BazarBackdoor malware is infecting devices once more. This time, cybersecurity researchers spotted that the new phishing strategy relies on CSV text files as the vehicle used to install this trojan.
What's a CSV File?
A CSV, or comma-separated values file, is a plain text file whose data fields are divided by commas. Usually, the first line of the text is a header describing the columns.
As an illustration, Bleeping Computer showed that a list of US state capitals can be written in a simple CSV file. The commas separate the columns that hold the data.
When you open such a file in Microsoft Excel, you only see the text in each line. CSV files are commonly used to transfer data to another application, such as a password manager or a database.
However, Excel has a notable downside when it comes to executable commands: a file's content can be manipulated through the Dynamic Data Exchange (DDE) feature so that opening it runs commands.
As a result, attackers can abuse this to execute commands that install malware and infect users' devices.
Related Article: TrickBot Malware Now Comes With Extra Protections, Can Now Bypass Real-Time Web Injections
Phishing Campaign Promotes BazarBackdoor
Chris Campbell, a malware spotter on Twitter, recently posted that the notorious trojan was spreading using CSV files. Once BazarBackdoor is installed, the threat actors gain access to the system.
More importantly, users should be wary of suspicious links that direct them to an unknown CSV file. To carry out the phishing attacks, the hackers used emails masquerading as "Payment Remittance Advice."
On closer inspection of the file's data, one column contains a suspicious "WMIC" call that can launch PowerShell commands.
If the permission prompt for WMIC.exe is cleared, the threat actors can immediately execute a PowerShell command.
In this incident, the cybercriminals reportedly used this command to open a PowerShell process, which then reaches out to a "remote URL."
To be clear, allowing both prompts results in PowerShell scripts being launched via Excel. When this happens, the attackers download a DLL, and from there initiate the process that installs BazarBackdoor on the system or device.
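As an added example (not code from the article, Bleeping Computer, or the researchers it cites), a Python script that flags cells a mail gateway or a cautious user could check before a CSV is opened in Excel, and defangs them so Excel shows them as text; the sample CSV and its WMIC placeholder cell are constructed, not taken from the real lure.

```python
import csv
import io
import re

# Characters Excel treats as the start of a formula when it opens a CSV cell.
FORMULA_TRIGGERS = ("=", "+", "-", "@")
# DDE uses the syntax application|topic!item, so look for a "|" followed later by "!".
DDE_PATTERN = re.compile(r"\|.*!")
# Executables the article reports the lure relying on (WMIC launching PowerShell).
SUSPECT_BINARIES = re.compile(r"\b(wmic|powershell|cmd)\b", re.IGNORECASE)
PLAIN_NUMBER = re.compile(r"[-+]?\d+(\.\d+)?")  # a signed number like -250.00 is data, not a formula

# Constructed sample: an invoice-style sheet with one DDE placeholder cell and one harmless formula.
SAMPLE_CSV = (
    "Invoice,Amount,Note\n"
    "INV-1001,-250.00,paid\n"
    "INV-1002,1200.50,\"=WMIC|'PLACEHOLDER'!A0\"\n"
    "INV-1003,75.00,@SUM(B2:B4)\n"
)

def looks_like_formula(cell):
    """True when Excel would evaluate the cell instead of displaying it as text."""
    stripped = cell.lstrip()
    if not stripped.startswith(FORMULA_TRIGGERS):
        return False
    return PLAIN_NUMBER.fullmatch(stripped) is None

def inspect_csv(text):
    """Return (row, column, reason) for every cell that could trigger DDE or a formula."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(text))):
        for c, cell in enumerate(row):
            if not looks_like_formula(cell):
                continue
            if DDE_PATTERN.search(cell):
                findings.append((r, c, "dde-syntax"))
            elif SUSPECT_BINARIES.search(cell):
                findings.append((r, c, "suspect-binary"))
            else:
                findings.append((r, c, "formula"))
    return findings

def neutralize_csv(text):
    """Prefix each formula-looking cell with an apostrophe so Excel renders it as literal text."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for row in csv.reader(io.StringIO(text)):
        writer.writerow(["'" + cell if looks_like_formula(cell) else cell for cell in row])
    return out.getvalue()
```

Running `inspect_csv(SAMPLE_CSV)` reports the DDE cell in row 2 and the plain formula in row 3 while leaving the negative amount alone; `neutralize_csv` produces a copy that `inspect_csv` no longer flags.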
Phishing Trap Victimizes More People
The case caught the attention of Vitali Kremez, CEO of AdvIntel, who said that more people have been falling for this scheme.
"Based on our visibility into the BazarBackdoor telemetry, we have observed 102 actual non-sandbox corporate and government victims over the past two days from this phishing campaign," Kremez said.
The malware was also involved in an incident in November 2021, when ZDNet reported that BazarBackdoor exploited a Windows 10 app feature.
To browse more articles about cybersecurity, check Tech Times' latest report about the FBI's warning to Beijing Winter Olympics athletes and audiences. You can also read our story about the MoonBounce malware uncovered by Kaspersky.
Read Also: FBI Allegedly Bought Pegasus Spyware From NSO Group
This article is owned by Tech Times
Written by Joseph Henry