BazarBackdoor malware: What it is, how it works and how to prevent it | Malware spotlight

Introduction to BazarBackdoor

BazarBackdoor is a new malware with the ability to install various types of malicious programs on the infected computers. It is believed to be created by the developers of the TrickBot Trojan, a banking Trojan infecting Windows machines. This is because BazarBackdoor exhibits code and other similarities with TrickBot Trojan.

The operation of BazarBackdoor

BazarBackdoor spreads itself through phishing messages purporting to be from legitimate senders. For example, the messages may include COVID-19-related payroll reports and lists of terminated employees. The potential victim needs to click on a link to documents that appear to be stored on Google Docs. After clicking on that link, he or she will be redirected to customized landing pages appearing to be PDF, Word or Excel documents.

The landing pages ask the potential victim to click on a link to view the attachments. After clicking on the link, an executable file will be downloaded that relates to the name of the file appearing on the landing page. For instance, a landing page regarding COVID-19 reports will trigger the download of the file “PreviewReport.Doc.exe”. Since extensions of files stored on Windows computers are usually not displayed by default, most Windows users will see the stored file as “PreviewReport.Doc” instead of “PreviewReport.Doc.exe”. The executable file, also known as BazaLoader, is a loader of a backdoor.

If the victim opens BazaLoader, it will be installed on the infected computer and remain inactive for a short time. Next, it will connect to a command-and-control server with the aim to download a backdoor. When the backdoor is installed, it will download and launch Cobalt Strike, a legitimate information security application. Fraudsters often use cracked versions of Cobalt Strike to spread throughout a network, deploy malware and steal credentials.

Defending against (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Daniel Dimov. Read the original post at: