2 cyber-attack campaigns are now using unique social-engineering techniques.
The Bazar Loader malware is using worker trust in collaboration tools like Slack & Basen Camp, in email messages with links to malware payloads, researchers commented.
In a secondary campaign aimed at consumers, the attackers have added a voice-call element to the attack chain.
Executing Additional Modules
The Bazar Loader downloader, written in C++, has the primary function of downloading & executing additional modules. Bazar Loader was 1st observed in the wild last April & since then researchers have observed at least 6 variants, “signalling active & continued development.”
It has been recently seen being used as a staging malware for ransomware, particularly Ryuk.
“With a focus on targets in large enterprises, Bazar Loader could potentially be used to mount a subsequent ransomware attack,” according to an advisory from Sophos, issued on Thurs.
Abuse Slack & Base Camp
According to researchers at Sophos, in the 1st campaign spotted, adversaries are targeting employees of large organisations with emails that pretend to offer important information related to contracts, customer service, invoices or payroll.
“One spam sample even attempted to disguise itself as a notification that the employee had been laid off from their job,” according to Sophos.
The links inside the emails are hosted on Slack or Base Camp cloud storage, meaning that they could appear to be legitimate if a target works at an organisation that uses 1 of those platforms. In an era of remote working, those odds are good that this is the case.
Digitally Signed Executable
“The attackers prominently displayed the URL pointing to 1 of these well-known legitimate websites in the body of the document, lending it a veneer of credibility,” researchers said. “The URL might then be further obfuscated through the use of a URL shortening service, to make it less obvious the link points to a file with an .EXE extension.”
If a target clicks on the link, Bazar Loader downloads & executes on the victim’s machine. The links typically point directly to a digitally signed executable with an Adobe PDF graphic as its icon. The files Perpetuate the ruse, with names like presentation-document.exe, preview-document-number.exe or annualreport.exe, researchers noted.
Windows Command Shell
These executable files, when run, inject a DLL payload into a legitimate process, such as the Windows command shell, cmd.exe.
“The malware, only running in memory, cannot be detected by an endpoint protection tool’s scans of the filesystem, as it never gets written to the filesystem,” explained researchers. “The files themselves don’t even use a legitimate .DLL file suffix because Windows doesn’t seem to care that they have one; The OS runs the files regardless.”
‘Bazar Call’ Campaign
In the 2nd campaign, Sophos found that the spam messages are devoid of anything suspicious: There is no personal information of any kind included in the body of the email, no link & no file attachment.
“All the message claims is that a free trial for an online service the recipient purportedly is currently using will expire in the following day or 2 & embeds a telephone number the recipient needs to call in order to opt-out of an expensive, paid renewal,” researchers explained.
If a target decides to pick up the phone, a friendly person on the other side gives them a website address where the soon-to-be-victim could supposedly unsubscribe from the service.
Unsubscribe Button
“The well-designed & professional looking websites bury an unsubscribe button in a page of frequently asked questions,” according to Sophos. “Clicking that button delivers a malicious Office document either a Word doc or an Excel spreadsheet that, when opened, infects the computer with the same Bazar Loader malware.”
The messages initially claimed to originate from a company called Medical Reminder Service, & include a telephone number in the message body, as well as a street address for a real office building located in Los Angeles. In mid-April, the messages adopted a lure involving a fake paid online lending library, called Book Point.
Book Point
The subject lines revolving around Book Point also reference a long number or code, which users are asked to input in order to “unsubscribe.”
In terms of the infection routine, the attackers in these so-called “Bazar Call” campaigns deliver weaponised Microsoft Office documents that invoke commands to drop & execute 1 or more payload DLLs.
Connection to Trick Bot?
Researchers have been suspecting that Bazar Loader could be related or authored by the Trick Bot operators. Trick Bot is another 1st-stage loader malware often used in ransomware campaigns.
Sophos looked into the connection & found that the 2 malwares use some of the same infrastructure for command & control.
“From what we could tell, the Bazar Loade malware binaries running in the lab network bear no resemblance to Trick Bot,” according to the posting. “But they did communicate with an IP address that has been used in common, historically, by both malware families. Of course, a lot of people have studied this connection in the past.”
Encrypt the Strings
Anyway, Bazar Loader appears to be in an early stage of development & is not as sophisticated as more mature families like Trick Bot, researchers added.
For example, “while early versions of the malware were not obfuscated, more recent samples appear to encrypt the strings that might reveal the malware’s intended use,” they concluded.
https://www.cybernewsgroup.co.uk/virtual-conference-may-2021/