Bazar backdoor linked to Trickbot banking Trojan campaigns

July 16, 2020
in Internet Security

A new malware family has been linked to the threat actors behind Trickbot, a prolific information-stealing Trojan. 

On Thursday, the Cybereason Nocturnus research team said that since April this year, the backdoor has been used in attacks against targets across the US and Europe. In particular, organizations in the professional, healthcare, IT, manufacturing, logistics, and travel industries are in the spotlight. 

In a blog post, the researchers document how the first variants of the malware appeared in the wild in April, followed by a hiatus of almost two months before a new sample emerged in June with improved code and bug fixes. 

Trickbot is a banking and information-stealing Trojan that has traditionally been used against financial services. The malware has evolved over the years to become a data stealer and botnet facilitator with a modular infrastructure that makes it easier for operators to tweak code and improve its offensive capabilities over time. 

In January, Trickbot operators debuted PowerTrick, a backdoor reserved for high-value targets. Bazar, which combines a loader with a backdoor, is the latest tool weaponized in Trickbot campaigns. 

Phishing campaigns themed around the COVID-19 pandemic, customer complaints, and employee payroll are being used to spread the malware. While most Trickbot campaigns rely on malicious attachments, Bazar is spread via phishing emails sent through the Sendgrid email marketing platform that link to decoy landing pages, hosted in Google Docs, posing as document previews.

To lure victims into downloading the malicious document, the page claims that a preview is not available. 

Once the document has been downloaded and executed, the loader component establishes a foothold on the infected system. The Bazar loader shares code with the standard Trickbot loader, including the same Windows API calls, a custom RC4 implementation, and heavy obfuscation. For persistence, the loader attempts to inject itself into svchost, explorer, or cmd so that it runs "at any cost," according to Cybereason, and it also creates a scheduled task to launch the malware at startup. 
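The two loader behaviours described above, injection into svchost/explorer/cmd and a scheduled task that runs at startup, are both visible in ordinary endpoint telemetry. As an added example that is not part of the original article or of Cybereason's or Fox-IT's work, the script below applies two triage rules to constructed Sysmon-style events (Event ID 1 for process creation, Event ID 8 for CreateRemoteThread); the field names follow Sysmon's, but every path, host and task name in the sample events is invented, and the user-writable directory list is an assumption.

```python
"""Triage helper for two loader behaviours: remote-thread injection into
svchost/explorer/cmd, and a scheduled task that launches a binary at
startup or logon.

Added example, not Cybereason's or Fox-IT's code. The events are constructed
for illustration and loosely follow Sysmon field names (Event ID 1 = process
create, Event ID 8 = CreateRemoteThread); every path, host and task name in
them is invented.
"""
import json
import ntpath
import re

# Processes the article names as the loader's injection targets.
INJECTION_TARGETS = {"svchost.exe", "explorer.exe", "cmd.exe"}

# Images that legitimately create threads in those processes usually live here.
# Anything outside these directories injecting into them is worth a look.
TRUSTED_SOURCE_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# User-writable locations a dropped loader typically runs from (assumption).
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

# schtasks /create ... /sc onstart|onlogon ... /tr "<binary>"
STARTUP_TRIGGER_RE = re.compile(r"/sc\s+(onstart|onlogon)\b", re.IGNORECASE)
TASK_ACTION_RE = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def _norm(path):
    """Lower-case a Windows path; Sysmon reports paths in mixed case."""
    return (path or "").lower()


def flag_remote_thread(ev):
    """Event ID 8: flag a CreateRemoteThread into a named target process
    when the source image is not in a trusted system directory."""
    src = _norm(ev.get("SourceImage"))
    tgt = _norm(ev.get("TargetImage"))
    if ntpath.basename(tgt) not in INJECTION_TARGETS:
        return None
    if src.startswith(TRUSTED_SOURCE_DIRS):
        return None
    return f"CreateRemoteThread into {ntpath.basename(tgt)} from untrusted image {src}"


def flag_startup_task(ev):
    """Event ID 1: flag 'schtasks /create' with a startup/logon trigger whose
    action runs a binary from a user-writable directory."""
    if ntpath.basename(_norm(ev.get("Image"))) != "schtasks.exe":
        return None
    cmd = ev.get("CommandLine", "")
    if "/create" not in cmd.lower() or not STARTUP_TRIGGER_RE.search(cmd):
        return None
    m = TASK_ACTION_RE.search(cmd)
    if not m:
        return None
    action = _norm(m.group(1) or m.group(2))
    if not any(marker in action for marker in USER_WRITABLE_MARKERS):
        return None
    return f"startup task runs binary from user-writable path: {action}"


def triage(jsonl_events):
    """Return (UtcTime, finding) tuples for every event that matches a rule."""
    findings = []
    for line in jsonl_events:
        ev = json.loads(line)
        if ev.get("EventID") == 8:
            hit = flag_remote_thread(ev)
        elif ev.get("EventID") == 1:
            hit = flag_startup_task(ev)
        else:
            hit = None
        if hit:
            findings.append((ev.get("UtcTime"), hit))
    return findings


# Constructed sample telemetry (JSON Lines). The first two events are benign.
SAMPLE_EVENTS = [
    r'{"EventID": 8, "UtcTime": "2020-06-10 09:14:02", "SourceImage": "C:\\Windows\\System32\\services.exe", "TargetImage": "C:\\Windows\\System32\\svchost.exe"}',
    r'{"EventID": 1, "UtcTime": "2020-06-10 09:15:00", "Image": "C:\\Windows\\System32\\schtasks.exe", "CommandLine": "schtasks.exe /create /tn \"Vendor Update\" /sc daily /tr \"C:\\Program Files\\Vendor\\update.exe\""}',
    r'{"EventID": 8, "UtcTime": "2020-06-10 09:20:41", "SourceImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\PreviewReport.exe", "TargetImage": "C:\\Windows\\explorer.exe"}',
    r'{"EventID": 1, "UtcTime": "2020-06-10 09:20:43", "Image": "C:\\Windows\\System32\\schtasks.exe", "CommandLine": "schtasks.exe /create /f /tn \"WindowsUpdateCheck\" /sc onlogon /tr \"C:\\Users\\alice\\AppData\\Roaming\\svchost.exe\""}',
]

if __name__ == "__main__":
    for when, finding in triage(SAMPLE_EVENTS):
        print(when, finding)
```

Only the last two sample events fire: a thread created in explorer.exe from a binary under the user's Temp directory, and a logon-triggered task whose action lives under AppData. The trusted-directory check is deliberately narrow; a loader that has already migrated into a system process will not trip the first rule, which is why the scheduled-task rule is kept separate rather than folded into it.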

The Bazar backdoor is delivered encrypted and decrypted straight into memory, so no plaintext payload is written to disk for antivirus to scan. Three versions in various stages of development have been observed. The backdoor collects and steals system data, establishes a connection to its command-and-control (C2) server, and can perform a variety of functions. 

As noted by Fox-IT researchers, these include generating a unique ID for each infected machine, downloading files and executing them via process hollowing or Process Doppelgänging injection, executing DLLs, terminating processes, and deleting itself. 

Cybereason says the combination of loader and backdoor can be used to download and deploy additional malware payloads, such as ransomware, as well as exfiltrate information for transfer to the attacker’s C2.

The domains used by the Bazar loader and backdoor are blockchain-based: .bazar names registered through EmerDNS, a decentralized DNS system. Because these names are resolved from a blockchain rather than through ICANN-governed registries and registrars, there is no registrar to serve a takedown request on, which Cybereason says has made blockchain DNS domains "a recent trend" among threat actors. 

This is the same tactic used in Trickbot's Anchor campaigns, as documented in December 2019; Anchor and Bazar also share the same .bazar top-level domain for their C2. 
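The defensive consequence of blockchain-based C2 domains, as the two paragraphs above describe them, is that no ICANN-rooted resolver can answer a query for them, so the queries themselves are a clean signal in resolver logs. As an added example that is not part of the original article or of the Cybereason report, the script below flags queries for blockchain-served TLDs in constructed resolver log lines; the whitespace-separated log format (timestamp, client, qname, qtype, rcode) is an assumption, and of the TLDs listed only .bazar is mentioned on this page (the others are the remaining EmerDNS zones plus Namecoin's .bit).

```python
"""Flag DNS queries for zones that only a blockchain resolver (EmerDNS,
Namecoin) can answer, the C2 addressing scheme described above.

Added example, not from the Cybereason report. The resolver log lines are
constructed and the whitespace-separated format
(timestamp client qname qtype rcode) is an assumption; the TLD set lists the
zones EmerDNS and Namecoin serve, of which the article only mentions .bazar.
"""
from collections import defaultdict

# .bazar, .coin, .emc and .lib are EmerDNS zones; .bit is Namecoin's.
BLOCKCHAIN_TLDS = {"bazar", "coin", "emc", "lib", "bit"}


def parse_line(line):
    """Split one resolver log line into a record; qname is normalised."""
    ts, client, qname, qtype, rcode = line.split()
    return {"ts": ts, "client": client, "qname": qname.rstrip(".").lower(),
            "qtype": qtype, "rcode": rcode}


def tld(qname):
    """Rightmost label of a query name."""
    return qname.rsplit(".", 1)[-1]


def flag_queries(lines):
    """Return (client, qname, rcode, severity) for every blockchain-TLD query.

    An ICANN-rooted recursive resolver cannot resolve these zones, so NXDOMAIN
    means a process on the host tried. A NOERROR answer means the query was
    resolved anyway: either the log comes from an alternate-root resolver or
    something other than your resolver answered, which is the worse finding.
    """
    findings = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        rec = parse_line(line)
        if tld(rec["qname"]) not in BLOCKCHAIN_TLDS:
            continue
        severity = "high" if rec["rcode"] == "NOERROR" else "medium"
        findings.append((rec["client"], rec["qname"], rec["rcode"], severity))
    return findings


def clients_by_severity(findings):
    """Group flagged query names per client, keeping the worst severity."""
    rank = {"medium": 1, "high": 2}
    summary = defaultdict(lambda: {"severity": "medium", "qnames": set()})
    for client, qname, _rcode, severity in findings:
        entry = summary[client]
        entry["qnames"].add(qname)
        if rank[severity] > rank[entry["severity"]]:
            entry["severity"] = severity
    return dict(summary)


# Constructed resolver log. Only the rcode separates a host that merely tried
# to reach a blockchain name from one that actually received an answer.
SAMPLE_LOG = """
2020-06-12T08:01:13Z 10.0.4.21 www.example.com A NOERROR
2020-06-12T08:01:15Z 10.0.4.21 update-check.bazar A NXDOMAIN
2020-06-12T08:01:16Z 10.0.4.21 cdn-node.bazar A NXDOMAIN
2020-06-12T08:02:01Z 10.0.4.37 relay.emc A NOERROR
2020-06-12T08:02:30Z 10.0.4.21 mail.example.co.uk A NOERROR
2020-06-12T08:03:00Z 10.0.4.50 emc.example.org A NOERROR
""".strip().splitlines()

if __name__ == "__main__":
    for client, info in sorted(clients_by_severity(flag_queries(SAMPLE_LOG)).items()):
        print(client, info["severity"], sorted(info["qnames"]))
```

The match is on the rightmost label only, so a legitimate host such as emc.example.org is not flagged. The check sees only what passes through the resolver whose log is being read; malware that resolves its .bazar names through DNS over HTTPS to a blockchain-aware gateway never appears here, so this detection is a complement to egress filtering, not a replacement for it.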

“Our research shows that the threat actor took time to re-examine and improve their code, making the malware stealthier,” the team says. “Although this malware is still in development stages, Cybereason estimates that its latest improvements and resurfacing can indicate the rise of a new formidable threat once fully ready for production.”

Credit: ZDNet