In response to reports that a new phishing campaign is delivering a new stealthy backdoor from the developers of TrickBot that is used to compromise and gain full access to corporate networks, a cybersecurity expert provides insight on this new phishing campaign.
The people who created Trickbot have released a new, upgraded malware call BazarBackdoor. It’s primary method of entry is through phishing campaigns loaded with malicious attachments, such as PDFs, Word documents and Excel spreadsheets. When you click on the attachment, a pop-up appears indicating you need to download the document. As Windows doesn’t have a default file extension, it appears as legitimate. By clicking on it, or viewing in preview, the unsuspecting user inadvertently creates the malware backdoor.
BazarBackdoor is a lightweight malware designed for evading detection. It’s a fileless loader that has two parts: installer and bot. The bot, once loaded, can execute binaries, scripts, modules, kill processes and remove itself from the device.
It uses a crypter shared by Trickbot with the the VirtualAllocExNuma API and RC4 decoder sequence and it loads in the registry’s currentversion\\run.
The malware decryption routine is:
;const char *Encrypt_Decrypter()
; {
; …
; BYTE key = key;
; for (int i = 0; i < len; i++) ; { ; ptr[i] = ptr[i + 1] ^ key; ; key++; ; } ; } Host names for it’s C2 server are: forgame.bazar bestgame.bazar thegame.bazar newgame.bazar portgame.bazar