Roman Marshanski & Vitali Kremez write:
BazarBackdoor is the newer preferred stealthy covert malware leveraged for high-value targets part of the TrickBot group toolkit arsenal. It consists of two components: a loader and a backdoor. [1]
Loaders are an essential part of any cybercrime campaign. They start the infection chain by distributing the payload. In essence, they deploy and execute the backdoor from the command-and-control (C2) layer and plant it on the victim’s machine. But the reality is far more complicated than that. After all, loaders and backdoors must be able to evade detection by various security mechanisms. And that is where the malware developers’ focus on malware stealthiness comes into play.
Just like professional penetration testers, the crime group behind the BazarBackdoor employs legitimate penetration software kit Cobalt Strike for post exploitation for enumerating and harvesting credentials for network hosts and active directory, uploading third-party software like Lasagne and BloodHound as well pivoting inside the network domain executing Ryuk ransomware.
Read more on AdvIntel.
The authors also include a list of revoked certificates used by BazarLoader. If you sometimes ignore warnings about revoked certificates and continue on to sites, think about what you could be exposing yourself to. At least, be aware to avoid these revoked certificates:
-
VITA-DE d.o.o.
-
VB CORPORATE PTY. LTD.
-
VAS CO PTY LTD
-
THE FLOWER FACTORY S.R.L.
-
SLIM DOG GROUP SP Z O O
-
BlueMarble GmbH
-
PLAN CORP PTY LTD
-
PEKARNA TINA d.o.o.
-
PAMMA DE d.o.o.
-
LIT-DAN UKIS UAB
-
James LTH d.o.o.
-
FLORAL
-
D Bacte Ltd
-
Company Megacom SP Z O O
-
Cebola Limited.
And of course, there’s a lot more detail and helpful information in the full article.