
Threat Alert: New TrickBot Variants

Threat Overview

Threat Type: Malware
Target Industries: Professional services, healthcare, manufacturing, IT, logistics & travel
Attack Goal: Collect data & deploy malware
Impacted Geo: US & EU

What's Happening?

Since April 2020, the Cybereason Nocturnus Team has been investigating the emergence of the Bazar malware, a loader and backdoor used to collect data about the infected machine and to deploy additional malware.

The researchers are now observing multiple TrickBot gang attack operations featuring new variants of the Bazar loader, used for reconnaissance activity and for deploying a Cobalt Strike payload (IOCs here).

In research released in July 2020, the researchers showed how the Bazar malware is sent via phishing emails that take advantage of the ongoing coronavirus pandemic, employee payroll reports, and customer complaints.

The Bazar malware appears to have strong ties to Trickbot campaigns resembling those seen in the Trickbot-Anchor collaboration from December 2019.


KEY OBSERVATIONS & TTPS
  • A New Malware Family: The Cybereason Nocturnus team is tracking a new Bazar loader and backdoor that first emerged in April 2020 and has evolved continuously since. Bazar can be used to deploy additional malware, ransomware, and ultimately steal sensitive data from organizations.
  • With Loader and Backdoor Capabilities: Bazar leverages the Twilio SendGrid email platform and signed loader files to evade traditional security software in conjunction with a fileless backdoor to establish persistence.
  • Evasive, Obfuscated Fileless Malware: This stealthy loader evades detection by abusing the trust of certificate authorities, much like previous Trickbot loaders. This loader, however, uses EmerDNS (.bazar) domains for command and control and is heavily obfuscated. It also uses anti-analysis techniques to thwart automated and manual analysis, and loads the encrypted backdoor solely in memory.
  • A Comeback After Two Months: After a two-month hiatus, a new variant emerged in mid-June that improved on its stealth capabilities. This is similar to the modus operandi of other cybercriminal organizations in general and Trickbot in particular.
  • Trickbot Ties: The loader exhibits behaviors that tie it to previous Trickbot campaigns. Though several differences exist between the Anchor and Bazar malware, including how the clientID is generated, they share the same top-level Bazar domain for C2. Unlike Trickbot and Anchor, the Bazar loader and backdoor decouple campaign and bot information in bot callbacks. Given these ties and how quickly Bazar is evolving, this may signal the attackers' next generation of malware attacks.
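The use of EmerDNS (.bazar) domains for command and control gives defenders a simple hunting signal: those names do not exist in the public DNS root, so any lookup for them in resolver logs is worth investigating. The following is an added example (not code from the original alert or from Cybereason) that parses BIND-style query log lines and flags lookups to EmerDNS TLDs; the log format, the source IPs and the query names are constructed for illustration, and the list of EmerDNS TLDs beyond .bazar (.coin, .emc, .lib) is my own assumption about that resolver's namespace.

```python
import re
from collections import Counter

# EmerDNS top-level domains. The alert names .bazar; the other three are
# the remaining TLDs served by the EmerDNS blockchain resolver (assumption).
EMERDNS_TLDS = {"bazar", "coin", "emc", "lib"}

# Constructed sample lines in a BIND-style "client ... query:" shape.
SAMPLE_LOG = """\
Jul 14 10:01:02 ns1 named[1234]: client 10.0.3.17#51322: query: www.example.com IN A +
Jul 14 10:01:05 ns1 named[1234]: client 10.0.3.17#51330: query: forum.bazar IN A +
Jul 14 10:01:09 ns1 named[1234]: client 10.0.3.42#40011: query: updates.microsoft.com IN A +
Jul 14 10:01:11 ns1 named[1234]: client 10.0.3.17#51341: query: tallcarrot.bazar IN A +
Jul 14 10:01:15 ns1 named[1234]: client 10.0.3.99#60001: query: mail.example.net IN MX +
"""

QUERY_RE = re.compile(
    r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query(line):
    """Extract (source IP, normalised query name, query type) from one log line."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    qname = m.group("qname").rstrip(".").lower()  # drop trailing dot, normalise case
    return m.group("src"), qname, m.group("qtype")


def is_emerdns_name(qname):
    """True when the right-most label is an EmerDNS TLD (e.g. anything.bazar)."""
    return qname.rsplit(".", 1)[-1] in EMERDNS_TLDS


def find_emerdns_queries(log_text):
    """Return (src_ip, qname) for every query that targets an EmerDNS TLD."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_query(line)
        if parsed and is_emerdns_name(parsed[1]):
            hits.append((parsed[0], parsed[1]))
    return hits


def hosts_by_hit_count(log_text):
    """Count flagged lookups per source host, to prioritise which endpoint to triage."""
    return Counter(src for src, _ in find_emerdns_queries(log_text))


if __name__ == "__main__":
    for src, count in hosts_by_hit_count(SAMPLE_LOG).most_common():
        print(f"{src}: {count} EmerDNS lookup(s)")
```

A host that resolves .bazar names through a resolver that cannot serve them will typically receive NXDOMAIN, so correlating these hits with direct outbound DNS to non-corporate resolvers is a useful second step.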

Remediation Steps


Consider social engineering awareness and training, which are key in preventing such attacks.


Periodically and proactively hunt in your environment for potential attacks on sensitive assets.

Prevented & Detected by the Cybereason Defense Platform

CYBEREASON CUSTOMERS

We highly recommend that every customer enable the following features:

  • The Cybereason Defense Platform was able to detect the preliminary stages of the attack, analyze the infection chain, and prevent its execution.
  • If you do not have Cybereason NGAV activated, consider doing so to protect against threats like these.
  • For Cybereason MDR customers, the Cybereason team will monitor and triage as well as assist in the mitigation of potential infections.
