Compromised Installers And ISO Now Included in BazarLoader's Arrival and Delivery Vectors

Compromised Installers And ISO Now Included in BazarLoader’s Arrival and Delivery Vectors

While InfoSec forums have reported an increase in BazarLoader detections in the third quarter, two new arrival methods have been added to the list of delivery mechanisms that bad actors have employed for data theft and ransomware.

Malicious actors’ pack BazarLoader with genuine products. Hence, one of the attacking approaches is using corrupted software installations. The second approach includes loading a Windows link (LNK) and dynamic link library (DLL) payload into an ISO file. It has been discovered that the Americas have the largest number of attacks employing BazarLoader.

The corrupted versions of VLC and TeamViewer software included with BazarLoader were reportedly discovered by researchers. While the original delivery mechanism has yet to be found, it’s conceivable that the usage of these packages is part of a larger social engineering scheme to trick people into downloading and installing infected installers.

When the installers load, a BazarLoader executable is dropped and executed. It is also one of the major distinctions from recent BazarLoader arrival techniques, which seemed to support dynamic link libraries (DLL).

Meanwhile, a distribution strategy based on ISO files has been discovered, in which DLL and LNK files included therein run the BazarLoader DLL. The LNK file employs a folder icon to trick the user into double-clicking it, allowing the file to launch the included BazarLoader DLL program. The export function used recently by BazarLoader – “EnterDLL”- is then called. Rundll32.exe launches the malicious DLL and connects with the C&C server before injecting itself into a suspended MS Edge process.

As threat actors change their attack techniques to avoid detection, the number of arrival mechanism modifications employed in BazarLoader campaigns continues to rise. However, due to the limits of single detection methods, both strategies are significant and still function despite their lack of novelty.

Furthermore, as service affiliates, the use of BazarLoader malware for first access is a well-known approach for current ransomware like Conti and Ryuk. In addition to these notable ransomware families adding more tools to their arsenal, other malware gangs and ransomware operators may also take up new ways.

About the author

CIM Team

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.

Share: