Ofer Caspi, a fellow Alien Labs researcher, co-authored this blog.
AT&T Alien Labs actively tracks the TrickBot group through an automated malware analysis system, hunting, and in-depth technical research. On April 20th, 2020 independent security researchers “pancak3lullz” (@pancak3lullz) and Vitali Kremez (@VK_Intel) posted a Tweet regarding two new TrickBot modules aptly named “BazarLoader” and “BazarBackdoor” after attempted Command and Control (C2) communications with the Emercoin DNS (EmerDNS) .bazar domains. EmerDNS is desirable for attackers because it is a distributed blockchain that is decentralized, cannot be censored, and cannot be altered, revoked or suspended by any authority. Alien Labs’ automated malware analysis engine had picked up these samples a few days earlier (Ex: 7c93d9175a38c23d44d76d9a883f7f3da1e244c2ab6c3ac9f29a9c9e20d20a5f)