The TrickBot botnet is being used in a new phishing campaign that distributes the Buer loader and the Bazar backdoor. Researchers at Area 1 Security identified the campaign, which has been running since early October.
The Bazar backdoor gives the attackers persistent access to victims' systems, while the Buer loader is used to install additional malicious payloads. Buer has previously been used to deliver ransomware such as Ryuk and tools such as Cobalt Strike.
Area 1 Security researchers found two email lures in this campaign. The first is a bogus notice of termination of employment; the other is a fake customer complaint. The termination message appears to come from a person in authority at the targeted organization's head office and tells the recipient that they have been dismissed. Further details about the end of the contract and the payout are said to be in a document that appears to be hosted on Google Docs.
Clicking the hyperlink takes the user to a Google Docs decoy page, which instructs them to click a second link if they are not redirected automatically. That link sends them to a web address where a file download begins, and the user is shown a security warning asking whether they want to keep the file. Running the file launches a PE32+ executable on Windows and starts a chain of activity that installs the Buer loader or the Bazar backdoor. The campaign may also use Constant Contact links.
Hosting malicious files on cloud services is now a common technique for evading security tools that scan email attachments for malicious code. Because the hyperlinks point to legitimate cloud services, many security solutions will not flag them as malicious and will deliver the messages to recipients' inboxes. If URL-scanning tools do flag the links, the attackers can simply switch to another URL.
Last October Microsoft announced a takedown operation in which it took control of infrastructure used by the TrickBot gang. That large operation disrupted the botnet infrastructure only briefly. Microsoft itself said the takedown was probably not permanent, since the TrickBot operators would likely rebuild on different infrastructure.
Area 1 Security analysts observed the campaign resuming two days after the botnet takedown, and the TrickBot group is now using sinkhole-resistant EmerDNS TLDs, which makes further takedown attempts considerably harder.
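Because EmerDNS names are resolved through the Emercoin blockchain rather than ICANN's root zone, a query for one of those TLDs appearing in an organization's DNS logs is itself a useful signal: ordinary hosts have no reason to look them up. The following is an added detection example, not code from Area 1 Security or from the article; the TLD set (`.coin`, `.emc`, `.lib`, `.bazar`) is taken from Emercoin's published EmerDNS zones and should be treated as a list to maintain, and the log format and log lines are constructed for the example.

```python
"""Flag DNS queries for EmerDNS (blockchain-resolved) TLDs in a query log."""
import re

# TLDs served by Emercoin's EmerDNS rather than the ICANN root zone.
# Assumption: this is the set Emercoin documents; keep it under review.
EMERDNS_TLDS = frozenset({"coin", "emc", "lib", "bazar"})

# Constructed log format: "<timestamp> <client-ip> query <qtype> <qname>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$"
)


def tld_of(qname):
    """Return the lower-cased final label, ignoring a trailing root dot."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-1] if labels else ""


def is_emerdns_query(qname):
    """True only when the rightmost label is an EmerDNS TLD.

    A name such as bazar.example.com is not flagged: the word appears as
    a label, but the query is still answered by the ordinary DNS tree.
    """
    return tld_of(qname) in EMERDNS_TLDS


def flag_emerdns_queries(log_lines):
    """Parse each log line and collect queries for EmerDNS TLDs."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        if is_emerdns_query(m["qname"]):
            hits.append(
                {
                    "ts": m["ts"],
                    "client": m["client"],
                    "qname": m["qname"].rstrip(".").lower(),
                }
            )
    return hits


# Constructed sample log: two EmerDNS look-ups among ordinary traffic.
SAMPLE_LOG = [
    "2020-10-20T10:01:02Z 10.0.0.5 query A docs.google.com.",
    "2020-10-20T10:01:03Z 10.0.0.5 query A Update.BAZAR.",
    "2020-10-20T10:01:04Z 10.0.0.7 query AAAA bazar.example.com",
    "2020-10-20T10:01:05Z 10.0.0.9 query A cdn.example.lib",
    "2020-10-20T10:01:06Z 10.0.0.9 query TXT _dmarc.example.org",
]

if __name__ == "__main__":
    for hit in flag_emerdns_queries(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} EmerDNS query: {hit['qname']}")
```

The check is deliberately on the final label only, so a legitimate name that happens to contain one of these words as a subdomain is not reported. Note that malware which resolves EmerDNS names through its own resolver or over DNS-over-HTTPS will not produce these queries at the corporate resolver, so this rule complements, rather than replaces, egress monitoring for unexpected resolvers.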