Phishing Campaign Threatens Job Security, Drops Bazar and Buer Malware

“You’re fired…..NOT!” An ongoing and rapidly evolving spear phishing campaign is threatening targets with false claims of employment termination due to economic impacts from the global pandemic, among numerous other coercive tactics. The goal of the attacker is to intimidate employees into clicking on a link that will ultimately lead to Bazar or Buer malware infections by way of Trickbot.

Disruption Efforts

Researchers at Zscaler ThreatLabZ reported on similar activity, where they noted this was the first time they have seen both Bazar and Buer malware strains used together. Additionally, they have associated the activity with the Trickbot gang, known to use a combination of different malware groups and bots to conduct attacks.

While Trickbot started out as a banking trojan, known for hijacking victims’ browser sessions once logged into their banking website, it has since been repeatedly repurposed for other objectives, including the ability to spread ransomware. This particularly maniacal and disruptive aspect of Trickbot functionality made it a top contender for possible cybersecurity threats to the 2020 U.S. presidential election.

With ransomware as an option, Trickbot posed a significant threat to U.S. election infrastructure. The malware’s operators had the ability to compromise a massive number of voting machines during critical times in vote counting, undermining trust in the result. That, or they may have even been able to disrupt the voting process altogether by affecting entire voting locations, preventing large portions of the voter population from casting their ballots.

This could explain the recent wave of Trickbot takedown efforts. A report from KrebsonSecurity provided details of an operation that likely began on September 22nd and is conjectured to be a government counter-strike against the actors behind Trickbot. This activity, first identified by Intel471 and possibly conducted by the U.S. Cyber Command, attempted to disrupt Trickbot infrastructure by forcing the botnet’s controllers to issue bogus configurations.

These configurations swapped real controller IP addresses for the localhost address (, preventing bots from calling home to receive commands. Not long after the phony configurations were sent, all known controllers appeared to have stopped properly responding to bot requests, suggesting the overall activity was a concerted, intentional effort to disrupt this pervasive botnet’s operations.

Another attempt was made on October 1st, presumably by U.S. Cyber Command, that similarly altered the controller IP addresses needed to receive commands. Compounding the effects of this effort, Microsoft also attempted disruptions of Trickbot infrastructure by obtaining a court order to disable the botnet’s IP addresses, among other actions. Most recently, Microsoft issued an update that they successfully took down 62 of the 69 Trickbot servers around the world with the remaining being unorthodox IOT devices.

However, these attempts reportedly would only have a short-term effect on Trickbot controllers since its operators use decentralized infrastructure that communicates over Tor, with blockchain-based EmerDNS as a fallback that is resistant to takedowns. Additionally, Ars Technica reports that Trickbot controllers are beginning to host their malware on other e-criminals’ servers.

Area 1 Security’s Findings on Trickbot Payloads

Unsurprisingly, not long after the previously mentioned Trickbot takedown operations occurred, Area 1 Security identified a prolific phishing campaign that intended to spread Bazar and Buer payloads via Trickbot. Worse yet, this newer stealthy malware in Trickbot gang’s arsenal of tools can be used to deploy additional malware, including ransomware.

Area 1 Security researchers found evidence that the BazarLoader dropped in this campaign will not continue with the infection if the locale of the victim’s device is in Russia, a common tactic seen with Trickbot.

In fact, cyber security researchers believe Trickbot is the handiwork of cybercriminals operating out of Russia. Since at least 2019, this group has been responsible for a surge in ransomware attacks targeting schools systems, local governments and even law enforcement agencies in the United States.

Potential for Election Interference

While these e-criminal groups have always been operating at some level in recent years, their activity has surged in the lead-up to the 2020 U.S. Presidential election. This suggests that entities involved in the U.S. election are prime targets for foreign adversaries, both nation-state and cybercriminal groups alike.

Lining up with the recent FBI/DNI press conference, Russian and Iranian state-sponsored groups are confirmed to have exfiltrated voter registration information. Additionally, these nations are behind separate email spoofing campaigns designed to undermine faith in the U.S. election.

At the moment, it is unclear if the phishing campaign that Area 1 Security identified is being carried out by any of these groups or if it is purposefully targeting election administrators. Regardless, state and local election administrators should be extra vigilant as they tend to be highly vulnerable to phishing attacks, as highlighted in Area 1 Security’s recent “Phishing Election Administrators” report.

