Corporate Website Contact Forms Used in BazarBackDoor Malware Campaign

BazarBackdoor is a stealthy malware made by the TrickBot group.


BazarBackdoor malware is now spreading via website contact forms instead of typical phishing emails in order to avoid identification by security software. BazarBackdoor is a stealthy malware made by the TrickBot group and is currently under development by the Conti ransomware operation.

The malware gives threat actors remote access to internal devices, which they can then use as a launchpad for further distribution inside the network. It is usually spread via phishing emails carrying documents that download and deploy the malware.

Because secure email gateways have become better at catching these malware droppers, distributors are finding new ways of delivering the malware. In a recent report by Abnormal Security, analysts reveal that a new malware campaign, which started last year, is targeting corporate victims with BazarBackdoor; the goal is most probably to deploy Cobalt Strike or ransomware payloads. Rather than sending phishing emails to targets, the hackers first use corporate contact forms to start the conversation.

For instance, in many cases observed by cybersecurity experts, the hackers posed as employees of a Canadian construction firm submitting a request for a product supply quote. When employees respond to the phishing emails, the threat actors send back a harmful ISO file themed around the organization.

Since sending these files directly would trigger security alerts, the hackers use file-sharing services like WeTransfer and TransferNow. In a similar contact-form abuse case in August, fake DMCA infringement notices sent via contact forms led to the installation of BazarBackdoor.

How BazarLoader Malware Hides

"The ISO archive attachment contains a .lnk file and a .log file. The idea here is to evade AV detection by packing the payloads in the archive and having the user manually extract them after download. The .lnk file contains a command instruction that opens a terminal window using existing Windows binaries and loads the .log file, which is, in reality, a BazarBackdoor DLL," reports Bleeping Computer. Stay connected with CySecurity to know more.
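The quoted description gives a defender two concrete things to look for once an ISO is extracted: a shortcut whose arguments point at a sibling file, and a file with a harmless-looking extension that is actually a PE image. The script below is an added example written for this post, not code from the article, Bleeping Computer or Abnormal Security. It parses the arguments string out of a Windows .lnk (following the MS-SHLLINK header and StringData layout), checks every "data" file in the directory for an MZ header, and reports a shortcut that references such a masquerading file. The file names (invoice.lnk, report.log), the argument string and the minimal shortcut it builds are constructed test data, not artifacts from the campaign.

```python
import os
import struct
import tempfile
from typing import List

# LinkFlags bits from the MS-SHLLINK specification (ShellLinkHeader).
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7
HEADER_SIZE = 0x4C  # fixed ShellLinkHeader size

# Extensions that should never carry a PE image; an MZ header here is masquerading.
DATA_EXTENSIONS = {".log", ".txt", ".dat", ".png", ".jpg", ".pdf"}


def parse_lnk_arguments(data: bytes) -> str:
    """Return the COMMAND_LINE_ARGUMENTS string of a .lnk, or '' if it has none."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (2 bytes) followed by the list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)

    def read_string() -> str:
        # StringData item: CountCharacters (2 bytes) then the characters, no terminator.
        nonlocal pos
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if unicode else 1
        raw = data[pos:pos + count * width]
        pos += count * width
        return raw.decode("utf-16-le" if unicode else "cp1252")

    # StringData sections appear in this fixed order, each present only if its flag is set.
    for flag in (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR):
        if flags & flag:
            read_string()
    return read_string() if flags & HAS_ARGUMENTS else ""


def triage_extracted_iso(directory: str) -> List[str]:
    """Flag the pattern from the article: a .lnk whose arguments reference a sibling
    'data' file (e.g. .log) that actually starts with a PE (MZ) header."""
    findings: List[str] = []
    names = os.listdir(directory)
    masquerading = set()
    for name in names:
        ext = os.path.splitext(name)[1].lower()
        if ext in DATA_EXTENSIONS:
            with open(os.path.join(directory, name), "rb") as fh:
                if fh.read(2) == b"MZ":
                    masquerading.add(name)
                    findings.append(f"{name}: PE header under a {ext} extension")
    for name in names:
        if name.lower().endswith(".lnk"):
            with open(os.path.join(directory, name), "rb") as fh:
                args = parse_lnk_arguments(fh.read())
            for target in masquerading:
                if target.lower() in args.lower():
                    findings.append(f"{name}: shortcut arguments reference {target}")
    return findings


def build_sample_lnk(args: str) -> bytes:
    """Constructed minimal shell link carrying only an arguments string (test data)."""
    header = struct.pack("<I16sI", HEADER_SIZE, b"\x00" * 16, HAS_ARGUMENTS | IS_UNICODE)
    header = header.ljust(HEADER_SIZE, b"\x00")  # remaining header fields zeroed
    return header + struct.pack("<H", len(args)) + args.encode("utf-16-le")


def make_sample_dir() -> str:
    """Constructed stand-in for an extracted ISO: a shortcut, a disguised PE, a real text file."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "invoice.lnk"), "wb") as fh:
        fh.write(build_sample_lnk("/q /c report.log"))  # constructed, inert argument string
    with open(os.path.join(d, "report.log"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 62)  # DOS header magic only; not a real DLL
    with open(os.path.join(d, "readme.txt"), "wb") as fh:
        fh.write(b"plain text, should not be flagged")
    return d


if __name__ == "__main__":
    for line in triage_extracted_iso(make_sample_dir()):
        print(line)
```

Running the script against the constructed directory reports report.log as a PE hiding under a .log extension and invoice.lnk as the shortcut that references it, while readme.txt produces nothing. On a real triage box the same two functions can be pointed at any mounted or extracted ISO; the magic check is the cheaper signal and works even when the shortcut stores its command in a form this minimal parser does not handle.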