Bazar Backdoor: TrickBot gang’s new network-hacking malware

CONTEXT:

Over the years, phishing campaigns have always been a threat to cybersecurity. Recently, researchers have found a new phishing campaign that is delivering a new private backdoor. It is observed that the malicious backdoor has been developed by the developers of TrickBot. A malicious backdoor of this kind is used to compromise corporate systems and gain complete administrative access to them. These advanced network attacks include enterprise-targeting ransomware, corporate reconnaissance, or data exfiltration attacks. It installs quietly on the system and compromises the whole environment. The new phishing attack was discovered over the past two weeks. A new malware named ‘BazarBackdoor’, referred to internally by the malware developers simply as “backdoor”, is being installed to give the attackers a foothold from which they can spread across the network and compromise further systems.

How does the Backdoor attack begin?

The attack starts with a phishing mail that uses a variety of lures, including customer complaints, COVID-19 themed payroll reports, medical reports, salary reports, etc. The malicious mail contains links to documents hosted on Google Docs. The mail is crafted to manipulate and convince you into downloading a file with the backdoor hidden inside it.
When sending the phishing emails, the intruders use the Sendgrid email marketing platform. Unlike common phishing attacks, this campaign puts a lot of thought into its creatives by matching its landing pages to the lures, or themes, of the emails.
Besides, almost every landing page pretends to be a Word document, Excel spreadsheet, or PDF that cannot be viewed correctly and urges the user to click on a link to view the document properly.
When the link is clicked, an executable file is downloaded to the computer. The downloaded malware file uses an icon and name matching the icon shown on the landing page.
For example, the “COVID-19 patient Tracking report” theme will download PreviewReport.DOC.exe, while the “Customer Complaint” theme will download Preview.PDF.exe.

Executable backdoor

As Windows does not display file extensions by default, most users will see “Preview.PDF” or “PreviewReport.DOC” and open them thinking they are legitimate Word and PDF documents.
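The hidden-extension trick above can be checked for mechanically. The following Python script is an added example, not code from the article: it reproduces what Explorer shows with “Hide extensions for known file types” enabled and flags downloads whose displayed name still ends in a document extension while the real extension is executable. The sample filenames, the set of executable extensions and the set of document extensions are constructed for the example.

```python
"""
Flag downloaded files whose names exploit Windows' hidden-extension default,
e.g. "Preview.PDF.exe", which the user sees as "Preview.PDF".
Added example, not code from the article; sample filenames are constructed.
"""
import os

# Assumption: a short, common subset of extensions Windows runs as programs
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta"}
# Assumption: document extensions a lure would want the victim to "see"
DOCUMENT_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".ppt", ".pptx", ".txt"}


def displayed_name(filename: str) -> str:
    """Name as shown by Explorer when the last extension is hidden."""
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def is_deceptive_double_extension(filename: str) -> bool:
    """True when the real extension is executable but the visible name
    still ends in a document extension (the lure relies on exactly this)."""
    _, real_ext = os.path.splitext(filename)
    if real_ext.lower() not in EXECUTABLE_EXTS:
        return False
    _, shown_ext = os.path.splitext(displayed_name(filename))
    return shown_ext.lower() in DOCUMENT_EXTS


def triage(filenames):
    """Map each suspicious filename to what the user would have seen."""
    return {f: displayed_name(f) for f in filenames if is_deceptive_double_extension(f)}


# Constructed sample: the two names from the article plus benign controls
SAMPLE_DOWNLOADS = [
    "PreviewReport.DOC.exe",   # shown as PreviewReport.DOC
    "Preview.PDF.exe",         # shown as Preview.PDF
    "Quarterly Report.pdf",    # genuine document, not flagged
    "setup.exe",               # executable, but honestly named, not flagged
    "notes.txt.bat",           # same trick with a batch file
]

if __name__ == "__main__":
    for real, shown in triage(SAMPLE_DOWNLOADS).items():
        print(f"SUSPICIOUS: user sees '{shown}' but the file is '{real}'")
```

The same check belongs in a mail gateway or download-folder monitor; the simplest user-side mitigation is to turn off extension hiding so “Preview.PDF.exe” is displayed in full.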

Attachments with the backdoor:

According to security researcher James, the executable file is a launcher for the backdoor which connects to various DNS control servers. It is named “BazaLoader”.
The downloaded executable connects to the command-and-control servers to check in and download the backdoor payload. Once launched, the backdoor is configured to harvest credentials and establish a remote shell.
The backdoor “BazarLoader” uses the Emercoin DNS resolution service. This service resolves hostnames that use the ‘Bazar’ domain. The ‘Bazar’ domain can only be resolved by Emercoin’s DNS servers, and as that service is decentralized, it is difficult, if not impossible, for law enforcement to seize the hostnames.
The domain names used for the control servers are:
  • forgame.bazar
  • bestgame.bazar
  • thegame.bazar
  • newgame.bazar
  • portgame.bazar
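Because ‘.bazar’ is not a public DNS top-level domain, any lookup for it on a corporate resolver is anomalous on its own, and the five hostnames above can be matched exactly. The Python hunt below is an added example, not code from the article or from any vendor tool: it parses constructed resolver log lines in an assumed “timestamp client qname qtype” format, flags the listed control-server names and any other ‘.bazar’ query, and reports which clients made them.

```python
"""
Hunt DNS resolver logs for lookups of the Emercoin-only '.bazar' domain.
Added example, not from the article. The log format and the sample lines
are constructed; the hostnames are the ones listed in the article.
"""
import re

# Control-server hostnames named in the article
KNOWN_BAZAR_HOSTS = {
    "forgame.bazar", "bestgame.bazar", "thegame.bazar",
    "newgame.bazar", "portgame.bazar",
}

# Assumed log layout: "<ISO timestamp> <client ip> <qname> <qtype>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+?)\.?\s+(?P<qtype>[A-Z]+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, None otherwise (trailing dot dropped)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["qname"] = rec["qname"].lower()
    return rec


def classify(qname):
    """'known-bazar-c2' for a listed name, 'bazar-tld' for any other .bazar
    query, None for everything else."""
    if qname in KNOWN_BAZAR_HOSTS:
        return "known-bazar-c2"
    if qname == "bazar" or qname.endswith(".bazar"):
        return "bazar-tld"
    return None


def hunt(lines):
    """Return (client, qname, verdict) for every suspicious query, in log order."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = classify(rec["qname"])
        if verdict:
            hits.append((rec["client"], rec["qname"], verdict))
    return hits


def affected_clients(lines):
    """Sorted list of distinct clients that issued a flagged query."""
    return sorted({client for client, _, _ in hunt(lines)})


# Constructed sample log: two benign lookups, three .bazar lookups, one junk line
SAMPLE_LOG = """\
2020-04-20T09:00:01Z 10.1.2.3 www.example.com A
2020-04-20T09:00:05Z 10.1.2.3 forgame.bazar A
2020-04-20T09:00:09Z 10.1.2.7 update.bazar. A
2020-04-20T09:00:12Z 10.1.2.3 mail.example.com MX
2020-04-20T09:00:30Z 10.1.2.9 THEGAME.BAZAR A
not a log line
""".splitlines()

if __name__ == "__main__":
    for client, qname, verdict in hunt(SAMPLE_LOG):
        print(f"{verdict:15} {client:10} {qname}")
    print("clients to triage:", affected_clients(SAMPLE_LOG))
```

One caveat: the article says the loader resolves these names through Emercoin’s DNS, so the lookups may never reach the corporate resolver. Pair this hunt with a rule that flags DNS traffic to any resolver other than the organisation’s own.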
Once the payload is downloaded, it is configured to be injected into the C:\Windows\system32\svchost.exe process. Security researcher Vitali Kremez, who has published a technical report, states that this is done using the Process Hollowing and Process Doppelgänging techniques.
Since Windows users have grown accustomed to seeing many svchost.exe processes in Task Manager, one more svchost process is unlikely to raise suspicion for most users.
A scheduled task is also created that is configured to launch the loader when a user logs into the system, which allows new versions of the backdoor to be routinely downloaded and injected into the svchost.exe process.


How to mitigate such attacks?

Prevention must be the top priority. Phishing emails are crafted very convincingly, which leads recipients to believe the fraudulent content.
Just imagine the current COVID-19 scenario, in which people’s salaries are being reduced by 40-60%. One day you receive an email regarding the reduction of your own salary. The email contains a .DOC file which is said to list the revised salary. Naturally, you will be tempted to open the file, and by then your system may already have been compromised.
Therefore, it is very important to verify the source of the email.
Apart from this, follow the steps below to prevent such attacks:
  • Update your system to its latest version.
  • Disable JavaScript in your browser.
  • Install a WAF (web application firewall).
  • Update your antivirus databases.
  • The backdoor uploads user data to the malicious server, so keep an eye on your daily data usage.


Prashant Singh (https://www.hackthebow.com)
Prashant is a student of Computer Science and Engineering at NIT Allahabad. He is also a web pentester and cybersecurity analyst. He may be an introvert and sociable person at the same time. He loves meeting new people and he is in a journey to explore himself. Currently working as a content writer at BLARROW.TECH.
