In response to reports that a new phishing campaign is delivering a stealthy backdoor from the developers of TrickBot, used to compromise and gain full access to corporate networks, a cybersecurity expert provides insight on the campaign below.

Experts Comments

April 28, 2020
TJ Short
VP of Security Operations
Cerberus Sentinel
The people who created Trickbot have released a new, upgraded malware called BazarBackdoor. Its primary method of entry is through phishing campaigns loaded with malicious attachments, such as PDFs, Word documents and Excel spreadsheets. When you click on the attachment, a pop-up appears indicating you need to download the document. As Windows doesn't have a default file extension, it appears as legitimate. By clicking on it, or viewing in preview, the unsuspecting user inadvertently creates the malware backdoor.

BazarBackdoor is a lightweight malware designed for evading detection. It's a fileless loader that has two parts: installer and bot. The bot, once loaded, can execute binaries, scripts, modules, kill processes and remove itself from the device. It uses a crypter shared by Trickbot with the VirtualAllocExNuma API and RC4 decoder sequence, and it loads in the registry's currentversion\run. The malware decryption routine is:

    const char *Encrypt_Decrypter()
    {
        ...
        BYTE key = key;
        for (int i = 0; i < len; i++)
        {
            ptr[i] = ptr[i + 1] ^ key;   // XOR each byte with a one-byte key that advances per byte
            key++;
        }
    }

Host names for its C2 server are: forgame.bazar, bestgame.bazar, thegame.bazar, newgame.bazar, portgame.bazar.
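The decryption routine quoted in the comment above is a rolling XOR: each byte is XORed with a one-byte key that is incremented after every byte. The script below is an added example, not code from the page or from any sample, showing how an analyst implements that transform and recovers the starting key from an encrypted blob when the first plaintext bytes are known (here the "MZ" signature of a Windows executable). It assumes the index shift in the quoted snippet is a decompilation artifact and applies the XOR in place; the sample blob is constructed.

```python
"""Rolling-XOR decoder and key recovery (added example, not from the page).

Assumption: the routine XORs byte i with (key + i) mod 256, as the comment
describes; the ptr[i + 1] index shift in the quoted snippet is treated as a
decompilation artifact. The sample blob below is constructed for this demo.
"""
from typing import Optional


def rolling_xor(data: bytes, key: int) -> bytes:
    """XOR each byte with key, then increment key (mod 256). Self-inverse."""
    out = bytearray(len(data))
    for i, b in enumerate(data):
        out[i] = b ^ (key & 0xFF)
        key += 1
    return bytes(out)


def recover_key(blob: bytes, known_prefix: bytes) -> Optional[int]:
    """Return the single starting key under which blob decodes to known_prefix.

    Only 256 starting keys exist, so an analyst can try them all against a
    known plaintext prefix. Returns None if zero or several keys fit.
    """
    head = blob[:len(known_prefix)]
    matches = [k for k in range(256) if rolling_xor(head, k) == known_prefix]
    return matches[0] if len(matches) == 1 else None


# Constructed sample: a fake PE header encrypted with starting key 0x5A.
PLAINTEXT = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = rolling_xor(PLAINTEXT, SAMPLE_KEY)


if __name__ == "__main__":
    key = recover_key(SAMPLE_BLOB, b"MZ")
    print(f"recovered starting key: {key:#04x}")
    print(rolling_xor(SAMPLE_BLOB, key))
```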