BazarBackdoor: New Entry Point to Enterprise Systems



In mid-March, the number of brute-force attacks on RDP connections increased sharply. These attacks aimed to take advantage of the sudden increase in the number of remote workers and to gain control of their corporate computers.

Information security experts have discovered a new phishing campaign that distributes a stealthy backdoor called BazarBackdoor (new malware from the TrickBot operators), which can be used to compromise corporate networks and gain full access to them.

As with 91% of cyber attacks, this one begins with a phishing email. Various topics are used to personalize the emails: customer complaints, payroll reports related to the coronavirus, or employee lay-off lists. All of these emails contain links to documents hosted on Google Docs. The criminals use the Sendgrid marketing platform to send the malicious emails.



The campaign uses so-called “spear phishing”: the criminals have gone to considerable effort to make the websites linked from the emails look legitimate and relevant to the subject of each email.

Malicious Documents


The next step in the BazarBackdoor campaign is to get the victim to download the document. The decoy websites claim to have problems displaying the Word, Excel or PDF file, so users are prompted to download the document in order to view it locally on their computer.

When the victim clicks the link, an executable is downloaded whose icon and name match the type of document shown on the website. For example, the “Payroll Report during COVID-19” link downloads a file called PreviewReport.doc.exe. Since Windows hides file extensions by default, most users will simply see PreviewReport.doc and open the file, believing it to be a legitimate document.
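The double-extension trick described above is easy to check for at a mail gateway or in download logs. The following is an added example written for this article, not code from BleepingComputer or from the malware analysis; the log format is a constructed, hypothetical one (timestamp, user, URL, saved filename), and the extension lists are assumptions about which types Explorer hides and which carry a document icon.

```python
import re
from typing import Dict, List

# Extensions that carry a document-style icon, and extensions Windows will execute.
# Explorer hides the *last* extension of a known type by default, so
# "PreviewReport.doc.exe" is displayed as "PreviewReport.doc" (assumed lists).
DOCUMENT_EXTS = {"doc", "docx", "xls", "xlsx", "pdf", "ppt", "pptx", "rtf", "txt"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "msi"}


def visible_name(filename: str) -> str:
    """Name as Explorer renders it with known extensions hidden: the final extension is dropped."""
    base, dot, ext = filename.rpartition(".")
    if dot and ext.lower() in DOCUMENT_EXTS | EXECUTABLE_EXTS:
        return base
    return filename


def is_disguised_executable(filename: str) -> bool:
    """True when the real extension is executable but the name the user sees ends in a document extension."""
    parts = filename.lower().split(".")
    if len(parts) < 3:
        return False
    real_ext, shown_ext = parts[-1], parts[-2]
    return real_ext in EXECUTABLE_EXTS and shown_ext in DOCUMENT_EXTS


# Constructed sample download-log lines (hypothetical format; example.invalid hosts).
SAMPLE_LOG = """\
2020-04-24T10:01:12Z alice https://docs.example.invalid/view?id=1 PreviewReport.doc.exe
2020-04-24T10:03:40Z bob https://intranet.example.invalid/q1.xlsx Q1-Forecast.xlsx
2020-04-24T10:05:02Z carol https://files.example.invalid/c TerminationList.pdf.scr
2020-04-24T10:07:55Z dave https://files.example.invalid/setup setup.exe
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<url>\S+) (?P<file>\S+)$")


def find_disguised_downloads(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per download whose filename would mislead a user with hidden extensions."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if is_disguised_executable(m["file"]):
            hits.append({"user": m["user"], "file": m["file"], "shown_as": visible_name(m["file"])})
    return hits


if __name__ == "__main__":
    for hit in find_disguised_downloads(SAMPLE_LOG):
        print(f"{hit['user']}: downloaded {hit['file']} (shown as {hit['shown_as']})")
```

A plain `setup.exe` is not flagged: the check targets the specific deception the campaign relies on, a document-looking name in front of an executable extension, so it stays quiet on ordinary installers while catching both the `.doc.exe` lure from the article and variants such as `.pdf.scr`.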

Hidden backdoor


The executable disguised as a document is the loader for BazarBackdoor (BazarLoader). When the user launches it, the loader lies dormant for a short time before connecting to an external command-and-control (C2) server to download BazarBackdoor.

To obtain the address of the C2 server, BazarLoader uses the Emercoin decentralized DNS service to resolve several host names under the .bazar domain. The .bazar domain can only be resolved through Emercoin DNS servers, and because the system is decentralized, it is difficult (if not impossible) for law enforcement agencies to track down the host in question.

Host names used for the C2 servers:

  • forgame.bazar
  • bestgame.bazar
  • thegame.bazar
  • newgame.bazar
  • portgame.bazar
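Because .bazar is not a TLD that ordinary resolvers know, an infected host's lookups for these names show up in corporate DNS logs as a burst of unresolvable queries. The following detection logic is an added example for this article, not code from the BleepingComputer report; the query-log format is constructed and hypothetical, the .bazar host names are the ones listed above, and the other Emercoin zones (.coin, .emc, .lib) are included as the remaining TLDs that service serves.

```python
import re
from typing import Dict, List

# TLDs served only by Emercoin's blockchain-backed DNS. BazarLoader uses .bazar;
# the rest are the other Emercoin zones, included so the check generalises.
EMERCOIN_TLDS = {"bazar", "coin", "emc", "lib"}

# Constructed sample lines in a simplified query-log format (hypothetical):
# <timestamp> <client_ip> <qtype> <qname> <rcode>
SAMPLE_DNS_LOG = """\
2020-04-24T10:11:01Z 10.1.4.22 A forgame.bazar NXDOMAIN
2020-04-24T10:11:01Z 10.1.4.22 A bestgame.bazar NXDOMAIN
2020-04-24T10:11:03Z 10.1.4.22 A thegame.bazar NXDOMAIN
2020-04-24T10:11:05Z 10.1.5.7 A www.example.com NOERROR
2020-04-24T10:11:09Z 10.1.4.22 A newgame.bazar NXDOMAIN
2020-04-24T10:12:00Z 10.1.6.3 AAAA mail.example.org NOERROR
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<qtype>\S+) (?P<qname>\S+) (?P<rcode>\S+)$"
)


def tld_of(qname: str) -> str:
    """Last label of a query name, ignoring a trailing dot and case."""
    return qname.rstrip(".").rsplit(".", 1)[-1].lower()


def find_emercoin_lookups(log_text: str) -> Dict[str, List[str]]:
    """Map each client that queried an Emercoin TLD to the names it asked for, in log order."""
    by_client: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and tld_of(m["qname"]) in EMERCOIN_TLDS:
            by_client.setdefault(m["client"], []).append(m["qname"].lower())
    return by_client


def clients_over_threshold(by_client: Dict[str, List[str]], min_names: int = 2) -> List[str]:
    """Clients that tried at least `min_names` distinct Emercoin names.

    One stray lookup may be noise; several different .bazar names from one host
    within a short window mirrors the loader walking its C2 list.
    """
    return sorted(c for c, names in by_client.items() if len(set(names)) >= min_names)


if __name__ == "__main__":
    lookups = find_emercoin_lookups(SAMPLE_DNS_LOG)
    for client in clients_over_threshold(lookups):
        print(f"{client} queried Emercoin names: {', '.join(lookups[client])}")
```

The rcode is deliberately not part of the match: a host whose resolver has been redirected to an Emercoin-aware server would get NOERROR answers, and the TLD alone is already the anomaly on a corporate network.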

As soon as the IP address of the C2 server has been obtained, the loader first connects to one C2 and completes registration. According to the experts who tested this backdoor, that request always returned an HTTP 404 error code. The second C2 request, however, retrieves the XOR-encrypted payload, which is the malicious program itself, the BazarBackdoor backdoor.



After the payload is downloaded, it is injected filelessly into the process C:\Windows\system32\svchost.exe. Security researcher Vitali Kremez, who published the technical report, told BleepingComputer that this is done using the Process Hollowing and Process Doppelgänging techniques.



Since Windows users are used to seeing svchost.exe processes in Task Manager, one more svchost.exe process is unlikely to arouse suspicion in most users.

A scheduled task is also configured to start the loader whenever the user logs into Windows, which allows the attackers to regularly download new versions of the backdoor and inject them into the svchost.exe process.
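Although an extra svchost.exe blends in visually, a hollowed copy usually breaks the properties every genuine instance has: it is started by services.exe and carries a `-k <service group>` argument. The same goes for the persistence step, where a logon-triggered task pointing at a user-writable path stands out. The code below is an added example for this article, not BleepingComputer's or the researchers' code; the process snapshot and task list are constructed and hypothetical (the kind of data a Sysmon or EDR export would supply), and the task name `\UpdaterTask` is invented for illustration.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Process:
    pid: int
    ppid: int
    image: str          # full path of the executable
    cmdline: str
    parent_image: str   # full path of the parent's executable


@dataclass
class ScheduledTask:
    name: str
    trigger: str        # e.g. "AtLogon", "Daily", "Weekly"
    action: str         # program the task runs


# Constructed snapshot (hypothetical): two normal svchost instances, the lure
# executable started from Explorer, and a svchost child it spawned.
SNAPSHOT = [
    Process(700, 600, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs -p",
            r"C:\Windows\System32\services.exe"),
    Process(712, 600, r"C:\Windows\System32\svchost.exe", "svchost.exe -k RPCSS -p",
            r"C:\Windows\System32\services.exe"),
    Process(3980, 2200, r"C:\Users\alice\Downloads\PreviewReport.doc.exe", "PreviewReport.doc.exe",
            r"C:\Windows\explorer.exe"),
    Process(4120, 3980, r"C:\Windows\System32\svchost.exe", "svchost.exe",
            r"C:\Users\alice\Downloads\PreviewReport.doc.exe"),
]

# Constructed task list (hypothetical); the task name is invented.
TASKS = [
    ScheduledTask(r"\Microsoft\Windows\Defrag\ScheduledDefrag", "Weekly", r"C:\Windows\System32\defrag.exe"),
    ScheduledTask(r"\UpdaterTask", "AtLogon", r"C:\Users\alice\AppData\Local\Temp\PreviewReport.doc.exe"),
]

SERVICES_EXE = "c:\\windows\\system32\\services.exe"
SYSTEM32 = "c:\\windows\\system32\\"
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def svchost_anomalies(procs: List[Process]) -> List[str]:
    """Flag svchost.exe instances that violate the heuristics every legitimate one satisfies."""
    findings: List[str] = []
    for p in procs:
        if p.image.lower().rsplit("\\", 1)[-1] != "svchost.exe":
            continue
        reasons = []
        if p.parent_image.lower() != SERVICES_EXE:
            reasons.append(f"parent is {p.parent_image}")
        if " -k " not in f" {p.cmdline} ":
            reasons.append("no -k service-group argument")
        # Hollowing keeps the real image path, so this check alone would miss it;
        # it catches the cruder trick of dropping a renamed binary elsewhere.
        if not p.image.lower().startswith(SYSTEM32):
            reasons.append("image outside System32")
        if reasons:
            findings.append(f"pid {p.pid}: " + "; ".join(reasons))
    return findings


def suspicious_logon_tasks(tasks: List[ScheduledTask]) -> List[str]:
    """Logon-triggered tasks whose action lives in a user-writable location."""
    return [t.name for t in tasks
            if t.trigger == "AtLogon" and t.action.lower().startswith(USER_WRITABLE_PREFIXES)]


if __name__ == "__main__":
    for finding in svchost_anomalies(SNAPSHOT):
        print("svchost anomaly:", finding)
    for name in suspicious_logon_tasks(TASKS):
        print("suspicious logon task:", name)
```

Run against a live export, the parent and `-k` checks are what matter for the technique in the article, since hollowing leaves the image path pointing at the genuine System32 binary; the task check complements them by catching the re-launch mechanism rather than the injected process.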



Later, security researchers Kremez and James reported that the backdoor downloads and executes the Cobalt Strike penetration-testing tool together with a dedicated set of utilities for post-exploitation of the victim's machine.

Cobalt Strike is a legitimate information-security application marketed as an “adversary simulation platform”; it is designed to perform network security assessments against a simulated advanced threat that tries to maintain a presence on the network.

However, attackers often use cracked versions of Cobalt Strike as part of their toolkit when spreading across the network, stealing credentials and deploying malware.

Given that it deploys Cobalt Strike, it is clear that this stealthy backdoor is used to gain a foothold in corporate networks so that ransomware can be deployed, data stolen, or network access sold to other attackers.

Similarities between BazarBackdoor and TrickBot


BazarBackdoor is enterprise-class malware. Information security researchers believe that this backdoor was most likely developed by the same team that created the TrickBot Trojan: the two malicious programs share parts of the same code, as well as the same delivery methods and operating principles.

The dangers of backdoors


In any complex attack, whether it is extortion, industrial espionage or the exfiltration of corporate data, this kind of access is extremely important. If a cybercriminal manages to install BazarBackdoor in a company's IT system, it poses a serious danger, and given the volume of emails sent to distribute this backdoor, it is a widespread threat.

As we have seen, BazarBackdoor can be an entry point for a wide range of criminal tools. It is therefore imperative that enterprises are reliably protected in order to prevent potential damage from threats of this kind.

Source: BleepingComputer