By John Limb, CTO at Braintrace
November 10, 2020 9:45 am ET

BraintraceLabs released research on the current Trickbot/Ryuk attack on the healthcare sector. This week will give an update for Trickbot and also will inform the community on Bazaloader, or BazarBackdoor, which was created by the same people who are behind Trickbot.

Last week, we stated Trickbot is tagged as ono76 and ono77 have a few new tricks, one being a new reconnaissance module named Anchor_DNS that provides connectivity checks for C2 activities and TLS only communications over ports 443, 449. We also observed these versions not working on 32bit windows, with rewritten DLL files for 64bit windows only. Our newest model has Trickbot going above ono76 to ono82, ono91, ono92, and ono95. This has concerned us because Trickbot looks a lot like Bazaloader, using Dragonfly’s EPA analysis.

This information does not surprise us, as we already knew, since April, Bazaloader was created by Trickbot group. What is surprising is Bazaloader and Trickbot are becoming too similar. The trend appears to imply a substantial uptick in BazarBackdoor attacks. Both trojans have a self-signed certificate, the TLS extension’s mission is missing, and both are not carrying HTTPS.

It appears these bad actors are switching up their tactics since there has been so much publicity on Trickbot. Bazaloader is a newer and more stealthy trojan, focusing on port 449 rather than port 443.

Braintrace Dragonfly models are all set to catch Bazaloader and all-new variations via our Encrypted Payload Analytics (EPA) and our domain generation algorithm (DGA) sensors.

If you have any questions or concerns about Trickbot and Ryuk. Please feel free to contact us at