11/13/202094.140.115.253SIA Nano IT5392b3c24963f7de3c3f7e0711d4f6eba4f0f31a
carwashevanstoon[.]com12/15/202094.140.114.54SIA Nano ITa856e01b468b46f4316ef026bf74351ce27647c5
cguschool[.]com12/9/2020116.203.253.24Hetzner Online AGN/A
cleaningcompany-online[.]com12/1/2020192.227.231.237Virtual Machine Solutions LLC1eab0efacfeb82bde18db1200ff03bb0526ac60d
coloradobudokann[.]com12/10/2020195.123.233.78ITL-Bulgaria Ltd.N/A
crowleycollegeprepp[.]com12/10/2020107.152.42.146ServerCheap INCN/A
data1-posten[.]com12/7/2020168.119.171.234Hetzner Online AG30f46401c6abd0c9a629c64259592b5c6ca974a6
familyzstore[.]com12/11/2020198.54.117.244Namecheap Inc.N/A
first-posten[.]com12/7/2020168.119.171.234Hetzner Online AGN/A
form-feedback[.]com12/7/2020178.63.220.179Hetzner Online AG23f3a3a27edcb956c33aa57c71abced34e6c454c
greatsfamily[.]com12/9/2020198.54.117.244Namecheap Inc.N/A
injektorrx[.]com11/13/202094.140.114.187SIA Nano IT0aec5a4f8860b44d77fb47f053e391c83aa36cfb
inmanheatingandcoollng[.]com12/15/202094.140.114.135SIA Nano IT66688b898713f2d840985325d093e46e5fbbc0e6
intlupdate[.]com12/8/20205.34.178.204ITL LLC35d8a65cba2c02c4dcc7bb7e00680ae5c4aa4823
johnnykashjewelsapp[.]com12/15/2020195.123.237.139ITL-Bulgaria Ltd.N/A
jordanbelforthiring[.]com12/16/2020192.64.119.2Namecheap Inc.N/A
kizienservices[.]com12/9/2020195.201.179.80HostMaster CorpN/A
lovelyhomemart[.]com12/7/2020176.9.29.52Hetzner Online AG9b48c3e61c1aa79155b725f5fd4f47bc755d0d2d
manageupdaternetwork[.]com12/17/202094.140.114.160SIA Nano ITN/A
my-space-cleaner[.]com12/10/202046.4.76.174Hetzner Online AGb613424256682a4a4d4465a8b84741e4055f211b
newappday[.]net12/9/202095.217.229.116Hetzner Online GmbHN/A
niftythriftsteals[.]com12/13/202049.12.15.63Hetzner Online AG630a232a25964fbdb8031ecfd5860c7578210222
nord-city[.]com12/11/202046.4.70.54Hetzner Online AG179e434d8e2b4c6190037f55bf94c1c766e58777
open-register[.]com12/16/2020198.54.117.197Namecheap Inc.N/A
posten-order[.]com12/7/2020168.119.171.234Hetzner Online AGa6c19e7d55629da02919432bd5e92bd8395715e7
pulsehomeowner[.]com12/14/2020159.69.186.9Hetzner Online AGN/A
qureshisgym[.]com12/20/202095.216.159.168Hetzner Online GmbHN/A
real-posten[.]com12/9/2020135.181.94.39Hetzner Online AGN/A
rentinginnovations[.]com12/13/2020159.69.186.9Hetzner Online AGN/A
rmflaging[.]com12/10/202094.140.115.145SIA Nano ITN/A
service-masterss[.]com11/13/2020141.136.0.3SIA Nano ITN/A
speed-posten[.]com12/11/2020135.181.94.39Hetzner Online AGN/A
stonyhand-carwash[.]com12/15/2020138.201.112.173Hetzner Online AGN/A
tracking-posten[.]com12/7/2020168.119.171.234Hetzner Online AGb62aed1d366c54148617c3c30f6883b0a92c4aa6
trak-no-posten[.]com12/10/2020135.181.94.39Hetzner Online AGN/A
trakaing-pass-posten[.]com12/9/2020168.119.171.234Hetzner Online AG1fac7b2ae6b7ea5b7c032c9cd1f06db9844a6a72
washguystxx[.]com12/4/2020141.136.0.25SIA Nano ITN/A
worldnewsfeed[.]net12/15/202088.99.102.85Hetzner Online AGf852a683482e9fbab0044e0257eee159e0bdf044

This list is extensive and includes items that are likely not related to this campaign, but other items seem to fit the pattern observed quite well. Examples include:


These items form the basis for further threat hunting and CTI analysis. Given that all of the identified items are marked as likely malicious based on DomainTools risk scoring algorithms, the options available to defenders range from adding the domains and related infrastructure to blocklists as a preventative measure to monitoring them for further activity. For example, items such as those called out above could be flagged in various services, such as DomainTools domain monitoring, to identify when changes or file associations occur.

File Patterns

In addition to domain patterns, the malware samples associated with this campaign also feature several commonalities that can be used for either hunting or alerting purposes, depending on the tools and visibility available to the researcher. From the information available thus far, we have the following insights:

  • Exclusive use of 64bit binaries downloaded from cloud storage providers.
  • Use of the same Sectigo signing certificate across all known samples.
  • Common file naming conventions based on variations of “company report” and similar themes.
  • Commonality in C2 infrastructure.

