Cybersecurity researchers discovered the new activity of the notorious BazarBackdoor malware. Instead of deploying phishing emails to attack its victims, it now deploys ransomware payloads via website contact forms.
Malicious Website Contact Forms
As security analysts from Abnormal Security pointed out in a report, the BazarBackdoor malware is known for its phishing campaign which it usually uses when deceiving the victims.
When the unaware user clicks a file or a document containing malware, this security threat will automatically be installed in a particular device.
However, as security solutions improve over the past years, the hackers should think of a new plan to invade the internal networks. Instead of sticking to the usual phishing attacks, it came up with a new tactic of using contact forms to spread the malware.
The report stated that the attackers used BazarBackdoor with another goal of using Cobalt Strike to attack the corporate individuals back in December. As an initiation for the action, the contact forms will serve as outlets of infection.
For instance, Abnormal's researchers said attackers faked their identities as employees in a construction firm in Canada. As part of the product supply quote, they will submit a request via email.
The threat actors will take this opportunity to spread infection during the process. What they will do next is to send back a malware-infested ISO file which is an important requirement for the undertaking.
Related Article: BazarBackdoor Trojan Involved in a New Phishing Campaign | CSV Text Files Used to Spread Malware
Threat Actors Use File-Sharing Apps
To evade security alerts from the systems if malware or suspicious link is present, the cybercriminals will have to utilize WeTransfer and other file-sharing apps.
Similarly, Abnormal cybersecurity firm took note of the incident that occurred in August. At that time, the experts discovered that the BazarBackdoor was being installed to the contact forms via fake DMCA
In April of the same year, the analysts also detailed out that the group behind these attacks made use of contact forms to deploy IceID banking trojan and other malware variants.
BazarBackDoor Can Evade AV Detection
Another thing that threat actors consider with regards to using this stealthy malware is its ability to evade AV detection. This can be done by the manual extraction of payloads after the download process.
According to Bleeping Computer's report, the BazarBackdoor DLL masquerades as a command instruction encapsulated in the.Ink file.
Upon loading the backdoor, the scchost.exe process will be initiated. The injection of the malware will start and the remote code execution will follow.
Per the analysis of Abnormal's researchers, they were not able to retrieve the payload on the second stage because of the offline C2 IPs. As of the moment, they still do not know the true intention of the hackers behind this malicious scheme.
In another article, TrickBot malware reportedly closed its operations following some findings which point out the group's inactivity. The researchers believed that its developers might be focusing now more on ransomware deployments.
Elsewhere, a surge in mobile malware cyberattacks was recently observed by the Proofpoint cybersecurity team.
Read Also: LinkedIn Job-Hunting? Beware of Phishing Scams as It Surges to 232% Since Feb. 1 | How to Avoid
This article is owned by Tech Times
Written by Joseph Henry