While the number of BazarLoader detections increased in the third quarter, two new delivery methods have been added to the list of delivery mechanisms used by threat actors for data theft and ransomware. Malicious actors combine BazarLoader with genuine products, hence one of the approaches involves using corrupted software installers. The second approach involves loading a Windows link (LNK) and dynamic link library (DLL) payload into an ISO file. The Americans have been discovered to have the highest amount of BazarLoader attacks.
Researchers detected the tainted versions of VLC and TeamViewer software included with BazarLoader, according to reports. While the original delivery technique has yet to be discovered, it's possible that the use of these packages is part of a bigger social engineering campaign aimed at convincing individuals to download and install infected installers. A BazarLoader executable is dumped and executed when the installers load. It's also one of the most noticeable differences from recent BazarLoader arrival approaches, which appeared to support dynamic link libraries (DLL).
Meanwhile, a distribution technique based on ISO files has been uncovered, in which the BazarLoader DLL is launched via DLL and LNK files included in the ISO files. The LNK file uses a folder icon to fool the user into double-clicking it, letting the BazarLoader DLL programme to be launched. The "EnterDLL" export function, which was recently used by BazarLoader, is then called. Before injecting itself into a suspended MS Edge process, Rundll32.exe launches the malicious DLL and connects to the C&C server.
As threat actors change their assault techniques to avoid detection, the number of arrival mechanism modifications utilized in BazarLoader campaigns continues to rise. Due to the limitations of single detection methods, both techniques are significant and still work despite their lack of novelty.
While the usage of compromised installers has been seen with other malware, the huge file size might still pose a problem for detection systems, such as sandboxes, that apply file size constraints. LNK files used as shortcuts, on the other hand, will very certainly be obfuscated due to the additional layers generated between the shortcut and the malicious files.
BazarLoader will continue to evolve as a standalone information stealer, an initial access malware-as-a-service (MaaS) for other malware operators, and a secondary payload distribution mechanism for even more destructive attacks like modern ransomware. For unknown risks, security teams must deploy multi-layered systems capable of pattern recognition and behavior monitoring, as well as making monitoring and tracking for known dangers more evident based on known data.
