June 2, 2020
By David Bisson 2 min read

Security researchers observed the Trickbot operators using a new backdoor called “BazarBackdoor” to gain full access to targeted networks.

Panda Security explained that Trickbot’s attempts to deliver BazarBackdoor began with a spear phishing campaign. That operation’s attack emails leveraged employee termination notices, customer complaints and other themes to trick recipients into clicking on a link for a file hosted on Google Docs. The links redirected victims to a website that informed the recipient that they needed to download the file directly in order to view it correctly.

When downloaded, the documents ran hidden executable code to call a loader. This asset remained quiet for a time before connecting with a command-and-control (C&C) server for the purpose of downloading BazarBackdoor. This malware shared parts of the same code along with delivery and operation methods employed by Trickbot, similarities that led Panda Security to speculate that the same actors were responsible for developing both threats.

Trickbot’s Activity Involving Other Backdoors

BazarBackdoor didn’t mark the first time that Trickbot has leveraged a backdoor in its attack efforts. Back in April 2019, Cybereason detected an attack campaign in which Emotet loaded Trickbot as a means to deploy Ryuk ransomware. In that attack, Trickbot used its reverse shell module, “dll.dll,” to perform reconnaissance so that it could eventually launch the Empire backdoor. In January 2020, Sentinel Labs observed Trickbot using “PowerTrick,” a backdoor that helped the malware conduct reconnaissance of and remain persistent on the networks of targeted financial institutions.

Defend Against BazarBackdoor

Security professionals can help defend their organizations against phishing attacks carrying BazarBackdoor by making sure that there’s an incident response (IR) plan in place that provides guidance on how to remediate a successful phishing attack. Having a plan is not enough; teams should also regularly test this strategy to ensure the plan works ahead of an attack. Additionally, infosec personnel should leverage ongoing phishing simulations to strengthen their employees’ defenses against email attacks.

 |  |  |  |  |  |  |  |  |  |  |  | 
David Bisson
Contributing Editor

More from

Cloud Security   June 30, 2023

Cloud Workload Protection Platforms: An Essential Shield

2 min read - Businesses of all sizes increasingly rely on cloud computing to power their operations. This shift has brought with it a new set of security challenges. To protect their workloads in the cloud, many of these businesses are deploying a critical tool for cloud security: cloud workload protection platforms (CWPPs).What are Cloud Workload Protection Platforms?CWPPs are comprehensive security solutions designed specifically for cloud-based environments. They provide advanced protection and threat detection capabilities to safeguard cloud workloads and guarantee the confidentiality, integrity…

2 min read
Risk Management   June 29, 2023

Is Open-Source Security a Ticking Cyber Time Bomb?

4 min read - Software depends on layers of code, and much of that code comes from open-source libraries. According to an Octoverse 2022 report, open-source code is used in 97% of applications. Not only do developers embrace open source, but so do nine in 10 companies. “Open-source software is the foundation of 99% of the world’s software,” Martin Woodward, VP of developer relations at GitHub, told VentureBeat.As the foundation of just about every piece of software, every application or device runs on code that…

4 min read
Threat Research   June 28, 2023

Threat Sharing Evolution: How Groups Offer Less Risk and Better Intelligence to Members

16 min read - Listen to this podcast on Apple Podcasts, Spotify or wherever you find your favorite audio content. In 2019, the World Economic Forum advocated for increased threat intelligence sharing by arguing that cybersecurity is a “public good.” Meaning, if organizations — both public and private — share threat information across groups, everyone has a clearer picture of the threat landscape and with it, the ability to better defend against increasingly aggressive and sophisticated threat actors. In response, multiple threat-sharing groups have sprung to life,…

16 min read
Risk Management   June 28, 2023

How to Manage Cyber Risk During Mergers and Acquisitions

4 min read - By attracting attention from threat actors, merger and acquisition (M&A) events are a significant source of cyber crime risk. So much so that, according to a 2020 IBM Institute of Business Value study, more than one in three executives said they experienced data breaches that can be attributed to M&A activity during integration.Security ratings, provided by security rating services (SRS), can deliver an overview of risk to stakeholders. But attack surface management (ASM) tools give security teams actionable insight on…

4 min read
© 2023 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature