Bazar backdoor linked to Trickbot banking Trojan campaigns

July 16, 2020

A new malware family has been linked to the threat actors behind Trickbot, a prolific information-stealing Trojan.

On Thursday, the Cybereason Nocturnus research team said that since April this year, the backdoor has been used in attacks against targets across the US and Europe. In particular, organizations in the professional, healthcare, IT, manufacturing, logistics, and travel industries are in the spotlight.

In a blog post, the cybersecurity researchers document how the first variants of the malware appeared in the wild during April, but then there was a hiatus of almost two months with a new sample emerging during June — together with improved code and fixes.

Trickbot is a banking and information-stealing Trojan that has traditionally been used against financial services. The malware has evolved over the years to become a data stealer and botnet facilitator with a modular infrastructure that makes it easier for operators to tweak code and improve its offensive capabilities over time.

In January, Trickbot operators debuted PowerTrick, a backdoor reserved for high-value targets. Now, the introduction of the Bazar malware — combining loader and backdoor — is another tool weaponized in Trickbot campaigns.

Phishing campaigns relating to the COVID-19 pandemic, customer complaints, and employee payroll are being used to spread the malware. While most Trickbot campaigns use malicious attachments, Bazar is spread via phishing emails sent through the Sendgrid email marketing platform which link to decoy landing pages for document previews hosted in Google Docs.

In order to lure victims into downloading malicious documents, the page claims that previews are not available.

Once the documents have been downloaded and executed, the loader element carves out a foothold into an infected system. Similar code is in play between the Bazar and standard Trickbot loaders, including the same WinAPIs, custom RC4 implementation, and heavy obfuscation. The loader will attempt to inject itself into either svchost, explorer, or cmd to make sure it autoruns “at any cost,” according to Cybereason, and a task is also scheduled to load the malware at startup.

The encrypted Bazar backdoor is loaded directly into memory to avoid detection. Bazar, of which three versions in various stages of development have been detected, collects and steals system data, forges a link with the command-and-control (C2), and is able to perform a variety of functions.

As noted by Fox IT researchers, these include generating a unique ID for each infected machine, downloading files and using either hollowing process injection or Doppelgänging process injection, executing DLLs, terminating processes, and self-destruction.

CNET: Google targets stalkerware in updated ad policy

Cybereason says the combination of loader and backdoor can be used to download and deploy additional malware payloads, such as ransomware, as well as exfiltrate information for transfer to the attacker’s C2.

The domains being used to facilitate the Bazar loader and backdoor are blockchain-based, including EmerDNS. As these domains are decentralized, they may be more resistant to takedown requests, a concept Cybereason says has made blockchain DNS domains “a recent trend” among threat actors.

TechRepublic: Software-defined perimeters may be the solution to remote work security concerns

This is the same tactic used in Trickbot Anchor campaigns, as documented in December 2019. Trickbot and Anchor also share the same top-level Bazar domain C2.

“Our research shows that the threat actor took time to re-examine and improve their code, making the malware stealthier,” the team says. “Although this malware is still in development stages, Cybereason estimates that its latest improvements and resurfacing can indicate the rise of a new formidable threat once fully ready for production.”