TrickBot gang deploys new stealthy backdoor in phishing attacks


Over the past two weeks security researchers have observed a new phishing campaign that aims to infect corporate networks with a new backdoor dubbed BazarBackdoor. The backdoor, which is believed to have been created by the developers behind the TrickBot malware, serves as a toolkit for attackers to gain access to an enterprise's network.

The campaign involves phishing emails, sent to employees via the Sendgrid marketing platform, that use a wide variety of COVID-19 themed lures and contain links to documents hosted on Google Docs, according to Bleeping Computer.

Once the email is opened, the user is prompted to click on the link to view the document (presented as a Word document, Excel spreadsheet, or PDF), but when the link is clicked an executable is downloaded instead, using an icon and file name that match the document type shown on the landing page.

This executable is the BazaLoader loader that downloads the backdoor onto the computer. Once the downloaded file is launched, after a short period of inactivity the loader attempts to connect to its command and control (C&C) server to check in and download the BazarBackdoor malware.

To resolve the Bazar domain of the C&C server, the malware uses Emercoin's decentralized DNS, which makes it harder for law enforcement to seize the hostname.

After the payload is downloaded, it is filelessly injected into the C:\Windows\system32\svchost.exe process using the Process Hollowing and Process Doppelgänging techniques. The backdoor then downloads and executes the Cobalt Strike penetration testing and post-exploitation toolkit on the host machine. Cobalt Strike is a legitimate tool for network security assessment, although cyber criminals often use cracked versions of the software to spread laterally throughout a network, steal credentials, and drop malware.
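As an added defender-side example (not code from the article or from the researchers it cites), the following Python runs two checks over constructed Sysmon-style events: DNS queries for names under Emercoin's decentralized-DNS TLDs (the .bazar TLD behind the "Bazar domain" above; the other TLDs listed are Emercoin's) and svchost.exe instances whose parent, path or arguments do not match the normal services.exe baseline, which is what hollowing the process from a downloaded loader would produce. The baseline allow-list and the sample events are assumptions.

```python
import re
from typing import Dict, List

# Emercoin decentralised-DNS TLDs; .bazar is the one behind the article's "Bazar domain".
EMERCOIN_TLDS = (".bazar", ".emc", ".coin", ".lib")
# Assumed baseline (not from the article): svchost.exe is normally started by
# services.exe from System32/SysWOW64 with a "-k <service group>" argument.
LEGIT_SVCHOST_PARENTS = {"c:\\windows\\system32\\services.exe"}
LEGIT_SVCHOST_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def check_dns_event(query_name: str) -> List[str]:
    """Flag a DNS query whose name falls under an Emercoin TLD."""
    name = query_name.lower().rstrip(".")
    return [f"emercoin-dns:{name}"] if name.endswith(EMERCOIN_TLDS) else []

def check_process_event(image: str, parent: str, cmdline: str) -> List[str]:
    """Flag an svchost.exe whose parent, path or arguments break the baseline."""
    image_l, parent_l = image.lower(), parent.lower()
    if not image_l.endswith("\\svchost.exe"):
        return []
    findings = []
    if parent_l not in LEGIT_SVCHOST_PARENTS:
        findings.append(f"svchost-unexpected-parent:{parent}")
    if not image_l.startswith(LEGIT_SVCHOST_DIRS):
        findings.append(f"svchost-unexpected-path:{image}")
    if not re.search(r"(^|\s)-k\s+\S+", cmdline):
        findings.append("svchost-missing-k-group")
    return findings

def scan(events: List[Dict[str, str]]) -> List[str]:
    """Run both checks over Sysmon-style event dicts and collect the findings."""
    findings: List[str] = []
    for ev in events:
        if ev["type"] == "dns":
            findings += check_dns_event(ev["query"])
        elif ev["type"] == "process":
            findings += check_process_event(ev["image"], ev["parent"], ev["cmdline"])
    return findings

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"type": "dns", "query": "update.example.com"},
    {"type": "dns", "query": "c2-placeholder.bazar"},
    {"type": "process", "image": "C:\\Windows\\System32\\svchost.exe",
     "parent": "C:\\Windows\\System32\\services.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"type": "process", "image": "C:\\Windows\\System32\\svchost.exe",
     "parent": "C:\\Users\\alice\\Downloads\\PreviewReport.exe", "cmdline": "svchost.exe"},
]
```

Calling `scan(SAMPLE_EVENTS)` returns one finding for the .bazar lookup and two for the svchost.exe started by the downloaded executable without a `-k` group, while the legitimate services.exe child produces none.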

"This is another high-profile project developed by the same core team as TrickBot due to the spam origin, method of operation, and code overlap analysis," security researcher Vitali Kremez said.

The researchers said the BazarBackdoor malware poses a significant threat to corporate networks, as it can be used to stealthily deploy ransomware or conduct other attacks.
