Syndet Backdoor

First observed in late April, Syndet (also known as BazarBackdoor and BeerBot) is a sophisticated backdoor believed to have been created by Trickbot's authors for use in their own campaigns.


Affected platforms

The following platforms are known to be affected:

Threat details

Syndet is delivered via highly targeted lure documents distributed in spam email campaigns that use Sendgrid, a legitimate email marketing service. The emails contain Google Docs links that point to DOC, PDF or XLS files tailored to the specific recipient. When a user interacts with these files, an EXE containing an initial dropper, referred to as BazaLoader, is downloaded instead. BazaLoader sleeps for a set period before connecting to a command and control (C2) server using the EmerDNS decentralised DNS resolver, from which it retrieves an XOR-encrypted Syndet payload. BazaLoader then decrypts this payload and injects it into a running process using both process hollowing and process doppelgänging.

Once installed, Syndet will create a scheduled task to run BazaLoader whenever a user logs in. It then downloads and installs the Cobalt Strike post-exploitation toolkit from a secondary EmerDNS-hosted C2 server before awaiting further commands.
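The C2 channel described above relies on EmerDNS zones that ordinary recursive resolvers cannot serve, so any endpoint querying a .bazar name is a strong signal. As an added example that is not part of this advisory, the Python below scans a constructed DNS query log for such lookups; it goes beyond the page by also covering the other EmerDNS zones (.coin, .emc, .lib), and the log format and client addresses are assumed.

```python
"""Flag DNS queries for EmerDNS blockchain zones in a DNS query log (added example)."""
import re
from collections import Counter

# EmerDNS zones; .bazar is the one used by Syndet/BazaLoader. A normal resolver
# cannot answer these, so any client asking for them deserves investigation.
EMERDNS_TLDS = {"bazar", "coin", "emc", "lib"}

# Constructed sample log (assumed format: "<date> <time> <client> query <type> <name>").
SAMPLE_LOG = """\
2022-01-10 09:12:01 10.0.4.17 query A update.microsoft.com
2022-01-10 09:12:05 10.0.4.17 query A forgame.bazar
2022-01-10 09:12:06 10.0.4.17 query A thegame.bazar
2022-01-10 09:13:41 10.0.4.22 query A nhs.uk
2022-01-10 09:14:02 10.0.4.22 query AAAA mirror.example.lib
2022-01-10 09:15:30 10.0.4.31 query A bazar.example.com
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<client>\S+) query (?P<qtype>\w+) (?P<qname>\S+)$"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_emerdns_query(qname):
    """True if the final label is an EmerDNS zone ('bazar.example.com' is not flagged)."""
    return qname.rstrip(".").rsplit(".", 1)[-1].lower() in EMERDNS_TLDS


def find_emerdns_queries(log_text):
    """All parsed records whose queried name sits in an EmerDNS zone."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_emerdns_query(rec["qname"]):
            hits.append(rec)
    return hits


def clients_by_hits(hits):
    """Count flagged queries per client address, to prioritise triage."""
    return Counter(h["client"] for h in hits)


if __name__ == "__main__":
    for h in find_emerdns_queries(SAMPLE_LOG):
        print(f"{h['ts']} {h['client']} -> {h['qname']} ({h['qtype']})")
```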


Remediation steps

To prevent and detect a trojan infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.



Indicators of compromise

Main indicators

URLs


SHA256 File Hashes

  • 1e123a6c5d65084ca6ea78a26ec4bebcfc4800642fec480d1ceeafb1cacaaa83
  • 5974d938bc3bbfc69f68c979a6dc9c412970fc527500735385c33377ab30373a
  • 67ffdd2e3cab811ba06287c21133b46bb5d583d7d0ca11dc7aa4e83f026a50cc
  • 7c93d9175a38c23d44d76d9a883f7f3da1e244c2ab6c3ac9f29a9c9e20d20a5f

Last edited: 10 January 2022 5:48 pm