A new phishing campaign is attempting to lure victims into downloading the latest version of a malware trojan – and it has links to one of the most prolific cyber-criminal operations active in the world today.
The Bazar trojan first emerged last year and a successful deployment of the trojan malware can provide cyber criminals with a backdoor into compromised Windows systems, allowing them to control the device and gain additional access to the network in order to collect sensitive information or deliver malware, including ransomware.
The backdoor has been used in attacks targeting industries including healthcare, technology, manufacturing and logistics across North America and Europe. Researchers have linked it to the developers of Trickbot, one of the most common forms of malware for criminal hackers looking to gain entry to networks.
Now cybersecurity researchers at Fortinet have identified a new variant of Bazar trojan, which has been equipped with anti-analysis techniques to make the malware harder for anti-virus software to detect.
These include hiding the malicious APIs in the code and only calling on them when needed, additional code obfuscation, and even encrypting certain strings of the code to make it more difficult to analyse.
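The three tricks described above (deferred API resolution, obfuscation and encrypted strings) leave measurable traces that an analyst can triage for before any dynamic analysis: a sample that references almost no ordinary Win32 APIs by name yet contains a run-time resolver, and whose printable strings are unusually random-looking, deserves a closer look. The script below is an added example written for this article, not Fortinet's detection logic and not code taken from the malware; the API name list, the entropy threshold and the two sample byte blobs are constructed assumptions chosen to illustrate the heuristic.

```python
import math
import re
from typing import Dict, List

# Win32 API names that an ordinary import table usually carries. A sample that
# names almost none of these, yet references GetProcAddress/LoadLibrary, may be
# resolving its APIs at run time (the "hide the API, call it when needed" trick).
# Assumption: this short list is illustrative, not a complete or vetted set.
COMMON_APIS = [
    b"CreateFileW", b"ReadFile", b"WriteFile", b"CloseHandle",
    b"VirtualAlloc", b"GetModuleHandleA", b"ExitProcess", b"MessageBoxA",
]
RESOLVERS = [b"GetProcAddress", b"LoadLibraryA", b"LoadLibraryW"]


def extract_strings(data: bytes, min_len: int = 8) -> List[bytes]:
    """Return runs of printable ASCII of at least min_len bytes (like `strings`)."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def shannon_entropy(s: bytes) -> float:
    """Bits of entropy per byte; plain English sits near 4, random-looking text higher."""
    if not s:
        return 0.0
    counts: Dict[int, int] = {}
    for b in s:
        counts[b] = counts.get(b, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def triage(data: bytes, entropy_threshold: float = 4.5) -> Dict[str, object]:
    """Flag a blob whose strings look encrypted or whose imports look hidden.

    Assumption: the 4.5-bit threshold and the 30% ratio are illustrative
    tuning values, not figures from any vendor's detection."""
    strs = extract_strings(data)
    high_entropy = [s for s in strs if shannon_entropy(s) >= entropy_threshold]
    api_hits = sum(1 for a in COMMON_APIS if a in data)
    resolver_hits = sum(1 for r in RESOLVERS if r in data)
    reasons = []
    if resolver_hits and api_hits <= 2:
        reasons.append("sparse API names with a run-time resolver present")
    if strs and len(high_entropy) / len(strs) >= 0.3:
        reasons.append("many high-entropy strings (possible encrypted strings)")
    return {
        "strings": len(strs),
        "high_entropy": len(high_entropy),
        "api_hits": api_hits,
        "resolver_hits": resolver_hits,
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


# Constructed sample blobs (not real binaries): strings separated by NUL bytes.
BENIGN_SAMPLE = b"MZ\x90\x00\x03\x00" + b"\x00\x00".join([
    b"CreateFileW", b"ReadFile", b"WriteFile", b"CloseHandle", b"ExitProcess",
    b"GetProcAddress",                      # benign programs use this too
    b"Copyright (c) Example Corp",
    b"Software\\Example\\Settings",
    b"Unable to open configuration file",
])

SUSPICIOUS_SAMPLE = b"MZ\x90\x00\x03\x00" + b"\x00\x00".join([
    b"GetProcAddress", b"LoadLibraryA", b"kernel32.dll",   # resolver only
    b"k3Z!qW9#vL2$mX7&pR5*nT8=jB4@hY6",                   # random-looking blobs
    b"Gx4%Qn7)Ht1]Vb9{Zd3^Kw6+Jm8~Pf2",                   # standing in for
    b"Yc5<Ur2|Eq8,Dz1'Bj7-Wg4;Ns9/Lv0",                   # encrypted strings
])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        print(name, triage(blob))
```

Run it on a real file by passing `open(path, "rb").read()` to `triage`; treat a hit as a reason to escalate the sample, not as a verdict, since packed but legitimate installers trip the same heuristics.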
The new techniques were added to Bazar towards the end of January and coincided with a phishing campaign designed to distribute the updated version of the malware.
Themes used by the phishing emails designed to draw interest from potential enterprise victims include fake customer complaint reports, fake billing statements and the phony offer of a financial bonus.
No matter the theme of the email, the Bazar trojan phishing attacks attempt to encourage a potential victim to click a link that claims to redirect to a PDF containing additional information about the subject of the message.
These links lead to a malicious web page that references the initial email and directs users towards downloading a file – it is this file that downloads Bazar to the system and executes the malware's installation process.
Once completed, the attackers have a backdoor onto the compromised system that they can either use for their own malicious purposes, or sell on to other cyber criminals to exploit.
Fortinet warns that this particular Bazar phishing campaign remains active and attempted attacks are frequently being detected.
In order to avoid falling victim to phishing attacks distributing Bazar or any other kind of malware, researchers recommended that organisations provide guidance to employees on how to identify and protect themselves from attacks and scams.
Organisations should also ensure they have a patching strategy in place, which prevents malware from being able to exploit known vulnerabilities as a means of gaining access to networks.