Group Behind TrickBot Spreads Fileless BazarBackdoor
April 27, 2020
A new campaign is propagating a new malware named “BazarBackdoor,” a fileless backdoor reportedly created by the same threat actors behind TrickBot, as reported by BleepingComputer. The conclusion is drawn due to similarities in code, crypters, and infrastructure between the two malware variants.The social engineering attacks that were used to spread the backdoor leverage topics such as customer complaints, Covid-19-themed payroll reports, and employee termination lists for the emails they send out. The messages have links to Google Docs files. Once the users click the links, they will be redirected to a landing page. The pages state that the Word Document, Excel Spreadsheet, or PDF cannot be properly viewed. It then instructs the user to click on a link to open the file.
Clicking on the link downloads an executable that masquerades through icons and names associated with the mentioned file types. For instance, the supposed customer complaint document will be downloaded as Preview.PDF.exe, which uses the PDF icon. Since the file extension is hidden by default, the file will convincingly appear as a PDF file.
The disguised executable serves as the loader for the backdoor. After launching the file, the loader sleeps for some time, then connects to command and control (C&C) servers to check-in and download the payload. The payload will then be injected filelessly into C:\Windows\system32\svchost.exe through process hollowing and process doppelgänging techniques. The backdoor will be installed on the computer.
This sets a scheduled task that launches the loader every time the user logs into Windows, which makes way for new versions of the backdoor to be downloaded and injected into svchost.exe. Security researchers Vitali Kremez and James revealed that this malware was most likely created by the threat actors behind TrickBot trojan. This is because both malware types use the same crypter and email chain deliverables. Both malware also utilize the Emercoin DNS resolution service for C&C server communication.
Defense against fileless threats
Fileless threats are stealthy and difficult to detect because they take advantage of existing applications to infiltrate and attack systems. However, users can still defend against these malware types by adhering to the following best practices:
- Secure possible entry points. Malicious sites, spam, and third-party components like browser plug-ins can all be sources of fileless malware. Be cautious when downloading attachments and other files, and never click links from unfamiliar sources.
- Reboot device and change passwords. In case of infection, users can stop fileless attacks that do not employ persistence techniques by restarting the device. As an extra precaution, users should also change their passwords.
- Utilize behavior monitoring and analysis. These can detect and block malicious behaviors and routines associated with malware, stopping threats before they can reach the system.
To further secure the system, the following security solutions are recommended:
- Trend Micro Apex One™– Employs behavior analysis to protect systems against malicious scripts, injection, ransomware, and memory and browser attacks related to fileless threats.
- Trend Micro Apex One Endpoint Sensor – Through Endpoint Detection and Response (EDR) and X Detection and Response (XDR), monitors events and processes that trigger malicious activity.
- Trend Micro Worry-Free Services – Utilizes behavior monitoring to detect script-based, fileless threats, preventing malware from entering the system.
Indicators of Compromise
| SHA-256 | Detection Name |
| 11b5adaefd04ffdaceb9539f95647b1f51aec2117d71ece061f15a2621f1ece9 | Trojan.Win64.TRICKBOT.CFI |
| 1e123a6c5d65084ca6ea78a26ec4bebcfc4800642fec480d1ceeafb1cacaaa83 |
Trojan.Win64.TRICKBOT.CFJ |
| 37d713860d529cbe4eab958419ffd7ebb3dc53bb6909f8bd360adaa84700faf2 | Trojan.Win64.TRICKBOT.CFL |
| 4e4f9a467dd041e6a76e2ea5d57b28fe5a3267b251055bf2172d9ce38bea6b1f | Trojan.Win64.TRICKBOT.CFK |
| 55d95d9486d77df6ac79bb25eb8b8778940bac27021249f779198e05a2e1edae | TrojanSpy.Win64.LOKI.A |
| 5a888d05804d06190f7fc408bede9da0423678c8f6eca37ecce83791de4df83d | Trojan.Win64.TRICKBOT.CFL |
| 5dbe967bb62ffd60d5410709cb4e102ce8d72299cea16f9e8f80fcf2a1ff8536 | TrojanSpy.Win32.TRICKBOT.THAOFBO |
| 6cbf7795618fb5472c5277000d1c1de92b77724d77873b88af3819e431251f00 | Trojan.Win32.TRICKBOT.TIGOCBAINS |
| 835edf1ec33ff1436d354aa52e2e180e3e8f7500e9d261d1ff26aa6daddffc55 | TrojanSpy.Win64.LOKI.A |
| 859fa9acf0b8a989a1634a1eee309355438b9f6b6f73b69f12d53ac534618c6a | Trojan.Win64.TRICKBOT.CFK |
| a76426e269a2defabcf7aef9486ff521c6110b64952267cfe3b77039d1414a41 | Trojan.Win64.TRICKBOT.CFJ |
| c55f8979995df82555d66f6b197b0fbcb8fe30b431ff9760deae6927a584b9e3 | Trojan.Win64.TRICKBOT.CFL |
| ce478fdbd03573076394ac0275f0f7027f44a62a306e378fe52beb0658d0b273 | Trojan.Win64.TRICKBOT.CFM |
| e90ccb9d51a930f69b78aa0d2612c4af2741311088b9eb7731857579feef89c3 | Trojan.Win64.TRICKBOT.CFL |
HIDE
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.
Posted in Cybercrime & Digital Threats
Recent Posts
- Lost in Translation: When Industrial Protocol Translation goes Wrong
- Unveiling the Hidden Risks of Industrial Automation Programming
- Online Dating Websites Lure Japanese Customers to Scams
- Application Security 101
- Hacker Infrastructure and Underground Hosting 101:Where Are Cybercriminal Platforms Offered?
Lost in Translation: When Industrial Protocol Translation goes Wrong
Application Security 101
Know the Symptoms: Protect Your Devices While Working From Home 
Alexa and Google Home Devices can be Abused to Phish and Eavesdrop on Users, Research Finds