One of the latest types of Trojan Horse malware developed, a stealthy program known as BazarLoader, is being increasingly utilised by TrickBot operators to target high-value victims in Ryuk ransomware attacks.

For some time now, the cybercriminal gang TrickBot has been using its own Trojan horse to compromise organisation’s networks, fooling them into using a variety of software modules that have a malicious and specific purpose like spreading infection to multiple machines, stealing user credentials like passwords, and appropriating a domain’s dedicated Active Directory (AD) database.

As cybersecurity experts have analysed these modules extensively over time, defensive solutions have now become far more effective at spotting them, resulting in fewer enterprises being fooled. However, a new report has noted that operators are mixing up their tactics now and adopting the less detectable BazarLoader Trojan instead.

A change of tactics for TrickBot operators

Security researchers at Advanced Intel led by cybersecurity expert and ethical hacker Vitali Kremez, have discovered that operators have stopped using the TrickBot Trojan and are now favouring BazarBackdoor. Backdoor Trojans make it possible for cybercriminals to control infected devices remotely, allowing them to perform variety of actions such as deleting, sending, receiving, and viewing private data. They are also commonly used to create botnet networks that enslave computers combining their functions for criminal activity.

Kremez stated that Bazarbackdoor’s covert nature and minimal functionality provide the malicious program it with a simplicity that enables it to blend in better making it suitable for high-value victim attacks.

Anatomy of a ransomware attack using BazarLoader

An attack employing the BazarLoader Trojan Horse will typically begin with a phishing attempt via email. After it has successfully fooled the recipient into downloading the malware and activating it, the Trojan will infect the device. Using process hollowing, BazarLoader will install the insidious component known as Bazarbackdoor, injecting it into legitimate processes within Windows, like explorer.exe, cmd.exe or svchost.exe. At this point a task is created and scheduled that will ensure BazarLoader is launched each time someone logs onto the system.

When ready, Bazarbackdoor will then launch a beacon with Cobalt Strike, which gives threat operators access remotely to install any exploitation tools they wish to, allowing them to map the Windows domain and extract any user credentials that may prove useful.

For the final step of the attack strategy, the malicious operators will deploy Ryuk ransomware across the whole network, locking enterprise staff out of systems and services and inhibiting access to data files by encrypting them. A ransom note is then left, sometimes using a dedicated landing page, requesting a large payment in cryptocurrency.

Due to the time-consuming and expensive operations that involve a substantial amount of human activity, cybercriminal experts such as Kremez believe BazarLoader is likely to be reserved for assaulting a select list of victims. He said:

“The downside of hunting with BazarBackdoor is that it requires an expensive exploitation operation to pivot from the infections.”

For the near future, it would seem, the TrickBot Trojan will stay the weapon-of-choice for mass-distribution network attacks by hackers.