June 2, 2020 By David Bisson 2 min read

Security researchers observed the Trickbot operators using a new backdoor called “BazarBackdoor” to gain full access to targeted networks.

Panda Security explained that Trickbot’s attempts to deliver BazarBackdoor began with a spear phishing campaign. That operation’s attack emails leveraged employee termination notices, customer complaints and other themes to trick recipients into clicking on a link for a file hosted on Google Docs. The links redirected victims to a website that informed the recipient that they needed to download the file directly in order to view it correctly.

When downloaded, the documents ran hidden executable code to call a loader. This asset remained quiet for a time before connecting with a command-and-control (C&C) server for the purpose of downloading BazarBackdoor. This malware shared parts of the same code along with delivery and operation methods employed by Trickbot, similarities that led Panda Security to speculate that the same actors were responsible for developing both threats.

Trickbot’s Activity Involving Other Backdoors

BazarBackdoor didn’t mark the first time that Trickbot has leveraged a backdoor in its attack efforts. Back in April 2019, Cybereason detected an attack campaign in which Emotet loaded Trickbot as a means to deploy Ryuk ransomware. In that attack, Trickbot used its reverse shell module, “dll.dll,” to perform reconnaissance so that it could eventually launch the Empire backdoor. In January 2020, Sentinel Labs observed Trickbot using “PowerTrick,” a backdoor that helped the malware conduct reconnaissance of and remain persistent on the networks of targeted financial institutions.

Defend Against BazarBackdoor

Security professionals can help defend their organizations against phishing attacks carrying BazarBackdoor by making sure that there’s an incident response (IR) plan in place that provides guidance on how to remediate a successful phishing attack. Having a plan is not enough; teams should also regularly test this strategy to ensure the plan works ahead of an attack. Additionally, infosec personnel should leverage ongoing phishing simulations to strengthen their employees’ defenses against email attacks.

More from

Exploring the 2024 Worldwide Managed Detection and Response Vendor Assessment

3 min read - Research firm IDC recently released its 2024 Worldwide Managed Detection and Response Vendor Assessment, which both highlights leaders in the market and examines the evolution of MDR as a critical component of IT security infrastructure. Here are the key takeaways. The current state of MDR According to the assessment, “the MDR market has evolved extensively over the past couple of years. This should be seen as a positive movement as MDR providers have had to evolve to meet the growing…

Regulatory harmonization in OT-critical infrastructure faces hurdles

3 min read - In an effort to enhance cyber resilience across critical infrastructure, the Office of the National Cyber Director (ONCD) has recently released a summary of feedback from its 2023 Cybersecurity Regulatory Harmonization Request for Information (RFI). The responses reveal major concerns from critical infrastructure industries related to operational technology (OT), such as energy, transport and manufacturing. Their worries include the current fragmented regulatory landscape and difficulty adapting to new cyber regulations. The frustration appears to be unanimous. Meanwhile, the magnitude of…

Generative AI security requires a solid framework

4 min read - How many companies intentionally refuse to use AI to get their work done faster and more efficiently? Probably none: the advantages of AI are too great to deny.The benefits AI models offer to organizations are undeniable, especially for optimizing critical operations and outputs. However, generative AI also comes with risk. According to the IBM Institute for Business Value, 96% of executives say adopting generative AI makes a security breach likely in their organization within the next three years.CISA Director Jen…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today