The TrickBot botnet is being used to conduct a new phishing campaign that delivers the Buer loader and Bazar backdoor malware. Researchers at Area 1 Security detected the campaign that has been operating since early October.
The Bazar backdoor is used to obtain persistent access to victims' networks, while the Buer loader is used to deliver further malicious payloads. In the past, Buer has delivered ransomware payloads such as Ryuk and tools such as Cobalt Strike.
Area 1 Security researchers identified two email lures in this phishing campaign. The first is a bogus notice of employment termination; the second is a phony customer complaint. The termination email appears to come from a person with authority at the head office of the targeted firm and states that the recipient has been dismissed. Further details on the dismissal and severance payout are said to be in a document that appears to be hosted on Google Docs.
If the URL is visited, the user is taken to a decoy Google Docs preview page and told to click another link if they are not redirected. That link leads to a page where a file download starts. The user is then shown a security prompt asking whether to open the file. Doing so runs a PE32+ executable on Windows systems and triggers a chain of events that downloads either the Buer loader or the Bazar backdoor. The campaign also uses Constant Contact URLs.
Hosting malicious documents on cloud services is now common. It is a strategy used to evade security tools that scan attached files for malicious code. Because the links point to reputable cloud services, some security products do not flag them as malicious and deliver the emails to users' inboxes. If URL-scanning security products do identify the links as malicious, the attackers can simply switch to other URLs.
Last month Microsoft announced a takedown operation in which it seized control of infrastructure used by the TrickBot operators. That operation was only temporarily effective at disrupting the botnet's infrastructure. Microsoft itself noted that the takedown would probably be short-lived, as the TrickBot operators would likely rebuild their operation on other infrastructure.
Area 1 Security researchers noted that this phishing campaign resumed two days after the botnet takedown and that the TrickBot operators are now using sinkhole-resistant EmerDNS TLDs, making further takedown attempts more difficult.
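Because EmerDNS names are resolved from the Emercoin blockchain rather than the ICANN root, a corporate resolver will normally answer NXDOMAIN, so the lookup attempt itself is the detection signal. The following is an added example, not code from Area 1 Security or this article, that scans BIND-style query-log lines (constructed samples, hypothetical hosts) for lookups under EmerDNS TLDs; the TLD list is the set EmerDNS serves, which the article does not enumerate.

```python
import re
from typing import List, Dict

# TLDs served by EmerDNS (Emercoin blockchain DNS). These names live on the
# blockchain rather than in the ICANN root zone, so they cannot be seized or
# sinkholed through a registrar, which is why they resist takedown attempts.
EMERDNS_TLDS = {"bazar", "coin", "emc", "lib"}

# Constructed sample lines in a BIND-style query-log format (hypothetical hosts and names).
SAMPLE_DNS_LOG = """\
01-Nov-2020 10:02:11.101 client 10.0.5.21#51234: query: docs.google.com IN A + (10.0.0.2)
01-Nov-2020 10:02:14.882 client 10.0.5.21#51240: query: update-check.bazar IN A + (10.0.0.2)
01-Nov-2020 10:03:02.009 client 10.0.5.33#49877: query: mail.example.com IN MX + (10.0.0.2)
01-Nov-2020 10:03:40.557 client 10.0.5.21#51251: query: cdn-static.coin IN A + (10.0.0.2)
"""

# Extracts the client address, the queried name and the record type from one log line.
QUERY_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+)"
)


def is_emerdns_name(name: str) -> bool:
    """True if the last label of a fully qualified name is an EmerDNS TLD."""
    labels = name.rstrip(".").lower().split(".")
    return len(labels) > 1 and labels[-1] in EMERDNS_TLDS


def find_emerdns_queries(log_text: str) -> List[Dict[str, str]]:
    """Return one record per query-log line whose name falls under an EmerDNS TLD."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and is_emerdns_name(m.group("name")):
            hits.append(
                {"client": m.group("client"), "name": m.group("name"), "type": m.group("type")}
            )
    return hits


if __name__ == "__main__":
    for hit in find_emerdns_queries(SAMPLE_DNS_LOG):
        print(f"ALERT EmerDNS lookup from {hit['client']}: {hit['name']} ({hit['type']})")
```

Hosts that repeatedly query these TLDs are worth isolating and triaging, since a legitimate workstation has no reason to resolve blockchain DNS names.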