The TrickBot gang is going after more and more "high value" targets using a relatively new trojan named BazarLoader. After the initial BazarLoader infection, further malware can be installed; in the final stage, that is the Ryuk ransomware.
For years, the TrickBot gang has used its trojans to put corporate networks at risk by downloading tools used to steal access credentials, spread to other computers, or even steal a domain's Active Directory database.
From TrickBot to BazarLoader
In April 2020, the TrickBot gang began using a new infection method, BazarLoader / BazarBackdoor, in phishing attacks.
Researchers at Advanced Intel stated in a report that, at least in recent months, the gang has been infecting victims not with the infamous TrickBot trojan but with BazarLoader. The targets are mainly "high value" corporate networks.
According to the researchers, BazarLoader is very simple but manages to cause great damage to victims' systems.
A BazarLoader infection starts with a targeted phishing email, such as the one received by BleepingComputer in April.
After infecting a computer, BazarLoader uses process hollowing to inject the BazarBackdoor component into legitimate Windows processes such as cmd.exe, explorer.exe and svchost.exe. It also creates a scheduled task that loads BazarLoader each time a user logs on to the system.
Eventually, BazarBackdoor deploys a Cobalt Strike beacon, which gives the attackers remote access to the system and lets them install post-exploitation tools such as BloodHound and LaZagne to take control of the Windows domain and harvest credentials.
Finally, the attackers deploy the Ryuk ransomware across the network and demand a ransom.
According to researcher Kremez, BazarLoader will continue to be used only against selected targets, as it is now; for broader, mass network compromises the attackers will continue to use TrickBot.