The TrickBot Trojan operators are distributing a new backdoor named BazarBackdoor in targeted phishing attacks on businesses. BazarBackdoor is a stealthy backdoor that gives the attackers full access to corporate networks.
The malware is being distributed via spear phishing emails that are well written and convincing. Several different lures are used in the campaign, including employee termination lists, customer complaints, and coronavirus-themed payroll reports. The emails carry no attachment; instead, they contain an embedded hyperlink that recipients must click to view the document referenced in the email. Clicking the link takes the user to Google Docs.
When the user follows the link they are presented with an error message stating that the file cannot be viewed and must be downloaded instead. The downloaded file appears to be a Word document, but it has a double extension and is actually an executable. Windows hides known file extensions by default, so the user may mistakenly believe the file is a Word document. The downloaded file is named PreviewReport.DOC.exe, but with extensions hidden users would only see PreviewReport.DOC.
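The double-extension trick only works because Explorer hides the final extension. The PowerShell below is an added example, not code from the original article or from the researchers who reported the campaign: it reads the Explorer setting that controls this, flags files whose visible name ends in a document-style extension while the real extension is executable, and exercises the check against a constructed folder containing a placeholder PreviewReport.DOC.exe. The folder path, the extension lists, and the function names are assumptions for illustration.

```powershell
# Added example (not from the original article). Audit the "hide known
# extensions" setting and hunt for double-extension files such as
# PreviewReport.DOC.exe. Function names and extension lists are assumptions.

$ExplorerAdvancedKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Get-HideFileExtSetting {
    # Returns 1 when Explorer hides known extensions (the Windows default),
    # 0 when extensions are shown. A missing value means the default applies.
    $item = Get-ItemProperty -Path $ExplorerAdvancedKey -Name HideFileExt -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 1 }
    return [int]$item.HideFileExt
}

function Show-FileExtensions {
    # Set HideFileExt to 0 so Explorer displays the real extension.
    # Explorer reads this value at start; sign out and back in (or restart
    # explorer.exe) before expecting the change in the UI.
    Set-ItemProperty -Path $ExplorerAdvancedKey -Name HideFileExt -Value 0 -Type DWord
}

function Find-DoubleExtensionFiles {
    param([Parameter(Mandatory)][string]$Path)

    # Extensions a user would read as a harmless document (assumed list).
    $docLike  = 'doc|docx|xls|xlsx|ppt|pptx|pdf|txt|rtf|jpg|png'
    # Extensions Windows will execute or hand to a script host (assumed list).
    $execLike = 'exe|scr|com|pif|bat|cmd|js|jse|vbs|vbe|wsf|hta|msi|ps1|lnk'
    $pattern  = "(?i)\.($docLike)\.($execLike)$"

    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $_.FullName
                # What Explorer shows with HideFileExt=1: the name minus its last extension.
                Displayed = [System.IO.Path]::GetFileNameWithoutExtension($_.Name)
                Actual    = $_.Extension
                SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# --- Constructed demonstration (placeholder files, not real malware) ---
$demoDir = Join-Path $env:TEMP ('ddext-demo-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $demoDir | Out-Null
'placeholder' | Set-Content -Path (Join-Path $demoDir 'PreviewReport.DOC.exe')   # should be flagged
'placeholder' | Set-Content -Path (Join-Path $demoDir 'Quarterly.docx')          # should not be flagged
'placeholder' | Set-Content -Path (Join-Path $demoDir 'notes.txt.js')            # should be flagged

"HideFileExt is currently: $(Get-HideFileExtSetting) (1 = extensions hidden)"
Find-DoubleExtensionFiles -Path $demoDir | Format-Table Displayed, Actual, Path -AutoSize

Remove-Item -Path $demoDir -Recurse -Force
```

Run the hunt against the Downloads and Desktop folders of the user profiles you care about; to make the setting change for every user rather than the current one, deploy HideFileExt=0 through Group Policy Preferences instead of editing HKCU by hand. A match on the regex is a trigger for review, not proof of compromise, so record the SHA256 and check it against your existing intelligence before acting on it.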
Executing the file silently launches a malware loader in the background, which connects to the attackers' command and control server. Once the connection is established, BazarBackdoor is downloaded.
The phishing campaign and backdoor were first identified by researchers at Panda Security. In a recent blog post they explained that the backdoor is enterprise-grade malware, which shares some of its source code with the TrickBot Trojan. The phishing campaigns used to deliver the backdoor are also similar to those used by the operators of TrickBot, which strongly suggests the malware has been developed by the same people responsible for the TrickBot Trojan.
The backdoor gives the attackers full access to corporate networks, which allows them to steal sensitive data and intellectual property and download other malware or ransomware payloads.