BazarBackdoor: new entry point into corporate systems

In mid-March, the number of attacks such as brute-forcing of RDP connections increased sharply. The purpose of these attacks was to take advantage of the sudden growth in the number of remote workers and to gain control over their corporate computers.

Information security researchers have discovered a new phishing campaign distributing a stealthy backdoor called BazarBackdoor (new malware from the operators of TrickBot), which can be used to compromise and gain full access to corporate networks.

As in 91% of cyber attacks, this attack starts with a phishing email. The emails are personalized with various themes: customer complaints, coronavirus-related compensation reports, or lists of laid-off employees. All of these emails contain links to documents hosted on Google Docs. To send the malicious emails, the criminals use the Sendgrid marketing platform. The campaign uses so-called spear phishing, meaning the criminals made every effort to ensure that the websites linked in the emails appeared legitimate and matched the subject of the email.

Malicious documents

The next step in the BazarBackdoor campaign is to get the victim to download the document. These fake websites claim to have problems displaying the Word, Excel or PDF file, so users are encouraged to download the document in order to view it locally on their computer.

When the victim clicks the link, an executable file is downloaded whose icon and name match the document type shown on the website. For example, the link “Report on wages during COVID-19” downloads a file named PreviewReport.doc.exe. Since Windows hides file extensions by default, most users will only see PreviewReport.doc and open the file, assuming it is a legitimate document.

Hidden backdoor

The executable disguised as a document is the loader for BazarBackdoor. When the user runs it, the loader stays dormant for a short time before connecting to an external command-and-control (C2) server to download BazarBackdoor.

To obtain the address of the C2 server, BazarLoader uses the decentralized Emercoin DNS service to resolve various host names under the “.bazar” domain. The “.bazar” domain can only be resolved by Emercoin DNS servers, and because the system is decentralized, it is difficult (if not impossible) for law enforcement agencies to trace the hosts behind it.

The hostnames used for server management:

  • forgame.bazar
  • bestgame.bazar
  • thegame.bazar
  • newgame.bazar
  • portgame.bazar

Once the IP address of the C2 server has been obtained, the loader first connects to the C2 and performs a check-in. According to the experts who tested this backdoor, this request always returns HTTP status code 404.

The second request to the C2, however, returns an XOR-encrypted payload, which is the BazarBackdoor malware itself.

After the payload is downloaded, it is injected filelessly into the process C:\Windows\system32\svchost.exe. Security researcher Vitali Kremez, who published a technical report, told BleepingComputer that this is done using the Process Hollowing and Process Doppelgänging techniques.

Since Windows users are accustomed to seeing svchost.exe processes running in Task Manager, one more svchost.exe process is unlikely to raise suspicion among most users.

A scheduled task is also created to run the loader whenever the user logs on to Windows, which allows the attackers to regularly download new versions of the backdoor and inject them into the svchost.exe process.
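The tradecraft described above (a document-looking double extension, a “.bazar” lookup that no ordinary resolver serves, and a svchost.exe started by something other than services.exe) gives a defender three cheap triage checks. The script below is an added example, not code from the article or from any vendor; the extension sets, the parent-process rule and the sample telemetry are my own assumptions, and the events are constructed, not real logs.

```python
import ntpath

# Assumed lists: document extensions that Windows may hide a payload behind,
# and extensions Windows will actually execute.
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf"}
EXEC_EXTS = {".exe", ".scr", ".com", ".bat", ".js"}

def is_masquerading_document(filename: str) -> bool:
    """True for names like PreviewReport.doc.exe (executable behind a doc extension)."""
    parts = ntpath.basename(filename).lower().split(".")
    if len(parts) < 3:
        return False
    return "." + parts[-1] in EXEC_EXTS and "." + parts[-2] in DOC_EXTS

def is_bazar_lookup(hostname: str) -> bool:
    """EmerDNS .bazar names should never appear in ordinary DNS query logs."""
    return hostname.lower().rstrip(".").endswith(".bazar")

def is_suspicious_svchost(proc: dict) -> bool:
    """svchost.exe normally runs from System32 with services.exe as its parent;
    a hollowed copy spawned by a user-run loader breaks that rule (assumed rule)."""
    if ntpath.basename(proc["image"]).lower() != "svchost.exe":
        return False
    good_path = proc["image"].lower() == r"c:\windows\system32\svchost.exe"
    good_parent = ntpath.basename(proc["parent"]).lower() == "services.exe"
    return not (good_path and good_parent)

def triage(events: list) -> list:
    """Return one finding string per event that trips a check."""
    findings = []
    for ev in events:
        if ev["type"] == "file" and is_masquerading_document(ev["name"]):
            findings.append(f"double-extension executable: {ev['name']}")
        elif ev["type"] == "dns" and is_bazar_lookup(ev["query"]):
            findings.append(f"EmerDNS .bazar lookup: {ev['query']}")
        elif ev["type"] == "process" and is_suspicious_svchost(ev):
            findings.append(f"svchost.exe with unexpected parent: {ev['parent']}")
    return findings

# Constructed sample telemetry for demonstration (not real logs).
SAMPLE_EVENTS = [
    {"type": "file", "name": r"C:\Users\a\Downloads\PreviewReport.doc.exe"},
    {"type": "file", "name": r"C:\Users\a\Downloads\Report.docx"},
    {"type": "dns", "query": "bestgame.bazar"},
    {"type": "dns", "query": "docs.google.com"},
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Users\a\Downloads\PreviewReport.doc.exe"},
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe"},
]
```

Running `triage(SAMPLE_EVENTS)` yields three findings (the masquerading file, the .bazar lookup and the loader-spawned svchost.exe) and ignores the three benign events.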

Later, security researchers Kremez and James reported that the malware downloads and executes the Cobalt Strike penetration-testing tool on the victim’s computer, together with further tools for post-exploitation of the machine.

Cobalt Strike is a legitimate information security application, marketed as an “adversary simulation platform” and designed to perform network security assessments against simulated advanced threats in which an attacker tries to maintain a foothold in the network.

Often, however, attackers use cracked versions of Cobalt Strike as part of their toolkit when spreading across networks, stealing credentials and deploying malware.

With Cobalt Strike being deployed, it is clear that this stealthy backdoor is being used to gain a foothold in the corporate network, from which the attackers can encrypt or steal data, or sell network access to other cyber criminals.

The similarity between BazarBackdoor and TrickBot

BazarBackdoor is enterprise-grade malware. Information security researchers believe this backdoor was most likely designed by the same team that developed the TrickBot Trojan: both malicious programs share parts of their code as well as the same delivery methods and principles.

The danger of backdoors

In any sophisticated attack, whether it is extortion, industrial espionage, or theft of corporate data, having this kind of access is extremely important. If a cyber criminal manages to install BazarBackdoor in a company’s IT systems, this poses a serious risk, and given the volume of emails sent to distribute this backdoor, it is a widespread threat.

As we have seen, BazarBackdoor can be the entry point for a wide range of criminal tools and techniques. It is therefore imperative that enterprises are properly protected to prevent potential damage from such threats.
