Cybersecurity Threat Advisory: Heightened Attack Activity Involving Trickbot Variant 'Bazar Backdoor'

As part of our effort to inform our clients about potential and serious cybersecurity issues, MCP provides advisories about vulnerabilities and exploits that could threaten the operations of their mission-critical communications networks. Sign up to receive these advisories in your inbox as soon as they are released.

This week, there is a new critical alert that requires the mission-critical communications community’s immediate attention.

Advisory Summary

The Mission Critical Partners’ security operations center (SOC) recently observed an uptick in attack activity involving an emerging Trickbot variant known as Bazar Backdoor. Trickbot is a banking trojan and information stealer that has evolved in recent years to fill additional malware roles. Security researchers believe Bazar Backdoor is a new variant of the Trickbot malware family due to similarities found in the source code. Bazar Backdoor is a sophisticated threat in the sense that it is designed to have low detection capability and the potential impact is severe.

Technical Detail and Additional Information

What Is the Threat?

The new variant utilizes advanced phishing techniques to lure targets into downloading the malware on a host. These lures use a variety of themes, such as COVID-19 and payroll information, to entice users to click a link and continue the attack. Typically, these emails have links that direct the user to a Google Docs page with a fraudulent landing page designed to mimic Microsoft files or PDFs. When the link is clicked, an executable file will be downloaded that utilizes an icon that matches whatever file type the landing page was mirroring. Once this executable file is opened on by the user, the backdoor exploit will be installed on the target host.

Why is this Noteworthy?

Once installed, the backdoor exploit injects itself into legitimate processes to obfuscate its existence on the network and adds the processes to scheduled tasks to maintain persistence. These tactics, combined with the sophisticated phishing campaign, make this variant a potent threat that is difficult to detect.

The malicious emails associated with these attacks utilize the legitimate email service Sendgrid to launch the phishing campaigns, and the themes used to lure users are generalized and appeal to a wide target base. The use of a legitimate email server further complicates detection methods and adds a perception of legitimacy to the email, which can fool unaware users. Additionally, the increased numbers of individuals working from home, and varying levels of user security awareness, can leave any organization open to attack. It only takes one careless or unaware user to click on a link that can result in a complete disruption of business operations.

What Are the Recommendations?

Mission Critical Partners recommends providing security awareness training within your organization and following best practices to protect your company and its data against phishing and other social-engineering attacks. Specific actions include the following:

• Deploy strong endpoint protection to stop malware pre-execution
• Deploy strong email protection to combat against phishing attacks
• Avoid interacting with emails from unknown sources
• Frequently back up device files. If the confidentiality, integrity and/or availability of data is impacted, it is imperative to have clean backups at hand
• Implement security monitoring, such as MCP’s Mission-Critical NetPulse® Secure cybersecurity monitoring solution, to detect signs of malware and intrusion

Related Posts

Cybersecurity Threat Advisory: Microsoft’s Patch Critical RCE Flaws

Security Training: A Key Element of a Strong Cyberrisk Prevention Program

Build a Smart PSAP Cyber Security Strategy: 8 Critical "Must-Haves"