BazarBackdoor Malware Distributed via Corporate Website Contact Forms
Threat Actors Employ Different Techniques to Bypass Detection.
Threat actors are employing a new technique and leveraging website contact forms instead of common phishing emails to deliver BazarBackdoor. This helps them bypass security software detection.
What Is BazarBackdoor?
The BazarBackdoor malware is typically distributed by means of phishing emails that encompass malicious documents. These documents have further the ability to malware download and install.
What’s new is because systems like secure email gateways have improved their malware droppers detection hackers are starting to change their tactics too.
BazarBackdoor Is Now Distributed Through Contact Forms
Researchers from Abnormal Security have released a new report where they described thoroughly that the malicious campaign leveraging BazarBackdoor began in December last year. The underlined that the probable purpose was represented by Cobalt Strike or ransomware payloads deployment purposes.
Hackers have started however to change their way of distributing this type of malware as instead of employing phishing emails, they use for communication initialization corporate contact forms.
There are two primary purposes for choosing this method for initial communication. It disguises the communication as a request that could be reasonably expected to be received through an online request form. It circumvents potential email defenses since the request would be delivered through a legitimate sender and does not contain any malicious content. Once the contact form request has been submitted by the attacker, they simply wait until someone at the target company reaches out to them to follow up. From the perspective of an email system, the target company is initiating conversation with the attacker rather than the other way around.
As BleepingComputer mentions, the researchers noticed a case where the cybercriminals pretended to be employees working at a Canadian construction enterprise that made a request for a product supply quote.
Following the employee’s response to the phishing email, the hackers reply with a malicious ISO file allegedly relevant in terms of possible negotiation.
Threat actors employ file-sharing platforms like TransferNow and WeTransfer because sending out files directly is not possible as this would result in security alerts.
A.lnk file and a.log file are included in the ISO archive attached. The objective is to avoid AV detection by performing payloads encryption and determining the user manually extracts them after the download phase is completed.
A command instruction that has the role of opening a terminal window by means of existing Windows binaries and further loading the .log file can be found within the .lnk file. The .log file represents actually a BazarBackdoor DLL.
Then, the backdoor will be inserted into the svchost.exe process and communicated with the command and control (C2) server to accept directives to execute.
The researchers were unable to collect the second-stage payload because many of the C2 IPs were unavailable when they conducted the investigation, hence the campaign’s ultimate purpose has not been discovered yet.
With a process injection technique, the DLL uses svchost.exe service to evade detection and establish a connection with their command and control (C2) server at the IP address 13.107.21[.]200 using port 443. (…) At the time of this investigation, some of the C2 IP addresses were down, and the others were not able to download the second stage of the attack. This leaves some level of uncertainty as to the intended second stage malware payload.