TrickBot Adds BazarBackdoor to Malware Arsenal

trickbot backdoor

The stealthy backdoor is delivered via mass-market phishing emails that are well-crafted to appear convincing.

A new module for the infamous trojan known as TrickBot has been deployed: A stealthy backdoor that researchers call “BazarBackdoor.”

The binary was first spotted being delivered as part of a phishing campaign that began in March, according to an analysis from Panda Security this week. The campaign used the legitimate marketing platform Sendgrid to reach targets in a mass-mailing fashion; however, the emails were well-crafted, with the operators making an effort to make the phishing links inside the emails look legitimate. The link addresses also corresponded to the emails’ lures, researchers said.

“A range of subjects are used to personalize the emails: Customer complaints, coronavirus-themed payroll reports, or employee termination lists,” they explained in the analysis. “All these emails contain links to documents [supposedly] hosted on Google Docs.”

The links within the documents actually led to websites that present the victims with an error message, saying that the Word, Excel or PDF document that they’re attempting to access cannot be viewed correctly. They were then prompted to download the collateral to be able to read it.

“When the victim clicks on the link, an executable will be downloaded that uses an icon and a name associated with the kind of document that appears on the website,” according to Panda Security. “For example, ‘COVID-19 ACH Payroll Report’ will download a document called PreviewReport.DOC.exe. Since Windows does not show file extensions by default, most users will simply see PreviewReport.DOC and will open the file, believing it to be a legitimate document.”

The executable turns out to be a loader for BazarBackdoor; once it installs, it stays hidden in the background while it connects to a command-and-control (C2) server, and then downloads BazarBackdoor itself.

The backdoor is capable of providing full access to an attacker – which can be used as a point of entry for any number of attacks.

“In any advanced attack, be it ransomware, industrial espionage, or corporate data exfiltration, having this kind of access is essential,” according to the firm. “If a cybercriminal manages to install BazarBackdoor on a company’s IT system, it could pose a serious danger, and, given the volume of emails being sent out with this backdoor, this is a widespread threat.”

Panda Security describes BazarBackdoor as “enterprise-grade malware,” and they linked it back to TrickBot because both pieces of malware share parts of the same code, along with delivery and operation methods.

TrickBot is a malware strain that has been around since 2016, starting life as a banking trojan. Over time, it has gradually extended its functions to include collecting credentials from a victim’s emails, browsers and installed network apps. The malware has also evolved to add more modules and act as a delivery vehicle for other malware. And indeed, this is not TrickBot’s only backdoor dabbling. In January, researchers found the malware’s operators to be using “PowerTrick,” a backdoor that helped the malware conduct reconnaissance of targeted financial institutions. It was also used to fetch yet other backdoors, in an effort to help TrickBot evade detection.

Also, in April 2019, Cybereason detected an attack campaign that continued an ongoing phenomenon of Emotet loading TrickBot as a means to deploy Ryuk ransomware. In that attack however, TrickBot used its Empire backdoor as part of the kill chain.

BazarBackdoor is also not TrickBot’s only recent move in general. The operators were seen to have changed up their anti-analysis methods in March; in the same timeframe they also added a module to mount widespread brute-force attacks on RDP connections.

“The aim of these attacks was to take advantage of the sudden increase in remote workers and take over their corporate computers,” researchers at Panda Security said. “Exploiting the current COVID-19 pandemic in this way is just one of the many techniques that cybercriminals have for gaining access to companies’ IT systems.”

Concerned about the IoT security challenges businesses face as more connected devices run our enterprises, drive our manufacturing lines, track and deliver healthcare to patients, and more? On June 3 at 2 p.m. ET, join renowned security technologist Bruce Schneier, Armis CISO Curtis Simpson and Threatpost for a FREE webinar, Taming the Unmanaged and IoT Device Tsunami. Get exclusive insights on how to manage this new and growing attack surface. Please register here for this sponsored webinar.


Suggested articles