DocuSign Themed Malspam Leads to BazarBackdoor and Cobalt Strike
released on 2021-02-01 @ 09:44:25 PM
In the fall of 2020, Bazar came to prominence when several campaigns used it to deliver Ryuk ransomware. While Bazar activity appeared to drop off in December, new campaigns have sprung up recently using similar TTPs.
In this case, The DFIR Report describes how the threat actor went from a DocuSign-themed malicious document to domain-wide compromise, using Bazar (aka KEGTAP) and Cobalt Strike.