Threatening Phishing Lures

The recent phishing campaign that Area 1 Security discovered uses a number of lures that threaten job termination in order to intimidate employees into clicking on a provided URL. The phishing messages are very simple in their demand, and appear to originate from persons of authority within the targeted company, as seen in the phishing email below (Figure 1).

[Figure 1. Phishing Messages that Threaten Job Security]

The messages identified in this campaign are based on eliciting fear from the target audience, focusing on either employment termination or customer complaints.

The massive remote workforce transition, and the resultant decrease in face-to-face contact, gives attackers the advantage by making email delivery of these types of “employment notifications” all the more believable.

Targets of this campaign could potentially believe that the post-COVID shake up in their organizations is the reason they’re being let go. With many businesses closing down unusable office space, combined with an economic recession, there is enough plausibility for this wide-ranging phishing attack to fool employees into believing that their position may be part of the now all-too-common budget cuts.

It’s possible this Bazar and Buer campaign is part of the Trickbot operations that Microsoft and other partners are trying to defeat. If so, the activity Area 1 Security observed only further proves just how difficult it can be to counteract these complex malware operations.

With these Trickbot operations, threat actors have a litany of unique and ever-changing email accounts and IP addresses to execute their attacks. Despite the previously mentioned efforts to neutralize Trickbot controllers, the infrastructure used to support this particular campaign (if associated in any way) was hardly affected, and the attacker seems to have promptly resumed operations.

While disruption operations may have worked a decade ago, the Trickbot gang and other groups that rely on their Malware-as-a-Service (MaaS) offering are equipped with the necessary skills to continue their attacks without a hitch. Current botnets have all the professionalism of any IT company. They’re able to manage disruptions and bring back services with continuity planning, backups, automated deployment, and a dedicated workforce.

The campaign noted above centered on termination-related documents available at a provided URL. When clicked, the link directs the victim’s browser to either Google Docs or Constant Contact. By not attaching the malware as a file to the email, the attacker is able to bypass file scanning detections.

Moreover, attackers commonly use cloud-based hosting services to circumvent URL scanning techniques, and to easily create new malicious links in the event that their URLs are identified as phishing pages.

The Google Docs or Constant Contact link in the phishing email leads to a decoy preview page, as shown in Figure 2, that prompts the victim to open a list of terminated employees. The decoy also cleverly displays the often seen “If download does not start, click here”. This link is where the malware is actually being hosted.

At the moment, it is unclear if the phishing campaign that Area 1 Security identified is being carried out by any of these groups or if it is purposefully targeting election administrators. Regardless, state and local election administrators should be extra vigilant as they tend to be highly vulnerable to phishing attacks, as highlighted in Area 1 Security’s recent “Phishing Election Administrators” report.

Threatening Phishing Lures

The recent phishing campaign that Area 1 Security discovered uses a number of lures that threaten job termination in order to intimidate employees into clicking on a provided URL. The phishing messages are very simple in their demand, and appear to originate from persons of authority within the targeted company, as seen in the phishing email below (Figure 1).

[Figure 2. Google Doc Decoy Preview Page with Redirect Link]

Analysis of Bazar and Buer Malware

As seen in the figure below, after clicking on the link found in the online document, the victim is presented with a dialog box to run the file. The file is actually a malicious PE32+ executable that is designed to run on all Windows systems.

[Figure 3. Gaining Run Permission]

After clicking “Run,” a series of events will take place on the victim’s device that will ultimately lead to installation of the Bazar backdoor or Buer loader.

First, the PE32+ executable noted above will decrypt the payload using an RC4 cipher, a portion of which is provided in Figure 4 below. The payload happens to be none other than Trickbot, and typically the RC4 key is changed for each iteration of the malware.

[Figure 4. RC4 decryption of Trickbot Payload]

As detailed in Figure 5, Area 1 Security researchers identified the string “dave” at the end of the Trickbot payload in memory, which is consistent with prior reporting on techniques employed by Emotet and Trickbot malware developers. This string reveals the attacker’s use of a custom packer to compress and encrypt the file, making it difficult for malware researchers to analyze the payload.

[Figure 5. “Dave” signature]

Despite this anti-reversing technique, Area 1 Security discovered the Trickbot payload attempts to further infect the victim device by decrypting and running the BazarLoader.

