
BazarBackdoor malware: What it is, how it works and how to prevent it | Malware spotlight

June 17, 2020 by Daniel Dimov

Introduction to BazarBackdoor

BazarBackdoor is a new malware with the ability to install various types of malicious programs on infected computers. It is believed to have been created by the developers of the TrickBot Trojan, a banking Trojan that infects Windows machines, because BazarBackdoor shares code and other similarities with TrickBot.


The operation of BazarBackdoor

BazarBackdoor spreads itself through phishing messages purporting to be from legitimate senders. For example, the messages may include COVID-19-related payroll reports and lists of terminated employees. The potential victim needs to click on a link to documents that appear to be stored on Google Docs. After clicking on that link, he or she will be redirected to customized landing pages appearing to be PDF, Word or Excel documents.

The landing pages ask the potential victim to click on a link to view the attachments. After clicking on the link, an executable file will be downloaded that relates to the name of the file appearing on the landing page. For instance, a landing page regarding COVID-19 reports will trigger the download of the file “PreviewReport.Doc.exe”. Since extensions of files stored on Windows computers are usually not displayed by default, most Windows users will see the stored file as “PreviewReport.Doc” instead of “PreviewReport.Doc.exe”. The executable file, also known as BazaLoader, is a loader of a backdoor.
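The double-extension disguise described above can be checked for on a mail gateway or in a download folder. The following is an added example, not code from the original article; the extension lists, the function names and every sample file name other than “PreviewReport.Doc.exe” are assumptions constructed for illustration.

```python
import ntpath  # Windows path rules, usable on any platform

# Assumed, non-exhaustive lists; tune them to your environment.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
DOCUMENT_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".ppt", ".pptx", ".txt"}


def split_name(path):
    """Return (stem, real_extension) of the last path component."""
    name = ntpath.basename(path)  # accepts both "\\" and "/" separators
    stem, ext = ntpath.splitext(name)
    return stem, ext.lower()


def explorer_display_name(path):
    """Name as the user sees it when extensions of known types are hidden."""
    stem, ext = split_name(path)
    if ext in EXECUTABLE_EXTS or ext in DOCUMENT_EXTS:
        return stem
    return ntpath.basename(path)


def is_disguised(path):
    """True when an executable's visible name ends in a document extension."""
    stem, ext = split_name(path)
    decoy = ntpath.splitext(stem)[1].lower()
    return ext in EXECUTABLE_EXTS and decoy in DOCUMENT_EXTS


def scan(paths):
    """Return (path, displayed name) for every disguised executable."""
    return [(p, explorer_display_name(p)) for p in paths if is_disguised(p)]


# Constructed sample input; only the first file name comes from the article.
SAMPLES = [
    r"C:\Users\alice\Downloads\PreviewReport.Doc.exe",
    "payroll.xlsx.SCR",   # constructed: mixed-case executable extension
    "setup.exe",          # ordinary installer, no decoy extension
    "report.v2.docx",     # real document with an extra dot in its name
    "archive.tar.gz",     # legitimate double extension, not executable
]

if __name__ == "__main__":
    for path, shown in scan(SAMPLES):
        print(f"ALERT: {path!r} is displayed as {shown!r}")
```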

If the victim opens BazaLoader, it will be installed on the infected computer and remain inactive for a short time. Next, it will connect to a command-and-control server in order to download a backdoor. When the backdoor is installed, it will download and launch Cobalt Strike, a legitimate information security application. Fraudsters often use cracked versions of Cobalt Strike to spread throughout a network, deploy malware and steal credentials.

Defending against BazarBackdoor

BazarBackdoor infections can be avoided by using a multi-layered approach including, but not limited to, the following five measures: enhancing the information security awareness of staff members; making it difficult for attackers to send phishing messages to staff members; establishing procedures for reporting suspicious messages; installing anti-malware; and implementing comprehensive incident-response policies. 

Each of those five measures will be examined in more detail below.

1. Enhancing the information security awareness of staff members

Like other malware spreading through phishing, BazarBackdoor relies on the lack of information security skills of the employees or contractors working at the targeted organization. 

Malware creators use various techniques to create phishing messages that look authentic and trustworthy. BazarBackdoor is no exception, and the phishing emails used for spreading it are likely to mislead many internet users. For example, one of the phishing messages used by BazarBackdoor reads as follows:

Good morning

This is corporate lawyer from Bleeping Computer. I tried to reach you in office, but you are not available. When i can call you again? We will debit your account because of company customer complaint on you.

Here is a copy of Customer Complaint in Corporate Google Documents:

[Link apparently linking to a file uploaded on Google Docs]

By raising the information security awareness of their staff, organizations will ensure that phishing messages like this can be easily identified and disregarded. This can be done by, for instance, providing staff members with a set of criteria indicating that a message is likely to be a phishing message. Three example criteria are:

  1. The message includes spelling and grammar mistakes
  2. The message includes a threat that pressures the recipient to open an attachment or click on a link
  3. The message contains an impersonal greeting (e.g., “Dear Sir or Madam”, “Hello”) without referring to a particular person

The aforementioned phishing message meets each of those criteria. First, it includes numerous spelling and grammar mistakes. Second, it threatens that the recipient’s account will be charged, thus incentivizing him or her to click on the link in order to find out whether the complaint is legitimate. Third, it contains an impersonal greeting, which indicates that the phishing message was likely sent to other people at the same time.

2. Making it difficult for attackers to send phishing messages to staff members

For a phishing attack to work, fraudsters need to find the contact details (usually email addresses) of the targeted organization. Many organizations make the email addresses of all their officers publicly available, thus facilitating phishing campaigns. It is recommended to only make one email address publicly available for the organization and appoint an information security officer who will scrutinize the correspondence sent to that email address in order to detect phishing messages.

3. Establishing procedures for reporting suspicious messages

Even if an organization takes comprehensive measures to prevent phishing messages from reaching its staff, such messages may still get through its defenses, for example when attackers use spearphishing techniques. The recipients of such messages may have real doubts as to their authenticity.

By establishing procedures for reporting suspicious messages, organizations will ensure that staff members doubting the authenticity of a message will be able to report it to the information security department and open it only if that department consents to this.

4. Installing anti-malware software

Two types of anti-malware software can be used to protect against BazarBackdoor. The first type is anti-phishing software: software that aims to identify phishing content and block it, usually by showing a warning to the user. The second type is general anti-malware software, which aims to identify and neutralize suspicious processes such as malware operations triggered by clicking on malicious attachments.

5. Implementing comprehensive incident-response policies

“To err is human,” people say. The same saying applies even today in the field of information security. Despite the best preventive measures, organizations may still become infected by BazarBackdoor and other malware. 

Therefore, organizations need to establish detailed incident-response policies aiming to provide guidelines on (i) how to respond to cyber incidents, (ii) how to mitigate the damages from such incidents and (iii) how to recover the normal functioning of the infected computers after the incidents.

Conclusion

BazarBackdoor should not be underestimated. It has the ability to completely take over a computer network, steal sensitive data and install all types of malware on the infected computers. The successful prevention of BazarBackdoor infections requires the implementation of a plethora of technical and organizational measures.

 

Daniel Dimov

Dr. Daniel Dimov is the founder of Dimov Internet Law Consulting (www.dimov.pro), a legal consultancy based in Belgium. Daniel is a fellow of the Internet Corporation for Assigned Names and Numbers (ICANN) and the Internet Society (ISOC). He did traineeships with the European Commission (Brussels), European Digital Rights (Brussels), and the Institute for EU and International law “T.M.C. Asser Institute” (The Hague). Daniel received a Ph.D. in law from the Center for Law in the Information Society at Leiden University, the Netherlands. He has a Master's Degree in European law (The Netherlands), a Master's Degree in Bulgarian Law (Bulgaria), and a certificate in Public International Law from The Hague Academy of International law.