The BazarBackdoor Trojan is a utility that was likely created by the same cyber crooks who are behind the infamous TrickBot banking Trojan. However, there are significant differences between the two hacking tools. The TrickBot banking Trojan is designed to collect financial information from its targets, such as login credentials to banking portals. The BazarBackdoor tool does not serve this purpose. Its goal is to allow its operators to plant additional malware on the infected systems. This means that the operators of the BazarBackdoor tool are able to deploy various other threats that help them collect information, alter the settings of the host, carry out reconnaissance operations, etc. This makes the BazarBackdoor threat a highly harmful piece of malware.
According to researchers, the BazarBackdoor malware is being propagated with the help of spam emails. The cyber crooks behind the BazarBackdoor threat are likely to tailor the emails differently in each campaign. Some of the corrupted emails may claim to contain urgent information regarding the Coronavirus, while others may appear to include important details such as job offers, government announcements, etc. Instead of using corrupted attached files, the attackers have chosen to link users to a bogus Google Docs page, which appears to host a document that cannot be viewed by the victim. The fraudulent Google Docs page offers a download link that would allow the users to get hold of the document and view it. However, if they try to download the file offered by the dodgy page, they will get a copy of the BazarBackdoor malware instead of obtaining a legitimate document.
To conceal the true nature of the corrupted file, the attackers have opted to utilize a very old, basic trick – the double extension. Windows hides extensions by default, which allows this trick to work. For example, a file named ‘CV.pdf.exe’ would appear as ‘CV.pdf’ and may trick users into believing that this is nothing more than a harmless document.
Backdoors like the recently discovered BazarBackdoor are needed for advanced network attacks. These attacks involve corporate espionage, data exfiltration, and corporation-scale ransomware attacks. Hackers must be able to get in without raising the alarm, hence the need for a stealthy backdoor.
It All Begins with a Phishing Attack
The standard BazarBackdoor attack begins with a phishing campaign. This campaign uses a wide range of lures to trick victims, including customer complaints, employee termination lists, and financial reports. BazarBackdoor adds an extra layer to the attack by wrapping everything up neatly in COVID-19 packaging to make everything seem more legitimate and urgent.
BazarBackdoor stands out for taking a more serious approach to the landing pages involved in the lures. Not every APT will put so much thought into making landing pages look legitimate. As you can see in the screenshot below, there is a page that uses a COVID-19 related payroll report to trick victims.
The landing pages all pretend to be official documents, spreadsheets, or PDF files that cannot be opened correctly. Users are prompted to follow a link in order to see the document. When they click that link, the malware executable is downloaded instead.
The executable file is disguised as another kind of file to trick people. The payroll report, for example, would be called something like PreviewReport.DOC.exe. Because most people do not have file extensions displayed, they read the file name, assume it is a legitimate document, and do not realize it is actually an executable file.
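The double-extension disguise described above (CV.pdf.exe and PreviewReport.DOC.exe) can be checked for mechanically on the defender's side. The following is an added example, not code from the original article: it reconstructs what Explorer would show with extensions hidden and flags download names whose real extension is executable while the visible name ends in a document extension. The extension lists are assumptions chosen for illustration, not a complete set.

```python
import os

# Extensions Windows runs as programs/scripts; the article's example is ".exe".
# The set is an assumption for this example, not an exhaustive list.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta"}

# Document-looking extensions used as the decoy middle extension (assumed list).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt", ".rtf"}


def displayed_name(filename: str) -> str:
    """Name as Explorer shows it when 'Hide extensions for known file types' is on:
    only the final extension is hidden, so 'CV.pdf.exe' is shown as 'CV.pdf'."""
    stem, ext = os.path.splitext(os.path.basename(filename))
    return stem if ext else filename


def is_disguised_executable(filename: str) -> bool:
    """True when the real (last) extension is executable and the part the user
    sees ends in a document extension, i.e. the double-extension lure."""
    stem, real_ext = os.path.splitext(os.path.basename(filename))
    if real_ext.lower() not in EXECUTABLE_EXTS:
        return False
    _, shown_ext = os.path.splitext(stem)
    return shown_ext.lower() in DOCUMENT_EXTS


def scan_downloads(filenames):
    """Return (real name, displayed name) for every download that uses the lure.
    Input is a list of file names, e.g. from a browser download log."""
    return [(name, displayed_name(name)) for name in filenames if is_disguised_executable(name)]


if __name__ == "__main__":
    # Constructed sample download names; only the first two use the trick.
    sample = ["PreviewReport.DOC.exe", "CV.pdf.exe", "PayrollReport.xlsx", "setup.exe", "notes.txt"]
    for real, shown in scan_downloads(sample):
        print(f"suspicious: user sees '{shown}', file is really '{real}'")
```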
The executable file loads up the backdoor virus and installs it on an infected computer.
Upon infecting the targeted system, the BazarBackdoor malware injects its corrupted code into a process named ‘svchost.exe,’ a name that looks innocuous and is unlikely to attract the victim's attention. Next, the BazarBackdoor threat connects to the operators’ C&C (Command & Control) server. So far, the authors of the BazarBackdoor malware appear to be using this hacking tool to deliver a cracked version of the Cobalt Strike tool. Cobalt Strike is a genuine testing platform used by cybersecurity analysts, which is also utilized by cyber crooks in their harmful operations.
The Attachment loads the Backdoor
The loader sits quietly for a period after launch. It then connects to the command and control server to download the actual payload for the backdoor.
BazarBackdoor uses the Emercoin decentralized DNS resolution service to find its command and control servers. The malware looks up a “Bazar” domain, which resolves only through Emercoin's DNS servers. Given the decentralized nature of these servers, it is almost impossible for law enforcement to seize the hostname and track the criminals.
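Because the “Bazar” domain only resolves through Emercoin DNS, a lookup for such a name is itself a useful signal. The following is an added example, not code from the original article: it runs over constructed DNS query log lines (not real telemetry) and reports hosts that looked up names under a blockchain TLD. It goes slightly beyond the article by also matching the other Emercoin zones (.emc, .coin, .lib), which the article does not mention; the log line format is an assumption for this example.

```python
import re
from collections import defaultdict

# Emercoin blockchain-DNS top-level domains. The article names only .bazar; the
# other three are the remaining Emercoin zones and are added here as a generalisation.
EMERCOIN_TLDS = ("bazar", "emc", "coin", "lib")

# Assumed log shape: "<timestamp> <client> query <type> <name>" (not a real product format).
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+query\s+(?P<qtype>\S+)\s+(?P<qname>\S+)$")

# Constructed sample log; the .bazar names are placeholders, not real indicators.
SAMPLE_DNS_LOG = """\
2020-04-27T09:12:01Z wks-17 query A updates.example.com
2020-04-27T09:12:05Z wks-17 query A update-host.bazar
2020-04-27T09:13:10Z wks-22 query A docs.google.com
2020-04-27T09:14:44Z wks-17 query A cdn-mirror.bazar
2020-04-27T09:15:02Z wks-09 query AAAA mail.example.org
not a log line at all
"""


def uses_emercoin_tld(qname: str) -> bool:
    """True when the queried name's last label is an Emercoin TLD."""
    labels = qname.rstrip(".").lower().split(".")
    return len(labels) >= 2 and labels[-1] in EMERCOIN_TLDS


def find_blockchain_dns_lookups(log_text: str):
    """Return (timestamp, host, name) for every query that resolves via Emercoin DNS.
    Malformed lines are skipped rather than aborting the scan."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and uses_emercoin_tld(m["qname"]):
            hits.append((m["ts"], m["host"], m["qname"]))
    return hits


def hosts_by_lookup_count(log_text: str):
    """Aggregate hits per client so a triage list shows which hosts to look at first."""
    counts = defaultdict(int)
    for _, host, _ in find_blockchain_dns_lookups(log_text):
        counts[host] += 1
    return dict(counts)


if __name__ == "__main__":
    for ts, host, name in find_blockchain_dns_lookups(SAMPLE_DNS_LOG):
        print(f"{ts} {host} looked up {name} (Emercoin DNS zone)")
    print(hosts_by_lookup_count(SAMPLE_DNS_LOG))
```

Since these zones are not part of the public DNS root, an ordinary corporate resolver returns NXDOMAIN for them, so the lookups only appear in resolver logs if the client actually sends them through that resolver; hosts talking to external resolvers directly are worth a separate check.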
After finding and connecting to a C2 server, the loader checks in twice. The first request is denied, but the second leads to the download of an encrypted payload, believed to be the actual BazarBackdoor malware.
The payload is injected into an svchost.exe process filelessly. Users are so used to seeing multiple svchost.exe processes in Task Manager that they are unlikely to notice another one. This is how the malware hides in plain sight on a system.
The malware also creates a scheduled task to launch the loader at system startup and log-in. This means that the loader regularly connects to the server and downloads updated versions of the backdoor when they are made available.
BazarBackdoor reportedly downloads other toolkits, including the Cobalt Strike penetration testing toolkit. Cybersecurity researchers use Cobalt Strike to simulate attacks and perform network security assessments against simulated threats on a network.
Attackers use a cracked version of the software as part of their toolkit, repurposing it to steal credentials and drop malware across a network.
The use of Cobalt Strike makes it evident that the backdoor is used to gain access to corporate machines to deploy ransomware, steal data and credentials, and so that hackers can sell access to the network to other parties.
The Connection to TrickBot
According to security researchers, there is evidence that this malware is connected to the team behind the notorious TrickBot Trojan. The method of operation, origins in spam, and similar code mark the two as being developed by the same people.
Another connection between the two is that the TrickBot Anchor project uses Emercoin DNS resolution to communicate with its C2 servers, just like BazarBackdoor. Even the certificates used for their TLS communications were created in a similar way.
Given how many phishing emails are sent out carrying this backdoor, BazarBackdoor is a severe threat to corporate networks. The backdoor can install malware and ransomware on corporate servers. Businesses should keep an eye out for it and make sure employees understand how to spot fake emails.