What are malware loaders? Loaders are an essential function that allow attackers to gain a foothold in a network and enable subsequent, more persistent infection via their command and control servers. This tactic opts for stealth by initially loading as little functionality as necessary.

In this case, the BazarLoader in turn attempts to download the Bazar backdoor via a blockchain DNS lookup table. This is a great tactic for attackers as it circumvents the need for registrars, giving full ownership of the blockchain domain to the attackers. This way, domain custodians like GoDaddy or Google Domains can’t seize the domain if malicious activity is observed, nor will they have the ability to share information about the domain if served a court order.

Similar to bitcoin, Top Level Domains (TLDs) like .bit, .bazar, and .coin are not owned by a single authority but instead shared over peer-to-peer networks. This offers users the ability to bypass censorship and other government restrictions, but also provides a platform for attackers to conduct illicit activities that are safe from typical countermeasures.

As shown in Figure 6, to download the backdoor, the loader loops through eight unique IP addresses and five domains under the EmerDNS .bazar TLD.

[Figure 6. Attempted Outbound Connections to Download the Bazar Backdoor]

The second level domains are comprised of 12 alphabetical characters that are generated using a specific domain generation algorithm. The malware runs through the list of generated .bazar domains to find one that is still actively hosting the backdoor.

Once the backdoor is downloaded and successfully run, that attacker can carry out any number of devious acts, including remotely executing commands, exfiltrating sensitive data, and deploying other payloads. These additional payloads range anywhere from post-exploitation frameworks like CobaltStrike to ransomware like Ryuk.

In fact, Trickbot is known to deliver Ryuk ransomware to devices via BazarLoader. In one instance, after the initial Bazar infection, attackers exploited a recently disclosed vulnerability to escalate privileges and gain domain-wide ransomware infection just five hours after sending their phishing message.

This is unfortunately just one of many possible outcomes that can result from successful infection via this Trickbot phishing campaign we intercepted.

How to Stop Evolving Trickbot Campaigns

The threat actors behind this campaign leveraged a number of sophisticated techniques to easily evade legacy vendors and cloud email providers. Linking to legitimate, cloud-based sites within the phishing messages, combined with the use of takedown- and sinkhole-resistant EmerDNS TLDs, makes this a particularly difficult campaign for standard defenses to detect.

Area 1 Security‘s advanced Machine Learning and Artificial Intelligence technology allow our algorithms to uncover the clever tactics seen in this campaign, enabling us to block the messages in real time instead of waiting days or weeks for signature updates. Our time-zero detections lead the industry with reliable verdicts that stop phishing attempts at delivery time.

This means that malware like Trickbot, the Bazar backdoor, and follow-on infection with ransomware, never have the opportunity to make their way onto our customers’ devices. The key to stopping sophisticated malware campaigns such as these is a preemptive approach, which has many advantages over post-delivery retraction, and prevents the user from ever being exposed to the attack.

Indicators of Compromise

Phishing Email Subject Lines:

  • Re: Termination List
  • RE: termination,
  • Re: my visit and call
  • Re: meeting of
  • RE: office
  • RE: office,

Malicious PE32+ Executable Linked to in Decoy Document:

Sha1: 895d84fc6015a9ad8d1507a99fb44350fb462c79

Sha256: a3b2528b5e31ab1b82e68247a90ddce9a1237b2994ec739beb096f71d58e3d5b

Md5: dbdb5ddd07075b5b607460ea441cea19

Sites Hosting Malicious PE32+ Executable:




Malicious Links in Phishing Messages:









Outbound BazarLoader DNS Requests for Analyzed PE32+ Executable (Port 53):









Blockchain Domains for Analyzed PE32+ Executable:






Want to keep up to date with the latest phishing trends? 

Subscribe to our newsletter here!


How to replace your email gateway with Cloudflare Area 1

Leaders and practitioners responsible for email security are faced with a few truths every day. It’s likely true that their email is cloud-delivered and comes with some built-in protection that does an OK job of stopping spam and commodity malware.

Introducing email link isolation – Email gateway replacement playbook

This week was a big one for us at Cloudflare, one of our four innovation weeks which we hold annually, showcasing new developments, product news and reference architectures.

Superhero strategies for the Phish Fight

Today is National Superhero Day, and we would like to dedicate this day to you—the SOC teams and the security experts on the frontline of the phish fight.