BazarLoader Targets Enterprises With Slack, BaseCamp Hosted Files

The BazarLoader malware operators are using unique social-engineering techniques to target enterprise victims on Slack and BaseCamp. Attackers send links to malware payloads in email messages, Sophos researchers said.

BazarLoader is a downloader, written in C++, first observed in the wild last April. Recently, it has been used to deliver ransomware, particularly Ryuk.

Sophos issued an advisory on Thursday saying that BazarLoader operators are targeting employees at large enterprises and could potentially use the downloader to stage a subsequent ransomware attack.

According to Sophos researchers, in the first campaign spotted, attackers send emails that purport to offer important information related to contracts, customer service, invoices, or payments.

“One spam sample even attempted to disguise itself as a notification that the employee had been laid off from their job,” Sophos researchers wrote.

The emails contain links hosted on Slack or BaseCamp cloud storage.

“The attackers prominently displayed the URL pointing to one of these well-known legitimate websites in the body of the document, lending it a veneer of credibility,” researchers said.

To hide that the link points to a file with an .EXE extension, the URLs were further obfuscated with the help of a URL shortening service.
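The shortener trick described above works because the recipient only sees the shortened link, never the file name at the end of the redirect chain. A mail gateway or link-rewriting proxy can undo that by expanding the chain before the user clicks and inspecting where it actually lands. The following is an added defender-side example, not code from Sophos or from the article; the redirect table, the `short.example` and `files.slack.example` hostnames and the `constructed_fetch_location` function are all constructed placeholders so the script runs offline, and in a real deployment that function would be replaced by an HTTP request that does not auto-follow redirects and returns the `Location` header.

```python
"""Expand a shortened URL hop by hop and flag links whose final destination is an
executable download. Added example for illustration; redirect data is constructed."""
import posixpath
from urllib.parse import urlparse

# File extensions that should never arrive behind a "contract" or "invoice" link.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".msi", ".bat", ".cmd", ".dll", ".js", ".vbs", ".hta",
}

# Constructed stand-in for live shortener/hosting responses (placeholder hostnames).
CONSTRUCTED_REDIRECTS = {
    "https://short.example/abc123": "https://files.slack.example/files-pri/T0/F0/download/invoice.pdf.exe",
    "https://short.example/safe": "https://docs.example.org/contract.pdf",
    "https://short.example/loop1": "https://short.example/loop2",
    "https://short.example/loop2": "https://short.example/loop1",
}


def constructed_fetch_location(url):
    """Return the Location header a redirecting hop would send, or None if not a redirect."""
    return CONSTRUCTED_REDIRECTS.get(url)


def expand_url(url, fetch_location=constructed_fetch_location, max_hops=10):
    """Follow redirects from `url`, returning (visited_urls, final_url).

    Stops early on a redirect loop or when max_hops is exceeded so a hostile
    shortener cannot keep the expander busy indefinitely."""
    visited = [url]
    current = url
    for _ in range(max_hops):
        nxt = fetch_location(current)
        if nxt is None:
            return visited, current
        visited.append(nxt)
        if nxt in visited[:-1]:
            return visited, nxt  # loop detected; stop here
        current = nxt
    return visited, current


def final_extension(url):
    """Extension of the path component only, so query strings cannot hide it."""
    return posixpath.splitext(urlparse(url).path)[1].lower()


def assess_link(url, fetch_location=constructed_fetch_location, max_hops=10):
    """Classify a link as 'block', 'review' or 'allow' based on its expanded destination."""
    visited, final = expand_url(url, fetch_location, max_hops)
    hops = len(visited) - 1
    ext = final_extension(final)
    looped = len(set(visited)) < len(visited)
    reasons = []
    if hops > 0:
        reasons.append("redirected %d hop(s)" % hops)
    if looped:
        reasons.append("redirect loop")
    elif hops >= max_hops and fetch_location(final) is not None:
        reasons.append("too many redirects")
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append("executable download (%s)" % ext)
        verdict = "block"
    elif looped or "too many redirects" in reasons:
        verdict = "review"
    else:
        verdict = "allow"
    return {"input": url, "final": final, "hops": hops, "extension": ext,
            "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    for link in CONSTRUCTED_REDIRECTS:
        print(assess_link(link))
```

Two details matter in practice: the extension is taken from the URL path, not the whole string, so a query string cannot mask it, and `posixpath.splitext` returns the last suffix, so a double extension such as `invoice.pdf.exe` is still classified as `.exe`. Redirect loops and long chains are returned for human review rather than silently allowed, since a shortener that refuses to resolve is itself a signal.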

Upon clicking on the link, the victim’s machine downloads and executes BazarLoader. The executable has an Adobe PDF icon. These executable files inject a DLL payload into a system process, such as the Windows command shell.

“The malware, only running in memory, cannot be detected by an endpoint protection tool’s scans of the filesystem, as it never gets written to the filesystem,” explained researchers. “The files themselves don’t even use a legitimate .DLL file suffix because Windows doesn’t seem to care that they have one; the OS runs the files regardless.”

Sophos suspects that BazarLoader is operated or authored by the TrickBot operators, since both malware families share some command-and-control infrastructure.

“From what we could tell, the [BazarLoader] malware binaries running in the lab network bear no resemblance to TrickBot,” according to the posting. “But they did communicate with an IP address that has been used in common, historically, by both malware families. Of course, a lot of people have studied this connection in the past.”

About the author

CIM Team
