Just recently, the number of hacking attacks on remote connections skyrocketed. The apparent target of those attacks is the remote employees to take over their corporate machines. The coordinated attacks on RDP connections were caused by an augmented version of the ill-famed Trojan, TrickBot.
It would appear that these TrickBot developers have found a new way of lashing out their malicious activities. Cybersecurity researchers unrooted a new phishing campaign that delivers a somewhat stealthy payload referred to as BazarBackdoor, granting hackers the ability to gain full access to corporate networks and IT infrastructures.
Almost 90% of cyber attacks usually start with a phishing email. A wide range of attention-grabbing subjects is used to personalize the emails – from client complaints, coronavirus-themed payroll reports, or worker termination lists. These are typically laced with malicious links that direct users to a certain hosting center where the malware payload is waiting to be set free.
This type of spear-phishing attack suggests that the threat actors have wasted no effort to ensure that the websites sent in the emails appear as legitimate, with as little mistakes as possible, and corresponds to the contents of the subject of the email.
Trickbot BazarBackdoor’s next order in its campaign is to induce the victim to transfer the document.
The websites pretend to be a Word file, Excel sheet, or PDF file that can’t be opened or read correctly by the user’s machine. The user is then obliged to download that laced document to get their machine to scan and open it.
Once the victim clicks the link, an executable file will be downloaded and appear authentic, tricking the user and the machine into its legitimacy. Since Windows doesn’t show file extensions by default, most users will merely see a common word, excel, or PDF document. The downloaded form is a disguised loader for the malware. Once saved on the remote user’s machine, it automatically stays for a few minutes while working behind the background – silently connects on the C&C servers and releases the malware.
BazarBackdoor is a sophisticated, enterprise-grade malware capable of taking over multiple user machines and corporate network infrastructures. Cybersecurity researchers believe that this backdoor worker might have been developed by the same hacker group that created the Trojan TrickBot; each item of malware share parts of identical code, together with delivery and operation methods.
Whether it’s ransomware, industrial takeover, or company information exfiltration, having this sort of access is essential in any spear-phishing attack. BazarBackdoor can be the catalyst for an even more sinister cyber-attack. With this realization, companies must defend themselves security-wise in order to stop threats of this sort from inflicting any damage in the corporate sense.