The operators distributing BazaLoader came up with a new way to trick website owners into clicking on a malicious link. In a series of attacks, they sent fake notifications about the site being used to launch distributed denial-of-service (DDoS) attacks.
The messages threatened with legal action and contained a link to a Google Drive folder with a document supposedly showing evidence of the attacks.
The DDoS theme is a variation of an earlier lure, a Digital Millennium Copyright Act (DMCA) infringement complaint, which was used to trick recipients into downloading a file that supposedly contained evidence of copyright infringement.
Brian Johnson, a website developer and designer, shared last week a message his clients received claiming that their websites had been hacked to run DDoS attacks. The message demanded that the recipients immediately clean their websites of the harmful files that were supposedly used to deploy the attacks.
“I have shared the log file with the recorded evidence that the attack is coming from [example.com] and also detailed guidelines on how to safely deal with, find and clean up all malicious files manually in order to eradicate the threat to our network,” reads the fake notification.
The email claims that the website’s owner could be responsible for up to $120,000 in damages.
The threat actor used Firebase links to push BazaLoader, a type of malware that is usually distributed via contact forms and drops Cobalt Strike. The scammer’s goal is to collect data or launch a ransomware attack.
In April, Microsoft warned about the same method being used by cybercriminals to deliver IcedID; only the lure and the payload differed.
It was Matthew Mesa, a security researcher at Proofpoint, who discovered that the campaign is sending out phishing emails that drop the BazaLoader malware.
These types of fake alerts are very convincing and can increase the chances of getting a “safe” mark from email security tools.
It is important to be vigilant and look for signs of malicious intent, such as incomplete contact information, poor grammar, suspicious links, etc.
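The two traits this campaign combines, a legal-threat vocabulary (DDoS, DMCA, damages, "evidence") and a link to a legitimate file-sharing service (Google Drive, Firebase), can be turned into a simple mail-triage heuristic. The script below is an added example written for this page, not code from the article or from any vendor; the host list, phrase list, score thresholds and the two sample emails (including the `CONSTRUCTED_ID` folder identifier) are constructed for illustration and would need tuning against real traffic.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Hosts the article names as the delivery vehicle for the fake "evidence" file
# (Google Drive folders, Firebase links). Hypothetical triage list, not a feed.
FILE_SHARE_HOSTS = {
    "drive.google.com",
    "docs.google.com",
    "firebasestorage.googleapis.com",
}
# Firebase project hosting is matched on the domain suffix.
FILE_SHARE_SUFFIXES = (".web.app", ".firebaseapp.com")

# Phrases typical of the legal-threat lure described in the article.
LURE_PHRASES = (
    "ddos", "denial-of-service", "dmca", "copyright infringement",
    "legal action", "damages", "log file", "evidence", "clean up",
)

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


@dataclass
class TriageResult:
    score: int
    file_share_links: list = field(default_factory=list)
    lure_hits: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Threshold chosen so a lone file-share link (common in normal mail)
        # never trips the rule by itself.
        return self.score >= 3


def is_file_share_host(url: str) -> bool:
    """True when the URL points at one of the file-sharing hosts above."""
    host = (urlparse(url).hostname or "").lower()
    return host in FILE_SHARE_HOSTS or host.endswith(FILE_SHARE_SUFFIXES)


def triage_email(body: str) -> TriageResult:
    """Score a plain-text email body for the DDoS/DMCA legal-threat lure."""
    text = body.lower()
    links = [u for u in URL_RE.findall(body) if is_file_share_host(u)]
    hits = [p for p in LURE_PHRASES if p in text]
    # Scoring: a file-share link alone is weak (1); a cluster of two or more
    # legal-threat phrases is the lure signal (2); both together is the
    # pattern the article describes and earns a bonus point (1).
    score = 0
    if links:
        score += 1
    if len(hits) >= 2:
        score += 2
    if links and len(hits) >= 2:
        score += 1
    return TriageResult(score, links, hits)


# Constructed sample messages (not real campaign emails).
SAMPLE_LURE = """Subject: Notice of DDoS attack originating from your website

Your server example.com has been used to launch DDoS attacks against our network.
I have shared the log file with the recorded evidence and cleanup guidelines here:
https://drive.google.com/drive/folders/CONSTRUCTED_ID
Failure to act within 24 hours will result in legal action and a claim for damages.
"""

SAMPLE_BENIGN = """Subject: Q3 slides

Hi, the deck for tomorrow is on Drive: https://drive.google.com/file/d/CONSTRUCTED_ID/view
"""


if __name__ == "__main__":
    for name, body in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        r = triage_email(body)
        print(f"{name}: score={r.score} suspicious={r.suspicious} "
              f"links={r.file_share_links} phrases={r.lure_hits}")
```

The benign message carries a Drive link but none of the threat vocabulary and scores 1, while the constructed lure scores 4 and is flagged; in practice this kind of rule belongs in a mail-gateway or SIEM pipeline as one signal among several rather than as a blocking control on its own.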