Tuesday, January 19, 16:16

Bazar backdoor is associated with Trickbot banking trojan campaigns

A new malware family appears to be tied to the operators behind the campaigns of Trickbot, an information-stealing trojan. Researchers at Cybereason Nocturnus reported that the backdoor has been used since April in attacks targeting Europe and the USA, with organizations in healthcare, IT, travel and construction, as well as financial institutions, at the centre of these attacks. The researchers also noted that the first variants of the malware appeared in April, after which there was a gap of about two months before a new sample appeared in June with improved code and fixes.

Trickbot is an information-stealing banking trojan used in attacks against financial services and other organizations. The malware has evolved over the years into a data stealer and botnet facilitator, with an infrastructure that makes it easy for its operators to modify the code and improve its offensive capabilities.
Earlier this year, the Trickbot operators created PowerTrick, a backdoor intended for "high value" targets. The introduction of the Bazar malware, a combined loader and backdoor, is another "weapon" used in Trickbot campaigns.

Phishing campaigns themed around the COVID-19 pandemic, customer complaints and employee payroll are used to spread the malware. While most Trickbot campaigns use malicious attachments, the Bazar backdoor spreads via phishing e-mails sent through the email marketing platform Sendgrid, which link to landing pages offering "bait" previews of documents hosted on Google Docs.

To lure potential victims into downloading the malicious documents, the pages claim that the preview is not available. Once the document is downloaded and executed, the loader component infects the system. Notably, the Bazar and Trickbot loaders appear to share code. According to Cybereason, the loader then tries to inject itself into svchost, explorer or cmd so that it keeps running "at any cost", and a scheduled task is created to load the malware at startup.

The Bazar backdoor is loaded directly into memory to avoid detection. Bazar, of which three versions at different stages of development have been identified, collects and exfiltrates system data, establishes a connection to the command-and-control (C2) server and can perform many functions. Its features include creating a unique ID for each infected device, downloading and executing DLLs, terminating processes, and self-destructing.

According to Cybereason, the loader and backdoor combination can be used to download and deploy additional malware payloads, such as ransomware, as well as to extract information and transfer it to the attacker's C2. The domains used by the Bazar loader and backdoor are also based on blockchain DNS, including EmerDNS.
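As an added illustration, not part of the article or of Cybereason's report, the following Python script triages a handful of constructed, simplified endpoint events for two of the behaviours described above: scheduled-task persistence launched from a user-writable path, and DNS queries for names under blockchain TLDs. The event format, file paths and domain names are made up for the example; the list of top-level domains served by EmerDNS (.coin, .emc, .lib, .bazar) is a fact about EmerDNS that the page itself does not state.

```python
import re

# Assumption not stated on the page: EmerDNS resolves these top-level domains,
# none of which exist in the public ICANN root, so a query for them from a
# corporate endpoint is a strong signal on its own.
EMERDNS_TLDS = ("coin", "emc", "lib", "bazar")

# Process names the article says the loader injects into.
INJECTION_TARGETS = {"svchost.exe", "explorer.exe", "cmd.exe"}

# Constructed sample events in a simplified key=value format (not real telemetry).
SAMPLE_EVENTS = [
    'type=process user=alice image=C:\\Windows\\System32\\schtasks.exe '
    'cmdline="schtasks /create /tn Updater /sc onlogon '
    '/tr C:\\Users\\alice\\AppData\\Local\\Temp\\preview.exe"',
    'type=dns image=C:\\Windows\\System32\\svchost.exe query=example-c2.bazar',
    'type=dns image=C:\\Windows\\explorer.exe query=www.example.com',
    'type=process user=alice image=C:\\Windows\\System32\\cmd.exe cmdline="cmd /c whoami"',
    'type=dns image=C:\\Windows\\System32\\svchost.exe query=update.example.emc',
]

# key=value or key="quoted value" tokens
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line):
    """Parse one key=value line into a dict; quoted values may contain spaces."""
    ev = {}
    for m in KV_RE.finditer(line):
        ev[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return ev


def is_blockchain_dns(query):
    """True if the queried name ends in a TLD served by EmerDNS (assumed list above)."""
    tld = query.rsplit(".", 1)[-1].lower()
    return tld in EMERDNS_TLDS


def is_scheduled_task_persistence(ev):
    """Flag schtasks /create whose action lives under a user-writable AppData/Temp path."""
    if ev.get("type") != "process":
        return False
    cmd = ev.get("cmdline", "").lower()
    return ("schtasks" in cmd and "/create" in cmd
            and re.search(r"\\(appdata|temp)\\", cmd) is not None)


def triage(lines):
    """Return (reason, event) findings for the given event lines, in input order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if is_scheduled_task_persistence(ev):
            findings.append(("scheduled-task persistence", ev))
        if ev.get("type") == "dns" and is_blockchain_dns(ev.get("query", "")):
            # Note which process issued the query: a hit from one of the
            # injection targets named in the article is doubly suspicious.
            proc = ev.get("image", "").rsplit("\\", 1)[-1].lower()
            reason = "blockchain DNS (EmerDNS TLD)"
            if proc in INJECTION_TARGETS:
                reason += " from injection target " + proc
            findings.append((reason, ev))
    return findings


if __name__ == "__main__":
    for reason, ev in triage(SAMPLE_EVENTS):
        print(reason, "->", ev.get("cmdline") or ev.get("query"))
```

The DNS check only needs the queried name, so it works just as well on resolver or firewall logs as on endpoint telemetry; the scheduled-task check is deliberately narrow (creation plus a user-writable action path) to keep it from firing on legitimate administrative tasks.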

Cybereason researchers say that, according to their research, the hackers took time to review and improve the Trickbot trojan code, making the malware more "insidious". Finally, they point out that although this malware is still under development, the latest improvements and its reappearance may signal the emergence of a new formidable threat.

