BazarBackdoor Trojan Involved in a New Phishing Campaign | CSV Text Files Used to Spread Malware

BazarBackdoor malware is infecting devices once more. This time, cybersecurity researchers have spotted a new phishing strategy that relies on CSV text files to install the trojan.

What's a CSV File?


A CSV (comma-separated values) file is a plain-text file in which the values are separated by commas. Usually the first line of the text is a header that describes the columns.

As an example, Bleeping Computer wrote that a list of US state capitals can be written as a simple CSV file, with the commas separating the columns that hold the data.

When you open such a file in Microsoft Excel, you see only the text in each line. CSV files are commonly used to transfer data to another application, such as a password manager or a database.

However, Excel has a notable downside when it comes to executable commands: through its Dynamic Data Exchange (DDE) feature, the contents of a cell can be made to execute commands.

As a result, attackers can abuse this to run commands that install malware and infect users' devices.

Related Article: TrickBot Malware Now Comes With Extra Protections, Can Now Bypass Real-Time Web Injections

Phishing Campaign Promotes BazarBackdoor

Chris Campbell, a malware spotter on Twitter, recently posted that the notorious trojan was spreading via CSV files. Once BazarBackdoor is installed, the threat actors gain access to the system.

Users should therefore be wary of suspicious links that lead to an unknown CSV file. To carry out the phishing attacks, the hackers used emails masquerading as "Payment Remittance Advice."

On close inspection of the data in the file, one column contains a suspicious "WMIC" call that can launch PowerShell commands.

If the prompt to run WMIC.exe is allowed through, the threat actors can then execute a PowerShell command right away.

In this incident, the cybercriminals reportedly used that executable command to open a PowerShell process, which then connected to a "remote URL."

To be clear, allowing both prompts to proceed results in PowerShell scripts being launched from Excel. At that point the hackers can download the DLL and start the process that installs BazarBackdoor on the system or device.
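The DDE risk above comes down to a single property of the file: a spreadsheet treats any cell that begins with a formula trigger character as a formula, not as text. The Python script below is an added example for defenders and is not code from the Tech Times article, from the researchers it cites, or from any tool it names. It parses a CSV, flags cells a spreadsheet would evaluate, labels those that name an external command (WMIC, PowerShell, cmd, DDE) as the kind of chain the article describes, and rewrites the file so every such cell is prefixed with a single quote, which spreadsheets treat as a text marker. The sample CSV, the keyword list and the placeholder "formula" cell are all constructed for this example.

```python
import csv
import io
import re
import sys

# Constructed sample (not from the article): one benign remittance row, one row
# whose third cell starts with "=" and names WMIC (the pattern the article
# describes, with a placeholder instead of any real command), and one row with a
# phone number that merely starts with "+".
SAMPLE_CSV = (
    "Invoice,Amount,Note\n"
    "1001,250.00,Payment remittance advice\n"
    "1002,75.50,\"=WMIC|'constructed placeholder'!A1\"\n"
    "1003,10.00,+1 (555) 0100\n"
)

# Leading characters that make a spreadsheet evaluate a cell instead of
# displaying it as text.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Tokens that indicate a formula is trying to reach outside the workbook.
# This list is an assumption for the example, not an exhaustive signature.
SUSPICIOUS_TOKENS = re.compile(r"wmic|powershell|cmd|dde", re.IGNORECASE)


def find_formula_cells(text):
    """Return (row, col, cell) for every cell that begins with a formula trigger.

    Row and column numbers start at 1; the header row counts as row 1.
    """
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        for c, cell in enumerate(row, start=1):
            if cell.startswith(FORMULA_TRIGGERS):
                hits.append((r, c, cell))
    return hits


def classify(cell):
    """Label a formula cell: 'exec' if it references an external command
    (the DDE-to-WMIC/PowerShell chain in the article), else 'formula'."""
    return "exec" if SUSPICIOUS_TOKENS.search(cell) else "formula"


def scan(text):
    """Summarise every formula cell in the CSV as a dict for reporting."""
    return [
        {"row": r, "col": c, "kind": classify(cell), "cell": cell}
        for r, c, cell in find_formula_cells(text)
    ]


def neutralize(text):
    """Rewrite the CSV so each formula-triggering cell is prefixed with a single
    quote; spreadsheets then display the cell as literal text and never evaluate
    it. The rest of the data is written back unchanged."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for row in csv.reader(io.StringIO(text)):
        writer.writerow(
            ["'" + cell if cell.startswith(FORMULA_TRIGGERS) else cell for cell in row]
        )
    return out.getvalue()


if __name__ == "__main__":
    # Usage: python scan_csv.py [file.csv]; with no argument the sample is used.
    data = open(sys.argv[1], newline="").read() if len(sys.argv) > 1 else SAMPLE_CSV
    for hit in scan(data):
        print(f"row {hit['row']} col {hit['col']} [{hit['kind']}]: {hit['cell']!r}")
    print("--- neutralized ---")
    print(neutralize(data), end="")
```

Run against the sample, the scan reports the WMIC cell as `exec` and the phone number as a plain `formula` hit; the neutralized output starts both cells with an apostrophe, so re-scanning it finds nothing. The `-` and `+` triggers will flag negative numbers and phone numbers stored as text, which is the expected false-positive cost of this check: the point is to review or neutralize anything a spreadsheet would evaluate, not to decide intent from the prefix alone.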

Phishing Trap Victimizes More People

The case caught the attention of Vitali Kremez, CEO of AdvIntel, who said that more people have been falling for this scheme.

"Based on our visibility into the BazarBackdoor telemetry, we have observed 102 actual non-sandbox corporate and government victims over the past two days from this phishing campaign," Kremez said.

The malware was also involved in an incident in November 2021, when ZDNet reported that BazarBackdoor exploited a special app feature in Windows 10.

To browse more articles about cybersecurity, check Tech Times' latest report about the FBI's warning to Beijing Winter Olympics athletes and audiences. You can also read our story about the MoonBounce malware uncovered by Kaspersky.

Read Also: FBI Allegedly Bought Pegasus Spyware From NSO Group

This article is owned by Tech Times

Written by Joseph Henry

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.