TrickBot trojan has survived the massive takedown operation! While the trojan is set to reboot its operations with a new bunch of backend infrastructure, the operators are making headway with another creation dubbed BazarLoader/BazarBackdoor.
BazarLoader is the newest preferred stealthy covert malware added to the TrickBot group toolkit arsenal. It came to the limelight in July when researchers were investigating a particular attack campaign against targets across the U.S. and Europe. BazarLoader consists of two components: a loader and a backdoor. The malware uses legitimate file-sharing services, as well as phishing emails, as part of the infection chain. The group behind the malware takes advantage of certificate signing to evade antivirus and software products.
A preview of recent attack trends
Threat actors disguised BazarLoader executables as genuine Basecamp links as a part of their latest phishing strategy.
In mid-October, TrickBot operators improved the capabilities of the BazarLoader backdoor to deploy Ryuk ransomware on high-value targets.
The malware was, furthermore, used in a phishing email campaign that pretended to spread information on the U.S. President’s COVID-19 illness.
In another phishing campaign, the backdoor used fake termination emails as a lure. The campaign used a phishing link to Google Docs from where the backdoor was downloaded.
BazarLoader’s strength lies in its stealthy core component and obfuscation capabilities. Such obfuscation qualities allow the crime group to maintain persistency on the host even if the third-party software gets detected by antivirus software.
Moreover, the ingenious use of blockchain by BazarLoader operators displays their ability to abuse legitimate services for nefarious activities.
Loaders are becoming an essential part of any cybercrime campaign. They start the infection chain by distributing the payload. In essence, they deploy and execute the backdoor from the C2 server and plant it on the victim’s machine. BazarLoader demonstrates tha alarming trend. Furthermore, the abuse of legitimate services and digital signatures for obfuscation represents the widespread use of deception techniques.