Phishing Campaign Tied to Trickbot GangArea 1 Security: Emails Deliver Bazar Backdoor and Buer Loader
Researchers at Area 1 Security say a recently uncovered phishing campaign using a message saying that the recipient has been fired from their job is attempting to plant two malware strains - Bazar and Buer - using the Trickbot botnet.
The Bazar backdoor helps attackers maintain a persistent presence. The Buer loader can deliver other malicious code, such as ransomware, to victims' devices and networks, according to the report. The loader has previously been used to deliver Ryuk ransomware to victims, according to the security firm Sophos (see: Ryuk Ransomware Delivered Using Malware-as-a-Service Tool).
These phishing emails, which first appeared in October, have continued despite Microsoft, the U.S. government and others taking the extraordinary step of disrupting Trickbot's infrastructure last month (see: Microsoft Continues Trickbot Crackdown).
After Microsoft announced the Trickbot "takedown" in October, other security researchers, such as CrowdStrike, warned that the malware's operators would likely regroup and rebuild the botnet's infrastructure. The Area 1 report notes long-term disruptions of these types of malware operations are difficult.
"Area 1 Security continued to see the Trickbot phishing for several weeks after Microsoft's takedown operations, which ended on Oct. 18. This phishing campaign resumed on Oct. 20 - so only two days after Microsoft ended their takedown operations," Juliette Cash, Area 1 Security's principal threat researcher, tells Information Security Media Group.
Also in late October, the FBI and the U.S. Cybersecurity and Infrastructure Security Agency warned about a recent series of attacks, aimed at U.S. hospitals, that attempted to infect networks with Ryuk ransomware. The agencies noted the campaign had ties to Trickbot (see: US Hospitals Warned of Fresh Wave of Ransomware Attacks).
The phishing campaign that Area 1 uncovered starts with a message sent to a victim informing them that they have been fired from their job due to budget cuts stemming from the COVID-19 pandemic, according to the report.
"The phishing messages are very simple in their demand, and appear to originate from persons of authority within the targeted company," according to Area 1.
The emails contain a link that opens either a Google Doc or a Constant Contact file that is supposed to contain a list of other employees who have been terminated, according to the report. When opened, these decoy documents display another link that tells the victim: "If download does not start, click here."
The second link is a malicious executable that will download either the Bazar backdoor, the Buer loader or both, according to the report. The researchers also found that the malware attempted to decrypt another payload, which turned out to be Trickbot.
Once the backdoor is downloaded and successfully run, that attacker can remotely execute commands, exfiltrate sensitive data and deploy other payloads, according to the report. "These additional payloads range anywhere from post-exploitation frameworks like CobaltStrike to ransomware like Ryuk."
This phishing campaign, which started in October, is similar to another Trickbot-related campaign that security firm Zscaler uncovered, which started in early September.
"What's interesting is that this [September] campaign also used the Buer loader, which is the first time we have seen these two malware strains used together," the Zscaler researcher wrote at that time. "Use of the Buer loader by the TrickBot gang comes as no surprise as this group is known to work with different malware groups. In the past, the TrickBot gang has also worked with other botnets, such as Emotet."