A new malware family appears to be linked to the hackers behind the campaigns of Trickbot, an information-stealing trojan. Researchers at Cybereason Nocturnus reported that the backdoor has been used since April in attacks targeting Europe and the USA. In particular, these attacks focused on organizations in healthcare, IT, travel and construction, as well as financial institutions. The researchers also noted that the first variants of the malware appeared in April, followed by a "gap" of about two months, with a new sample featuring improved code and fixes appearing in June.
Trickbot is an information-stealing banking trojan used in attacks against financial services and organizations. The malware has evolved over the years into a data stealer and botnet facilitator, with an infrastructure that makes it easy for its operators to modify the code and improve its offensive capabilities.
Earlier this year, Trickbot operators created PowerTrick, a backdoor intended for "high value" targets. The introduction of the Bazar malware, a combined loader and backdoor, is another "weapon" used in Trickbot campaigns.
Phishing campaigns themed around the COVID-19 pandemic, customer complaints and employee payroll are used to spread the malware. While most Trickbot campaigns use malicious attachments, the Bazar backdoor spreads via phishing emails sent through the email marketing platform SendGrid, which link to landing pages offering "bait" previews of documents hosted on Google Docs.
To lure potential victims into downloading the malicious documents, the pages claim that previews are not available. Once the documents are downloaded and executed, the loader component infects the system. In addition, the Bazar and Trickbot loaders appear to share the same code. According to Cybereason, the loader then tries to inject into svchost, explorer or cmd to make sure it keeps running "at any cost", and a scheduled task is created to load the malware at startup.
The Bazar backdoor is loaded directly into memory to avoid detection. Bazar, of which three versions at various stages of development have been identified, collects and exfiltrates system data, establishes a connection to the command-and-control (C2) server and can perform many functions. Features include creating a unique ID for each infected device, downloading and executing DLLs, terminating processes, and self-destructing.
According to Cybereason, the combination of loader and backdoor can be used to download and deploy additional malware payloads, such as ransomware, as well as to extract information and transfer it to the attacker's C2. Also, the domains used by the Bazar loader and backdoor rely on blockchain-based DNS, including EmerDNS.
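The behaviours described above (injection into svchost, explorer or cmd, a scheduled task for startup persistence, and C2 domains resolved through blockchain DNS such as EmerDNS) are all observable on an endpoint. The following is an added Python example, not code from the article or from Cybereason, that checks Sysmon-style events for these three patterns. It assumes a simplified, constructed key=value log format (not real Sysmon output), constructed sample lines and domain names, and a hypothetical list of EmerDNS zones (.bazar, .coin, .emc, .lib) as the blockchain TLDs of interest.

```python
import re
from pathlib import PureWindowsPath

# Assumed EmerDNS zones; treat any query for these TLDs as worth a look, since
# normal corporate software does not resolve names in blockchain-based zones.
EMERDNS_TLDS = {"bazar", "coin", "emc", "lib"}

# Processes the article names as injection targets for the Bazar loader.
INJECTION_TARGETS = {"svchost.exe", "explorer.exe", "cmd.exe"}

# Path fragments that indicate a user-writable location (where phishing
# downloads usually land) rather than a protected install directory.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\")

# Constructed key=value lines modelled on Sysmon event fields (EventID 8 =
# CreateRemoteThread, 1 = process creation, 22 = DNS query). Not real telemetry.
SAMPLE_LOGS = [
    r"EventID=8 SourceImage=C:\Users\u\AppData\Local\Temp\preview.exe TargetImage=C:\Windows\System32\svchost.exe",
    r"EventID=1 Image=C:\Windows\System32\schtasks.exe CommandLine=schtasks /create /sc onlogon /tn Updater /tr C:\Users\u\AppData\Local\Temp\preview.exe",
    r"EventID=22 Image=C:\Windows\System32\svchost.exe QueryName=example-c2.bazar",
    r"EventID=22 Image=C:\Program Files\Browser\browser.exe QueryName=docs.google.com",
    r"EventID=1 Image=C:\Windows\System32\notepad.exe CommandLine=notepad.exe",
    r"EventID=8 SourceImage=C:\Windows\System32\services.exe TargetImage=C:\Windows\System32\svchost.exe",
    r"EventID=1 Image=C:\Windows\System32\schtasks.exe CommandLine=schtasks /create /sc onlogon /tn VendorUpdate /tr C:\Program Files\Vendor\update.exe",
]

# Splits "Key=value Key2=value with spaces" into fields; a value runs until the
# next " Word=" token or the end of the line, so command lines keep their spaces.
_FIELD = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_line(line: str) -> dict:
    """Turn one constructed key=value log line into a field dictionary."""
    return {key: value for key, value in _FIELD.findall(line.strip())}


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _user_writable(path_or_cmd: str) -> bool:
    lowered = path_or_cmd.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def detect(line: str) -> list:
    """Return the detection labels that fire for a single log line."""
    event = parse_line(line)
    findings = []
    event_id = event.get("EventID")

    if event_id == "8":
        # A binary in a user-writable path creating a thread inside a system
        # process matches the injection step the article describes.
        if (_basename(event.get("TargetImage", "")) in INJECTION_TARGETS
                and _user_writable(event.get("SourceImage", ""))):
            findings.append("remote_thread_into_system_process")

    elif event_id == "1":
        # schtasks /create whose action points at a user-writable path is the
        # "load at startup" persistence pattern.
        cmd = event.get("CommandLine", "").lower()
        if (_basename(event.get("Image", "")) == "schtasks.exe"
                and "/create" in cmd and _user_writable(cmd)):
            findings.append("scheduled_task_persistence")

    elif event_id == "22":
        # DNS query whose TLD belongs to an EmerDNS zone.
        tld = event.get("QueryName", "").rsplit(".", 1)[-1].lower()
        if tld in EMERDNS_TLDS:
            findings.append("emerdns_query")

    return findings


def scan(lines) -> list:
    """Run every rule over a sequence of lines; returns (index, label) pairs."""
    return [(index, label) for index, line in enumerate(lines) for label in detect(line)]


if __name__ == "__main__":
    for index, label in scan(SAMPLE_LOGS):
        print(f"line {index}: {label}")
```

The benign lines (a browser resolving docs.google.com, services.exe touching svchost.exe, a vendor task under Program Files) produce no findings, which is the point of tying each rule to a user-writable source path or an unusual TLD rather than to the process names alone. In a real deployment the same three rules would be expressed in the SIEM's query language over genuine Sysmon events, and the EmerDNS rule would normally be extended to alert on any resolver traffic leaving the network that is not the corporate DNS.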
Cybereason researchers say that, according to their research, the hackers took the time to review and improve the Trickbot trojan code, making the malware more "insidious". Finally, they point out that although this malware is still in development, the latest improvements and its reappearance may signal the emergence of a formidable new threat.