Expert Insight On Group Behind TrickBot Spreads Fileless BazarBackdoor

By   ISBuzz Team
Writer , Information Security Buzz | Apr 28, 2020 05:05 am PST

In response to reports that a new phishing campaign is delivering a new stealthy backdoor from the developers of TrickBot that is used to compromise and gain full access to corporate networks, a cybersecurity expert provides insight on this new phishing campaign.

Notify of
1 Expert Comment
Oldest Most Voted
Inline Feedbacks
View all comments
TJ Short
TJ Short , VP of Security Operations
April 28, 2020 1:09 pm

The people who created Trickbot have released a new, upgraded malware call BazarBackdoor. It’s primary method of entry is through phishing campaigns loaded with malicious attachments, such as PDFs, Word documents and Excel spreadsheets. When you click on the attachment, a pop-up appears indicating you need to download the document. As Windows doesn’t have a default file extension, it appears as legitimate. By clicking on it, or viewing in preview, the unsuspecting user inadvertently creates the malware backdoor.

BazarBackdoor is a lightweight malware designed for evading detection. It’s a fileless loader that has two parts: installer and bot. The bot, once loaded, can execute binaries, scripts, modules, kill processes and remove itself from the device.

It uses a crypter shared by Trickbot with the the VirtualAllocExNuma API and RC4 decoder sequence and it loads in the registry’s currentversion\\run.

The malware decryption routine is:

;const char *Encrypt_Decrypter()
; {
; …
; BYTE key = key;
; for (int i = 0; i < len; i++) ; { ; ptr[i] = ptr[i + 1] ^ key; ; key++; ; } ; } Host names for it’s C2 server are: forgame.bazar bestgame.bazar thegame.bazar newgame.bazar portgame.bazar

Last edited 3 years ago by TJ Short

Recent Posts

Would love your thoughts, please comment.x