In a new wave of phishing attacks, a new malware named ‘BazarBackdoor’, or internally by the malware developers as simply “backdoor”, is being installed that deploys a network-compromising toolkit for the threat actors. The malware has similarities to TrickBot trojan and developers of this malware are likely to be the ones behind Trickbot as well.
The initial attack starts with phishing campaigns that utilize a wide variety of lures such as customer complaints, COVID-19 themed payroll reports and employee termination lists that contain links to documents hosted on Google Docs.
Threat actors have worked specifically on the landing page to ensure that the victim falls prey to the lure and a lot of styling and detailing has been done to make sure that the landing page looks authentic.
Fake payroll template
Fake customer complaint template
When the link is clicked, an executable will be downloaded instead that uses an icon and name associated with the icon shown on the landing page.
After a victim launches the downloaded file, the loader will sleep for a short period of time and then connect to command and control servers to check-in and download the backdoor payload. After the payload is downloaded, it will be filelessly injected into the C:\Windows\system32\svchost.exe process.
A scheduled task will also be configured to launch the loader when a user logs into Windows, which will allow new versions of the backdoor to be routinely downloaded and injected into the svchost.exe process.