FORTINET, INC.

(FTNT)
Fortinet : New Bazar Trojan Variant is Being Spread in Recent Phishing Campaign – Part I

02/12/2021 | 01:34pm EST
FortiGuard Labs Threat Research Report

Affected platforms: Microsoft Windows
Impacted parties: Windows Users
Impact: Controls the victim's device, collects sensitive information from it, and delivers other malware.
Severity level: Critical

Bazar (which has been classified as the Team9 malware family being developed by the group behind Trickbot) is a backdoor Trojan designed to target a device, collect sensitive information, control the system via commands, and deliver malware. Last year, it was observed delivering the TrickBot malware.

FortiGuard Labs recently noticed a suspicious email through the SPAM monitoring system. This email was designed to entice a victim into opening a web page to download an executable file. Additional research on this executable file found that it is a new variant of Bazar. In this post you can expect to learn what new techniques this Bazar uses to perform anti-analysis, how it communicates with its C2 server, what sensitive data it is able to collect from the victim's device and how it is able to deliver other malware onto the victim's system.

Phishing Email and Download Page

To validate our assessment, we captured some of Bazar's previous phishing emails, and their content is similar. They lure the recipient into opening a webpage to view a PDF version of a fake bonus report, a fake customer complaint report, a fake billing statement, etc. You can see two examples in the following Figures, which were captured on Jan 20 and Jan 27, 2021.

Disclaimer

Fortinet Inc. published this content on 12 February 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 12 February 2021 18:34:06 UTC.

