Trickbot resurgence with fileless BazarBackdoor

    • Updated: 18 Feb 2021
    • Product/Version:
        • Apex One 2019
        • Deep Discovery Email Inspector All
        • Deep Discovery Inspector All
        • Deep Security 12.0
        • OfficeScan XG
        • ScanMail for Exchange 14.0
        • Worry-Free Business Security Standard 10.0
    • Platform:
Summary

Trickbot was first discovered in August 2016 as a banking trojan that infected computers to steal email passwords and address books and then spread malicious emails from the compromised email accounts. It has since developed new capabilities and techniques to trick users into executing its disguised file, and has incorporated new modules in each campaign.

The group behind Trickbot is believed to have developed a new backdoor module called BazarBackdoor, based on analysis of spam origin, method of operation, and code overlap. Both use the same crypter and email chains as previous Trickbot campaigns, as well as the Emercoin DNS resolution service for C&C server communication. The disguised file here is BazarBackdoor, named after its .bazar C&C DNS domains. This is lightweight malware designed to evade detection. Once executed, it connects to its C&C server and downloads its backdoor payload into memory. The backdoor's goal is to execute binaries, scripts, and modules, kill processes, and remove itself from the compromised machine.

As of February 2021, researchers report that TrickBot's stealthy BazarBackdoor malware has been rewritten in the Nim programming language to evade detection by security software.

Behaviour

  • Arrives via phishing mail with a link (customer complaint, COVID-19 payroll report, employee termination list)
  • Connects to C&C domains of the form {word}game.bazar
  • Performs a fileless operation: downloads the latest backdoor version and loads it into memory
  • The backdoor downloads and executes the Cobalt Strike penetration testing and post-exploitation toolkit on the compromised machine
  • Remains undetected by the user and gains persistence by creating a Scheduled Task, a Run registry value, or a Startup entry
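The C&C naming scheme above ({word}game.bazar) gives defenders a cheap network-side detection: the .bazar zone is served by the Emercoin DNS service rather than the public DNS root, so any lookup for such a name passing through a corporate resolver is worth an alert. The script below is an added example written for this article, not Trend Micro code; it runs a classifier over a constructed DNS query log (the log format, hosts, and names are assumptions for the example) and ranks clients by whether they hit the exact {word}game.bazar pattern or merely some other .bazar name.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample DNS query log for this example (not taken from the
# advisory). Assumed format, one query per line:
#   "<timestamp> <client_ip> <query_name> <record_type>"
SAMPLE_DNS_LOG = """\
2021-02-18T10:01:02Z 10.0.0.15 www.example.com A
2021-02-18T10:01:09Z 10.0.0.15 forgame.bazar A
2021-02-18T10:02:11Z 10.0.0.22 updates.example.net A
2021-02-18T10:02:30Z 10.0.0.15 bestgame.bazar A
2021-02-18T10:03:01Z 10.0.0.31 game.bazar A
2021-02-18T10:03:05Z 10.0.0.22 newgame.bazar. AAAA
2021-02-18T10:03:40Z 10.0.0.22 mygame.bazaar.example.org A
"""

# The advisory describes the C&C naming scheme as {word}game.bazar: a single
# label ending in "game" directly under the Emercoin-served .bazar zone.
BAZAR_GAME_RE = re.compile(r"^[a-z0-9-]+game\.bazar\.?$")
# Any name under .bazar is worth flagging, because that zone is not in the
# public DNS root and should never be queried through a corporate resolver.
BAZAR_TLD_RE = re.compile(r"(^|\.)bazar\.?$")

REASONS = ("bazar_game_pattern", "bazar_tld")


@dataclass
class Finding:
    timestamp: str
    client: str
    qname: str
    reason: str


def classify_qname(qname: str) -> Optional[str]:
    """Return the match reason for a query name, or None if it looks benign."""
    name = qname.strip().lower()
    if BAZAR_GAME_RE.match(name):
        return "bazar_game_pattern"
    if BAZAR_TLD_RE.search(name):
        return "bazar_tld"
    return None


def parse_line(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Split one log line into its four fields; malformed lines yield None."""
    parts = line.split()
    if len(parts) != 4:
        return None
    return parts[0], parts[1], parts[2], parts[3]


def scan_dns_log(text: str) -> List[Finding]:
    """Run every query name in the log through classify_qname."""
    findings: List[Finding] = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        timestamp, client, qname, _rtype = parsed
        reason = classify_qname(qname)
        if reason is not None:
            findings.append(Finding(timestamp, client, qname, reason))
    return findings


def summarize_by_client(findings: List[Finding]) -> Dict[str, Dict[str, int]]:
    """Count findings per client so hosts hitting the C&C pattern stand out."""
    summary: Dict[str, Dict[str, int]] = {}
    for f in findings:
        counts = summary.setdefault(f.client, {r: 0 for r in REASONS})
        counts[f.reason] += 1
    return summary


if __name__ == "__main__":
    hits = scan_dns_log(SAMPLE_DNS_LOG)
    for f in hits:
        print(f"{f.timestamp} {f.client} {f.qname} -> {f.reason}")
    for client, counts in summarize_by_client(hits).items():
        print(client, counts)
```

A trailing dot (fully qualified name) and mixed case are normalised before matching, and a look-alike such as mygame.bazaar.example.org is deliberately not flagged. In production the same two rules map directly onto a resolver log query or a DNS firewall policy; the bare .bazar rule catches future C&C names that drop the "game" suffix.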

Capabilities

  • Information theft
  • Stealth and fileless operation
  • Backdoor commands
  • Network compromise via Cobalt Strike

Impact

  • Compromises system security: backdoor capabilities can execute malicious commands
  • Violates user privacy: gathers user credentials and steals user information

Additional Threat Reference Information

Infection Chain

Sample Spam (Customer Complaint Spam)

MITRE ATT&CK Matrix

Behavior | Tactic | Technique
Arrives as a customer complaint, employee termination list, or COVID-19-themed payroll report spam mail | Initial Access | T1193 Spearphishing Attachment
Tricks the user into opening an executable file disguised as a PDF or Word document | Execution | T1204 User Execution
Process Doppelganging into svchost.exe | Defense Evasion | T1186 Process Doppelganging
Creates a scheduled task for the loader | Persistence, Privilege Escalation | T1053 Scheduled Task
Creates an autorun value in the registry or a Startup shortcut | Persistence | T1060 Registry Run Keys / Startup Folder
Potential to control the compromised machine or send gathered information to the attacker's C&C server | Exfiltration | T1041 Exfiltration Over Command and Control Channel

Available Solutions

Solution Module | Solution Available | Pattern Branch | Release Date | Detection/Policy/Rules
Email Protection | Yes | AS Pattern 5398 | May 5, 2020 | -
URL Protection | Yes | In the Cloud | - | -
Advanced Threat Scan Engine (ATSE) | Yes | 15.841.00 | April 28, 2020 | -
Predictive Learning (TrendX) | Yes | In the Cloud | - | Troj.Win32.TRX.XXPE50FFF035
File detection (VSAPI) | Yes | ENT OPR 15.841.00 | April 28, 2020 | Trojan.Win32.TRICKBOT.TIGOCBAINS, Trojan.Win64.TRICKBOT.CFI, Trojan.Win64.TRICKBOT.CFJ, Trojan.Win64.TRICKBOT.CFK, Trojan.Win64.TRICKBOT.CFL, Trojan.Win64.TRICKBOT.CFM, TrojanSpy.Win32.TRICKBOT.THAOFBO
File detection (VSAPI) | Yes | Smart Scan 16.520.00 | February 5, 2021 | Trojan.Win64.BAZALOADER.FAIO (NIM-compiled BazarBackdoor)
Network Pattern | Yes | NCIP 1.13425.00, NCCP 1.12857.00 | August 29, 2018 | Trickbot DDI rule 2413
Behavioral Monitoring (AEGIS) | - | - | - | -
Rating:
Category: Remove a Malware / Virus
Solution Id: 000283377