
BazarBackdoor

Posted: April 27, 2020

BazarBackdoor is a backdoor Trojan that grants attackers administrative access to the system. BazarBackdoor also may download and run other threats, such as a cracked variant of the Cobalt Strike program. Users in corporate environments should be particularly alert to phishing attacks and use dedicated anti-malware solutions for removing BazarBackdoor if necessary.

A New Trick from Old Bot Masters

The developers of Trojan.Trickbot, a bank account-compromising threat, are either offering BazarBackdoor as new wares to other threat actors or running a campaign of their own with it. BazarBackdoor is a three-stage threat tuned to evade corporate network security, and victims across several industries have confirmed live attacks involving it. The source is phishing messages, and the result is Cobalt Strike.

The phishing tactic is a series of e-mail messages referring to various documents, such as lawyer notifications, invoices, or COVID-19 warnings (sharing a theme with many 2020 threats, like CoronaLocker and SARS-CoV-2 Ransomware). The documents are not attached; instead, the message body links to downloads presented as so-called advanced content, previews, and the like. Users clicking the links download an executable with icons and names reminiscent of Word documents, Adobe PDFs and so forth.

This attack doesn't install BazarBackdoor directly. First, it runs through a Trojan downloader sequence with BazarLoader (according to its internal name), which downloads BazarBackdoor from a decentralized server and injects it into 'svchost' memory with a standard process-hollowing technique. svchost is an easy disguise on Windows because several svchost processes are always running on a typical system.

As far as malware analysts can discern, BazarBackdoor's primary purpose is enabling the installation of Cobalt Strike, a tool for simulating network attackers. Cracked versions of Cobalt Strike, as seen with Cobalt, Rocke Cryptojacking, and PyXie RAT, let the attacker traverse the network and gain in-depth control over breached PCs.

Swinging Doors Shut on Tricky Software

BazarBackdoor borrows many internal, structural elements from Trojan.Trickbot, but, unlike that threat, isn't a dedicated banking Trojan for targeting financial accounts. However, the general-purpose flexibility of Cobalt Strike makes BazarBackdoor infections into possible footholds for multiple attacks. Threat actors could use that foothold to collect private information, encrypt files and ransom them, or build a cryptocurrency-mining botnet.

Conveniently, users guarding against Trojan.Trickbot's delivery vectors, as noted above, receive equal protection against BazarBackdoor. Employees should always scan files for potential threats before opening them, be wary of enabling additional or restricted content, and enable visible file extensions so exact filenames are shown. In conjunction with common-sense awareness of modern-day phishing themes, most business networks should remain safe.
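The lure described above (an executable carrying a document-like name and icon) and the advice to keep extensions visible suggest a simple triage check. The following is an added example, not code from the original write-up or the BazarBackdoor campaign: it flags a download whose visible name or leading bytes contradict the document it claims to be. The extension sets and sample files are constructed for the demonstration.

```python
import os

# Extension sets, magic bytes and sample files below are constructed for this
# demonstration; they are not indicators taken from the BazarBackdoor campaign.
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf"}
EXE_EXTS = {".exe", ".scr", ".com", ".pif"}
PE_MAGIC = b"MZ"           # DOS header every Windows executable starts with
PDF_MAGIC = b"%PDF"        # header of a genuine PDF
ZIP_MAGIC = b"PK\x03\x04"  # .docx/.xlsx are ZIP containers

def triage(name: str, head: bytes) -> list[str]:
    """Return reasons a download looks like an executable posing as a document.

    `name` is the file name with all extensions visible; `head` is the first
    few bytes of the file. An empty list means nothing suspicious was found.
    """
    reasons = []
    root, ext = os.path.splitext(name.lower())
    inner_ext = os.path.splitext(root)[1]

    # "Invoice.pdf.exe": Windows runs whatever the last extension says.
    if ext in EXE_EXTS and inner_ext in DOC_EXTS:
        reasons.append(f"double extension {inner_ext}{ext}: executable named like a document")
    # A document extension on bytes that are really a PE image.
    if ext in DOC_EXTS and head.startswith(PE_MAGIC):
        reasons.append(f"content is a Windows executable but extension is {ext}")
    # A document extension whose expected container header is missing.
    if ext == ".pdf" and not head.startswith(PDF_MAGIC):
        reasons.append("claims to be a PDF but lacks the %PDF header")
    if ext in {".docx", ".xlsx"} and not head.startswith(ZIP_MAGIC):
        reasons.append(f"claims to be {ext} but is not a ZIP container")
    return reasons

def triage_file(path: str) -> list[str]:
    """Apply triage() to a file on disk, reading only its first 8 bytes."""
    with open(path, "rb") as fh:
        return triage(os.path.basename(path), fh.read(8))

# Constructed samples standing in for files fetched from a phishing link.
SAMPLES = {
    "Invoice_2020-04.pdf.exe": b"MZ\x90\x00\x03\x00\x00\x00",
    "COVID-19_notice.docx": b"MZ\x90\x00\x03\x00\x00\x00",
    "legal_notice.pdf": b"%PDF-1.7\n",
    "quarterly.xlsx": b"PK\x03\x04\x14\x00\x06\x00",
}

if __name__ == "__main__":
    for sample_name, sample_head in SAMPLES.items():
        print(sample_name, "->", triage(sample_name, sample_head) or "no finding")
```

Run over a downloads folder with `triage_file`, the check catches the double-extension lure even when Explorer hides the final `.exe`.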

Network breaches should be resolved by removing BazarBackdoor and Cobalt Strike with anti-malware technology immediately, after which all affected users should change critical information such as passwords. BazarBackdoor is, unsurprisingly, capable of running on most versions of Windows.

BazarBackdoor is part of a sadly-common story of White Hat software's abuse by bad actors. Whether it's Cobalt Strike, Hidden Tear, or something else, criminals so inclined can twist almost any software towards damaging and costly results for businesses.