From the above, DomainTools researchers began investigating multiple data sources for similar file characteristics as well as items contacting domains revealed in the network pivoting exercise documented in the previous section. From this and follow-on analysis from initial findings, DomainTools researchers unearthed another BazarLoader campaign from 17-18 December 2020. The following samples and C2 domains were observed:

SHA256MD5File NameC2
c9a66cff4c5b5d74545c1eabc9da4ecf618f9c72174150569daa58e843cee5e5c28b472f5162a4a58d29aed1f1b2fe06BonusReport.exejohnnyclean-carwash[.]com, akbuilding-services[.]com
9b29924a22ef01cb9c3b8c98d5cc4508836427335d3949c93e7a4c50c2bd40d59014ee7a206b40f1cf81de0918ff8c9fAnnualReport.execleaningcompany-online[.]com, akbuilding-services[.]com
bcccb14658e8c1bee8107a2c314957c2bd9e505e73012b0aaa18df9fedf99248dd0c5c4d2cdf6f57be6c7f4d7e64f5fdAnnualReport.exejohnnyclean-carwash[.]com, maidtoorderfll[.]com
56c5bee33c17a453c900725f88efb0466fd928072c420955fa599b518b9dfcd2ee85e8c0956d2021732d9606120401f9AnnualReport.execleaningcompany-online[.]com, akbuilding-services[.]com
ac696ef5a12039b72e408b6b14e08823c407ee652a6a36b7c33d01cd8d37349767c2474a2fb201491c0ff5ff7ab783eaAnnualReport.exejohnnyclean-carwash[.]com, akbuilding-servicex[.]com

Multiple samples were identified with C2 infrastructure linked to the domain pivoting in the previous section. While this did not appear to succeed in identifying “new” items (as the files in question appear to have been active from 17-18 December 2020, before the originating campaign sparking this investigation), their discovery indicates other items in the list of possible domains may relate to future campaigns by the same actor. Additionally, some items were revealed which featured C2 domains not related to the pivoting documented earlier. Examples include:


Although exhibiting C2 domains beyond initial research, the items were linked by a common code signing certificate (again from Sectigo, and since revoked by the issuer) with the name “ИНТЕЛЛИТ” (Belorussian for “Intelligence”) and thumbprint “1103DEBCB1E48F7DDA9CEC4211C0A7A9C1764252”:

Sectigo code signing certificate

Although a different certificate than that used in the 21 December campaign, it reflects similar themes and observations. One item in common with both signing certificates is the prefix “OOO”, which in Russian (and related) languages is equivalent to “Ltd.” While there are many legitimate entities that can and do sign their software with certificates including “OOO” in their name, this may function as a robust indicator for organizations with few or no commercial ties to Russian or related language entities for blocking or filtering files with code signing certificates containing such language. This code signing observation represents a start in overall defensive planning against malware campaigns such as that observed in this report.

Defensive Recommendations and Mitigations

We have already discussed several examples of possible alerting items for this campaign, ranging from signing certificate observables to infrastructure commonalities. However, network defenders must be attuned and responsive to a variety of adversary “tells” in campaigns to ensure robust and complete defense from intruder operations.

First, the simple identification of new or anomalous network traffic—whether as email links, user interactions, or programmatic communication—can do wonders for network security posture. For example, all of the domains identified in the analysis so far have scored as likely malicious through the DomainTools risk-scoring algorithm. By programmatically tying network security monitoring or log capture (such as proxy logs) to a threat intelligence source such as DomainTools, defenders can rapidly identify communication to new, likely risky sources and use this as a mechanism to launch further investigations. Done in a timely fashion, this can work to disrupt ransomware actor operations and interrupt events before they proceed toward ransomware deployment.

Second, organizations must be attuned to the malicious use of code signing for the delivery of malware. In this specific campaign, the Sectigo signing authority was abused to sign malware for delivery and execution. From a defender’s perspective, we cannot completely distrust Sectigo (as it is used by many organizations), but we can identify ways to narrow our degrees of trust to reduce attack surface. Within the context of the currently discussed campaigns, identifying the “OOO” string, corresponding to “Ltd” in Russian and related languages, may be sufficient to distinguish between trusted and unknown software depending on one’s business operations. Identifying such “tells” and their implications can allow defenders to take even trusted items, such as code signing certificates, and narrow what is truly allowed or acceptable within their environments versus what is anomalous or suspicious.

Finally, the entire infection chain outlined above relies on a user interacting with a phishing message then executing an unknown binary from a cloud storage location. These items represent critical touch points for defensive response and monitoring—and user education. Through email security monitoring, organizations can identify, categorize, and filter providers for things such as landing pages and response emails to reduce attack surface. Furthermore, organizations can limit or completely block the download of files (or at least executable files) from external cloud storage locations to further reduce risk. Lastly, execution by the user of an unknown (even if signed) binary can be limited through either training or operating system controls to eliminate the ultimate stage of this attack sequence.

Attack Sequence Diagram

Overall, visibility into network communications, the ability to refine those communications with the support of external CTI sources, and combining this with host-based or malware-centric observations will enable defenders to identify, track, and hopefully mitigate potential ransomware events such as that described above. This whole-of-killchain approach, similarly documented with respect to BazarLoader by Red Canary in 2019, ensures detection at various stages of adversary operations. Through concerted effort and continued refinement, defenders will be able to identify “normal” activity within their environment and set that against abnormal traffic that may be related to malicious operations. As a result, defended organizations can gain some lead time over intruders, setting up proactive or preemptive defenses to limit exposure to campaigns as they materialize.


In this analysis, we identified an initial campaign and used related items to reveal a slightly earlier ransomware campaign likely related to the same adversary. By applying this process in a continuous, iterative fashion, we as network defenders and CTI professionals can continually reduce the scope and degree of movement for adversaries and improve the prospects of network defense. Marrying network security monitoring with network indicator enrichment through sources such as DomainTools can reveal campaigns in progress, while subsequent relations to file-based observations can cement these views to enable holistic network defense. Ultimately, network defenders must leverage all sources available to them in order to adequately respond to and detect such threats, with the goal of minimizing adversary dwell time and maximizing defender opportunities for response and recovery.