Phishing Campaign Utilizes Job Termination as Lure to Deliver Bazar and Buer Malware

The TrickBot botnet is being used to run a new phishing campaign that distributes the Buer loader and the Bazar backdoor malware. Researchers at Area 1 Security identified the campaign, which has been running since early October.

The Bazar backdoor is used to gain persistent access to victims' systems. The Buer loader is used to install additional malicious payloads. Previously, Buer has been used to download ransomware payloads such as Ryuk and tools such as Cobalt Strike.

Area 1 Security researchers found two email lures in this campaign. The first is a bogus announcement about a job termination. The other is a phony customer complaint. The job termination message appears to come from a person of authority at the head office of the targeted organization and states that the recipient has been dismissed. Additional details on the end of the contract and the payout are said to be in a document that appears to be hosted on Google Docs.

When the hyperlink is clicked, the user is redirected to a Google Docs decoy page and told to click another link if they are not taken to the document. That link redirects them to a web address from which a file download is started. The user is shown a security warning asking whether they want to download the file. Accepting it launches a PE32+ executable on Windows systems and triggers a chain of actions that installs the Buer loader or the Bazar backdoor. The campaign may also use Constant Contact hyperlinks.

Hosting malicious files on cloud services is now common. It is a technique used to evade security tools that scan email attachments for malicious code. Because the cloud services are legitimate, many security products will not flag the hyperlink as malicious and will deliver the messages to recipients' inboxes. If URL-scanning security tools do flag the links in the messages as malicious, the attackers can simply switch to a different URL.

Last October Microsoft announced a takedown operation in which it took control of infrastructure used by the TrickBot gang. That large operation disrupted the botnet infrastructure only briefly. Microsoft itself said the takedown was likely to be temporary, as the TrickBot operators would probably rebuild their operation on different infrastructure.

Area 1 Security analysts observed that the campaign resumed two days after the botnet takedown, and the TrickBot group is now using sinkhole-resistant EmerDNS TLDs, which makes further takedown attempts much harder.
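As an added example (not part of the article or of Area 1 Security's research), the following Python script takes the defender's side of the EmerDNS point above: it scans resolver query logs for lookups of EmerDNS top-level zones, which are not delegated by ICANN and so should never appear in an organization's normal DNS traffic. The log line format is a hypothetical one constructed for the example, and the list of EmerDNS zones is an assumption drawn from general knowledge of that naming system, not from the article.

```python
import re
from typing import Dict, List

# Assumption (not from the article): the top-level zones served by EmerDNS,
# the blockchain-based naming system the TrickBot group is reported to use.
# A standard recursive resolver cannot answer these, so a query for one from
# an internal host is anomalous and worth investigating.
EMERDNS_TLDS = {"bazar", "coin", "emc", "lib"}

# Constructed sample log in a hypothetical resolver format:
# "<timestamp> client <ip> query <qname> <qtype>"
SAMPLE_LOG = """\
2020-10-14T09:12:03Z client 10.0.3.17 query docs.google.com A
2020-10-14T09:12:04Z client 10.0.3.17 query update-service.bazar A
2020-10-14T09:12:05Z client 10.0.3.42 query mail.example.org MX
2020-10-14T09:12:06Z client 10.0.3.17 query cdn-node.coin. A
"""

LOG_RE = re.compile(r"^(\S+) client (\S+) query (\S+) (\S+)$")


def tld_of(qname: str) -> str:
    """Return the lowercase last label of a query name, ignoring a trailing dot."""
    return qname.rstrip(".").rsplit(".", 1)[-1].lower()


def flag_emerdns_queries(log_text: str) -> List[Dict[str, str]]:
    """Return one record per query whose top-level label is an EmerDNS zone."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a query record; skip rather than fail
        ts, client, qname, qtype = m.groups()
        if tld_of(qname) in EMERDNS_TLDS:
            hits.append({"time": ts, "client": client, "qname": qname, "qtype": qtype})
    return hits


def clients_to_investigate(log_text: str) -> Dict[str, int]:
    """Count flagged queries per source host so triage starts with the noisiest."""
    counts: Dict[str, int] = {}
    for hit in flag_emerdns_queries(log_text):
        counts[hit["client"]] = counts.get(hit["client"], 0) + 1
    return counts


if __name__ == "__main__":
    for hit in flag_emerdns_queries(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} -> {hit['qname']} ({hit['qtype']})")
    print(clients_to_investigate(SAMPLE_LOG))
```

Because these zones cannot resolve through an ICANN-rooted resolver, a hit usually means the host is using an alternative resolution path, so the flagged client, not the query itself, is the thing to triage.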

About the Author

Elizabeth Hernandez
Elizabeth Hernandez is the editor of HIPAA News. Elizabeth is an experienced journalist who has worked in the healthcare sector for several years. Her expertise is not limited to general healthcare reporting but extends to specialized areas of healthcare compliance and HIPAA compliance. Elizabeth's knowledge in these areas has made her a reliable source for information on the complexities of healthcare regulations. Elizabeth's contribution to the field extends to helping readers understand the importance of patient privacy and secure handling of health information. Elizabeth holds a postgraduate degree in journalism. You can follow Elizabeth on Twitter at https://twitter.com/ElizabethHzone