A new method of social engineering spreads this malware, and it is very easy to fall for it. Here’s what it does and how to avoid it.

Image: djedzura/iStock

Everyone in the IT industry should by now know that email is the most common vector used by cybercriminals to attempt to infect employees with malware. Yet when they are first approached through their website contact form, things may seem different and entirely legitimate, creating a false sense of security. Here’s how this new method of social engineering was used to spread the infamous BazarLoader malware, and how to protect yourself from it.

What is BazarLoader and what is its threat?

BazarLoader is stealth and advanced malware used as top level infector. Once a computer is infected with it, it downloads other malware and executes it. BazarLoader is designed to be very stealthy, resilient and has been used in the past for campaigns involving multiple types of malware like TrickBot, Ryuk ransomware and Conti ransomware to name a few. It is believed to have been developed by the Trickbot gang.

SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)

BazarLoader uses the EmerDNS system, which consists of a blockchain on which domain name registrations are completely decentralized and uncensored, which is something Emercoin clearly states (Figure A).

Figure A

Image: Emercoin.  Description of Emercoin from EmerDNS.
Image: Emercoin. Description of Emercoin from EmerDNS.

This makes the malware very resilient because no one except the person in possession of the private key to the domain blockchain can stop it.

Besides being technically highly advanced, BazarLoader’s controllers have used innovative ways to spread it and infect users over time. For example, they used emails with no links or attachments, claiming to be a company whose free trial service would expire soon and the recipient’s credit card would be charged within a day or two to pay for the service. ‘subscription. To reverse this payment, the user had to call a number operated by the fraudsters. They would then provide a link to infect the user. This technique is particularly suitable for circumventing any threat detection, since no link or file was sent by email. They also used compromised software installers from VLC and Teamviewer in order to infect their targets.

BazarLoader’s new distribution channel: the site’s contact forms

Abnormal recently discovered an innovative new way for BazarLoader controllers to spread their malware and infect users.

In this new infection scheme, cybercriminals first make initial contact through contact forms on organizations’ websites. The example provided by Abnormal, a cybersecurity company, exposes an attacker claiming to be a Canadian luxury construction company seeking a quote for a product provided by the target.

After the target responds via email, the attacker establishes their cover identity before using social engineering methods to trick the victim into downloading a malicious file, which will infect the computer with a variant of the malware BazaarLoader.

In the example reported by Abnormal, a first email response from the attacker mentions additional information that will arrive in a separate email (Figure B).

Figure B

Image: abnormal.  The attacker's email response.
Image: abnormal. The attacker’s email response.

In less than a minute, the attacker’s second email lands in the victim’s mailbox, coming from the online services TransferNow or WeTransfer (Figure C).

Figure C

Image: abnormal.  The TransferNow email containing the download link to the malicious file.
Image: abnormal. The TransferNow email containing the download link to the malicious file.

The downloaded file is not the usual .exe file or an infecting XLSX or DOCX file that one would expect.

The file is a two-component .ISO file. The first pretends to be a folder but is actually a .LNK shortcut, while the second is a DLL file pretending to be a .LOG file (Figure D).

Figure D

Image: abnormal.  Files contained in the .ISO file sent by the attackers.
Image: abnormal. Files contained in the .ISO file sent by the attackers.

Once the shortcut is clicked, it executes a command line instruction to launch the second file via regsvr32.exe. This second file is a BazarLoader DLL file.

The final stage, BazarLoader grabbing another malware and launching it, could not be found by Abormal. However, the sample attempted to connect to an IP address that has already been reported as spreading ransomware, a Trojan, or a bitcoin miner.

How to stay safe from this kind of attack

The attack exposed in this article relies on social engineering, as often. The attacker makes initial contact via a contact form, then waits for the target to contact him via email and trick him into opening a file from a legitimate online file delivery service. This way, targets could fall into a false sense of opening a secure file, leading to infection.

Each file from an unknown source should be handled with care and not executed immediately. Several steps are helpful in determining whether the file is safe or not:

  • Have the file scanned by a security product that does more than signature-based malware detection.
  • If possible, have the file analyzed in a sandbox, in order to have a behavioral analysis in addition to the static analysis. This analysis should be performed by the IT department or by analysts with in-depth knowledge of malware.
  • If in doubt, open the file in a virtual machine with a snapshot system, so that once the file is run and the scan is complete, the virtual machine can be rolled back to its pre-boot state.

Disclosure: I work for Trend Micro, but the opinions expressed in this article are my own.


Opportunities and Growth in Software Testing Industry by Wipro, Deloitte, Capgemini, Tech Mahindra, IBM, Gallop Solutions - The Bollywood Ticket


9th Circuit Bankruptcy Appeals Board Addresses Refinement of Building Liens in Bankruptcy Proceedings

Check Also