A new “enterprise-grade” backdoor, which shares code with the TrickBot banking trojan, is being used to gain unauthorized access to and compromise corporate networks.
According to the researchers, the malware, tracked as BazarBackdoor, is a stealthy backdoor that was distributed via spear-phishing campaigns luring victims with topics such as customer complaints, coronavirus-related payroll reports and employee termination lists.
The emails, sent through the SendGrid marketing platform, contain links to Word, Excel and PDF documents hosted on Google Docs. The landing page tells the victim that the document cannot be previewed properly and offers a downloadable copy; downloading that copy starts the infection.
The phishing campaign and backdoor were first identified by researchers at Panda Security. In a company blog post they reported that clicking the link downloads an executable whose icon and name match the kind of document shown on the page. Because Windows Explorer hides extensions for known file types by default, most users will see only PreviewReport.DOC and will open the file, believing it to be a legitimate document.
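The hidden-extension trick above is easy to check for programmatically. The following Python script is an added example, not code from the article or from Panda Security: it flags files whose displayed name impersonates a document, either because a document extension is followed by an executable one (the article implies a name such as PreviewReport.DOC.exe, where the trailing .exe is the assumed hidden part) or because the file carries a PE header despite a non-executable extension. The sample files it creates are constructed stand-ins containing only header bytes, not real malware.

```python
"""Flag files whose displayed name impersonates a document.

Windows Explorer hides the final extension of known file types, so a file
named PreviewReport.DOC.exe is displayed as PreviewReport.DOC. This check
looks at both the full filename and the file header, so a renamed
executable is caught even when the name alone looks harmless.
"""
import os
import tempfile

# Outer extensions Windows treats as executable when double-clicked.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".msi"}
# Inner extensions a lure wants the victim to see.
DOCUMENT_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".ppt", ".pptx", ".rtf"}
# Extensions under which a PE image is legitimately expected.
PE_EXTS = {".exe", ".dll", ".sys", ".scr", ".com", ".ocx", ".cpl"}


def displayed_name(filename: str) -> str:
    """Name as Explorer shows it with 'Hide extensions for known file types' on."""
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def has_deceptive_double_extension(filename: str) -> bool:
    """True for names like PreviewReport.DOC.exe: document ext followed by executable ext."""
    stem, outer = os.path.splitext(filename)
    inner = os.path.splitext(stem)[1]
    return outer.lower() in EXECUTABLE_EXTS and inner.lower() in DOCUMENT_EXTS


def is_pe_image(path: str) -> bool:
    """Check the DOS header magic ('MZ') that every Windows PE file starts with."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"


def classify(path: str) -> list:
    """Return the reasons a file looks like a document-impersonating executable."""
    name = os.path.basename(path)
    outer = os.path.splitext(name)[1].lower()
    reasons = []
    if has_deceptive_double_extension(name):
        reasons.append(f"shown as '{displayed_name(name)}' but runs as {outer}")
    if is_pe_image(path) and outer not in PE_EXTS:
        reasons.append(f"PE header behind a {outer or 'missing'} extension")
    return reasons


def scan_directory(dirpath: str) -> dict:
    """Map each suspicious filename in dirpath to its list of reasons."""
    findings = {}
    for name in sorted(os.listdir(dirpath)):
        path = os.path.join(dirpath, name)
        if os.path.isfile(path):
            reasons = classify(path)
            if reasons:
                findings[name] = reasons
    return findings


def build_sample_dir() -> str:
    """Create a temp directory of constructed sample files (header bytes only, not malware)."""
    d = tempfile.mkdtemp(prefix="bazar_demo_")
    samples = {
        "PreviewReport.DOC.exe": b"MZ" + b"\x90" * 62,   # lure name, PE header
        "Complaint.pdf": b"MZ" + b"\x90" * 62,           # PE renamed to .pdf
        "Payroll.xlsx": b"PK\x03\x04" + b"\x00" * 60,    # genuine OOXML (zip) header
        "setup.exe": b"MZ" + b"\x90" * 62,               # honest executable
    }
    for name, content in samples.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(content)
    return d


if __name__ == "__main__":
    for name, reasons in scan_directory(build_sample_dir()).items():
        print(name, "->", "; ".join(reasons))
```

Run against a downloads folder, the scan reports both forms of masquerade while leaving a genuine spreadsheet and an honestly named executable alone. The header check matters because the double-extension test alone misses an executable that has simply been renamed to .pdf.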
The executable is a loader that secretly connects to a command-and-control server to download the main payload.
Panda Security believes that the operators of TrickBot are behind BazarBackdoor due to the similarity in the code.
The Palo Alto Networks researchers reported that TrickBot’s operators upgraded its “mworm” module to a new version called “nworm.”
This module was used to propagate from an infected Windows client to a vulnerable Domain Controller (DC). nworm leaves no artifacts on the infected DC: it runs from system memory only and disappears after a reboot or shutdown, without maintaining persistence.