Cybercriminals are spreading the BazarBackdoor trojan via Sendgrid. The malware is sent through a phishing campaign by the TrickBot authors using different lures
A new trojan is in the wild: it is dubbed BazarBackdoor and it is spread via a phishing campaign run by the TrickBot cybercrime authors. Cyber security researchers believe the malware is delivered through various lures in emails sent to employees via the Sendgrid marketing platform. The messages pose as COVID-19-themed payroll reports, customer complaints, or employee termination lists supposedly hosted in Google Docs. According to Bleeping Computer, these emails contain links to landing pages where the recipient can view the associated report. The landing pages are styled to match the theme so that they look more convincing. They also pretend to have trouble displaying the report and prompt the user to click a link, which downloads an executable bearing the same icon as the report advertised on the landing page: BazaLoader, the first stage of the attack.
Moreover, after a period of time, the trojan has been seen downloading and installing Cobalt Strike onto the infected computer.
According to the cyber security experts, BazaLoader resolves the C2 servers' IP addresses through the Emercoin DNS resolution service for the .bazar top-level domain, which is where the malware gets its name. Once the hostnames are resolved, it makes two connections. The first is a 'check-in' that returns a 404 error. The second request downloads the BazarBackdoor payload and injects it into the svchost.exe process. Moreover, after a period of time, the trojan has been seen downloading and installing Cobalt Strike onto the infected computer. From there, the attackers spread laterally, steal files, and possibly deploy ransomware.
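As an added defensive illustration (not code from the article or from any vendor), the following Python sketch flags the two network signals the chain above exposes: a DNS query for a .bazar name, which public resolvers do not serve, and a 404 'check-in' followed by a sizeable download from the same host. The log formats, host names and size threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Emercoin (EmerDNS) zones; .bazar is the one the article describes. Public
# resolvers do not serve these zones, so any query for them deserves a look.
BLOCKCHAIN_TLDS = {"bazar", "coin", "emc", "lib"}

# Assumed (constructed) log formats: "<ts> <client> query <type> <name>" and
# "<ts> <client> <method> <url> <status> <bytes>".
DNS_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qtype>\S+) (?P<name>\S+)$")
HTTP_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) "
                     r"https?://(?P<host>[^/\s]+)\S* (?P<status>\d{3}) (?P<bytes>\d+)$")

def blockchain_tld_queries(dns_lines):
    """Return (client, name) for every query whose TLD is a blockchain zone."""
    hits = []
    for line in dns_lines:
        m = DNS_RE.match(line.strip())
        if m and m["name"].rstrip(".").rsplit(".", 1)[-1].lower() in BLOCKCHAIN_TLDS:
            hits.append((m["client"], m["name"]))
    return hits

def checkin_then_download(http_lines, min_bytes=100_000):
    """Flag (client, host) pairs where a 404 'check-in' is later followed by a
    200 response from the same host big enough to be a payload (time-ordered input)."""
    by_pair = defaultdict(list)
    for line in http_lines:
        m = HTTP_RE.match(line.strip())
        if m:
            by_pair[(m["client"], m["host"].lower())].append((int(m["status"]), int(m["bytes"])))
    flagged = []
    for pair, events in by_pair.items():
        seen_404 = False
        for status, size in events:
            if status == 404:
                seen_404 = True
            elif seen_404 and status == 200 and size >= min_bytes:
                flagged.append(pair)
                break  # one alert per client/host pair
    return flagged

# Constructed sample telemetry; the .bazar host is a placeholder, not a real IoC.
SAMPLE_DNS = [
    "2020-04-27T10:01:02Z ws01 query A www.example.com",
    "2020-04-27T10:01:05Z ws01 query A constructed-c2.bazar",
]
SAMPLE_HTTP = [
    "2020-04-27T10:01:06Z ws01 GET http://constructed-c2.bazar/ 404 0",
    "2020-04-27T10:01:09Z ws01 GET http://constructed-c2.bazar/dl 200 812345",
    "2020-04-27T10:02:30Z ws02 GET http://www.example.com/missing 404 0",
    "2020-04-27T10:02:31Z ws02 GET http://www.example.com/index.html 200 4096",
]
```

The size threshold keeps an ordinary 404-then-page sequence (ws02 above) from alerting; lowering it shows how noisy the HTTP signal is on its own, which is why it is best correlated with the DNS one.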