Expert Insight On Group Behind TrickBot Spreads Fileless BazarBackdoor

The people who created Trickbot have released a new, upgraded malware call BazarBackdoor. It’s primary method of entry is through phishing campaigns loaded with malicious attachments, such as PDFs, Word documents and Excel spreadsheets. When you click on the attachment, a pop-up appears indicating you need to download the document. As Windows doesn’t have a default file extension, it appears as legitimate. By clicking on it, or viewing in preview, the unsuspecting user inadvertently creates the malware backdoor. BazarBackdoor is a lightweight malware designed for evading detection. It’s a fileless loader that has two parts: installer and bot. The bot, once loaded, can execute binaries, scripts, modules, kill processes and remove itself from the device. It uses a crypter shared by Trickbot with the the VirtualAllocExNuma API and RC4 decoder sequence and it loads in the registry’s currentversion\run. The malware decryption routine is: ;const char *Encrypt_Decrypter() ; { ; ... ; BYTE key = key; ; for (int i = 0; i < len; i++) ; { ; ptr[i] = ptr[i + 1] ^ key; ; key++; ; } ; } Host names for it’s C2 server are: forgame.bazar bestgame.bazar thegame.bazar newgame.bazar portgame.bazar  Read Less