In mid-March, the number of brute force attacks on RDP connections skyrocketed. The aim of these attacks was to take advantage of the sudden increase in remote workers and take over their corporate computers. Exploiting the current COVID-19 pandemic in this way is just one of the many techniques that cybercriminals have for gaining access to companies’ IT systems.

BazarBackdoor: The TrickBot operators’ new malware

Something that made the brute-force attacks on RDP connections easier was a new module of the notorious Trojan, TrickBot. It now seems that the TrickBot developers have a new tactic. Cybersecurity researchers have discovered a new phishing campaign that delivers a stealthy backdoor called BazarBackdoor, which can be used to compromise and gain full access to corporate networks.

As is the case with 91% of cyberattacks, this one starts with a phishing email. A range of subjects are used to personalize the emails: Customer complaints, coronavirus-themed payroll reports, or employee termination lists. All these emails contain links to documents hosted on Google Docs. To send the malicious emails, the cybercriminals use the marketing platform Sendgrid.

This campaign uses spear phishing, which means that the perpetrators have made an effort to ensure that the websites linked in the emails look legitimate and match the emails' subjects.

Malicious documents

The next step in the BazarBackdoor campaign is to get the victim to download the document. The websites pretend to be a Word, Excel, or PDF document that cannot be displayed correctly, and the user is prompted to download the file in order to read it.

When the victim clicks on the link, an executable will be downloaded that uses an icon and a name associated with the kind of document that appears on the website. For example, “COVID-19 ACH Payroll Report” will download a document called PreviewReport.DOC.exe. Since Windows does not show file extensions by default, most users will simply see PreviewReport.DOC and will open the file, believing it to be a legitimate document.
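As an added illustration of the double-extension trick described above (example code, not part of the original article), this Python check flags attachment or download names whose real extension is executable while the part Windows displays by default looks like a document. The extension lists and every sample filename other than PreviewReport.DOC.exe are constructed for the example.

```python
# Windows hides the *last* extension of known file types by default, so
# "PreviewReport.DOC.exe" is shown to the user as "PreviewReport.DOC".
# Extension lists are constructed for this example, not taken from the article.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "msi"}
DOCUMENT_EXTS = {"doc", "docx", "xls", "xlsx", "pdf", "ppt", "pptx", "rtf", "txt"}


def displayed_name(filename: str) -> str:
    """Return the name as default Explorer shows it: final extension hidden."""
    base, _, _ = filename.rpartition(".")
    return base or filename  # no dot at all: nothing is hidden


def is_disguised_executable(filename: str) -> bool:
    """True when the real (last) extension is executable but the extension the
    user sees (the second to last) is a document type. Whitespace padding
    between the two extensions is stripped so it cannot defeat the check."""
    parts = [p.strip() for p in filename.lower().split(".")]
    if len(parts) < 3:
        return False
    real_ext, shown_ext = parts[-1], parts[-2]
    return real_ext in EXECUTABLE_EXTS and shown_ext in DOCUMENT_EXTS


def triage(filenames):
    """Return (real name, name the victim sees) for each disguised executable."""
    return [(name, displayed_name(name)) for name in filenames
            if is_disguised_executable(name)]


# Constructed sample of downloaded/attached filenames; only the first is from
# the article.
SAMPLE_FILES = [
    "PreviewReport.DOC.exe",
    "Q2_payroll.xlsx",
    "invoice.pdf.scr",
    "notes.txt",
    "setup.exe",
    "archive.tar.gz",
]

if __name__ == "__main__":
    for real, shown in triage(SAMPLE_FILES):
        print(f"ALERT: '{real}' is an executable displayed as '{shown}'")
```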

The executable disguised as a document is the loader for BazarBackdoor. When the user runs it, the loader stays dormant for a short time before connecting to a C&C server to download BazarBackdoor.

Similarities between BazarBackdoor and TrickBot

BazarBackdoor is enterprise-grade malware. Cybersecurity researchers believe that this backdoor is highly likely to have been developed by the same group that developed the Trojan TrickBot; both pieces of malware share parts of the same code, along with delivery and operation methods.

The dangers of backdoors

In any advanced attack, be it ransomware, industrial espionage, or corporate data exfiltration, having this kind of access is essential. If a cybercriminal manages to install BazarBackdoor on a company’s IT system, it could pose a serious danger, and, given the volume of emails being sent out with this backdoor, this is a widespread threat.

Don’t let BazarBackdoor threaten your company

As we’ve seen, BazarBackdoor can be the point of entry for a wide range of cybercrime techniques. Because of this, it is vital that companies protect themselves to prevent threats of this kind from causing any damage.

The first step in protecting against many of the leading cyberthreats is to monitor the emails that you receive. In this step, employees play an essential role: They have to be aware of the importance of not opening suspicious emails, not clicking on links in those emails, and, above all, not downloading attachments from unknown senders. In the case of BazarBackdoor, employees should be cautious of emails coming from sendgrid.net.

Another essential measure is the use of advanced cybersecurity solutions. In order to control all suspicious activity, it is vital to be able to monitor all system activity. Panda Adaptive Defense monitors everything that is happening on all endpoints on the system and stops any suspicious activity. What’s more, if an unknown process tries to run, it is stopped, analyzed, and allowed to run only if it is classified as legitimate.

In these uncertain times, the effects of a threat as serious as BazarBackdoor can multiply and wreak havoc in an organization. Protect yourself against this malware and any other advanced cyberthreat with Panda Adaptive Defense.