The BazarLoader malware operators are using unique social-engineering techniques that abuse Slack and BaseCamp to target enterprise victims. Attackers send links to malware payloads in email messages, Sophos researchers said.
BazarLoader is a downloader, written in C++, first observed in the wild last April. Recently, it has been used to deliver ransomware, particularly Ryuk.
Sophos issued an advisory on Thursday saying that BazarLoader operators are targeting employees at large enterprises, and could potentially use the downloader to stage a subsequent ransomware attack.
According to Sophos researchers, in the first campaign spotted, attackers send emails that purport to offer important information related to contracts, customer service, invoices, or payments.
“One spam sample even attempted to disguise itself as a notification that the employee had been laid off from their job,” Sophos researchers wrote.
The emails contain links hosted on Slack or BaseCamp cloud storage.
“The attackers prominently displayed the URL pointing to one of these well-known legitimate websites in the body of the document, lending it a veneer of credibility,” researchers said.
To hide that the link points to a file with an .EXE extension, the URLs were further obfuscated with the help of a URL shortening service.
Upon clicking on the link, the victim’s machine downloads and executes BazarLoader. The executable has an Adobe PDF icon. These executable files inject a DLL payload into a system process, such as the Windows command shell.
“The malware, only running in memory, cannot be detected by an endpoint protection tool’s scans of the filesystem, as it never gets written to the filesystem,” explained researchers. “The files themselves don’t even use a legitimate .DLL file suffix because Windows doesn’t seem to care that they have one; the OS runs the files regardless.”
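The suffix point above suggests a simple defensive check: a PE image (the MZ/PE header) whose file name lacks an executable extension, whether a PDF-iconed .exe posing as a document or a DLL with no suffix, is a content-versus-extension mismatch worth flagging. The following is an added example, not Sophos code or BazarLoader analysis; the file names and header stubs are constructed for illustration.

```python
"""Flag files whose bytes are a Windows PE image but whose name lacks an
executable extension, the mismatch the article describes (added example)."""
import os
import struct

EXEC_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl"}
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002  # COFF Characteristics flags
IMAGE_FILE_DLL = 0x2000

def parse_pe(data: bytes):
    """Return 'dll' or 'exe' if data carries a PE header, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of "PE\0\0"
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header follows the 4-byte signature; Characteristics sits at +18
    (characteristics,) = struct.unpack_from("<H", data, e_lfanew + 4 + 18)
    return "dll" if characteristics & IMAGE_FILE_DLL else "exe"

def extension_mismatch(name: str, data: bytes):
    """Return a finding string when a PE image hides behind a non-exec name."""
    kind = parse_pe(data)
    if kind is None:
        return None  # not a PE image, nothing to say
    ext = os.path.splitext(name)[1].lower()
    if ext in EXEC_EXTENSIONS:
        return None
    return f"{name}: PE {kind} image with non-executable extension {ext or '(none)'}"

def build_pe(is_dll: bool) -> bytes:
    """Construct a minimal PE header stub (not a runnable program) for testing."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew: PE sig right after MZ
    coff = bytearray(20)
    flags = IMAGE_FILE_DLL if is_dll else IMAGE_FILE_EXECUTABLE_IMAGE
    struct.pack_into("<H", coff, 18, flags)
    return bytes(header) + b"PE\0\0" + bytes(coff)

# Constructed samples: a document-named executable, a suffix-less DLL,
# a normally named DLL and a plain text file.
SAMPLES = {
    "Invoice_2021.pdf": build_pe(False),
    "Preview-report": build_pe(True),
    "kernel32.dll": build_pe(True),
    "notes.txt": b"plain text",
}

def scan(samples):
    return [hit for name, data in samples.items() if (hit := extension_mismatch(name, data))]

if __name__ == "__main__":
    for finding in scan(SAMPLES):
        print(finding)
```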
Sophos suspects that BazarLoader is operated or authored by the TrickBot operators, since both malware families share some command-and-control infrastructure.
“From what we could tell, the [BazarLoader] malware binaries running in the lab network bear no resemblance to TrickBot,” according to the posting. “But they did communicate with an IP address that has been used in common, historically, by both malware families. Of course, a lot of people have studied this connection in the past.”