The sophisticated BazarBackdoor malware is now being delivered through website contact forms rather than traditional phishing emails, in order to avoid detection by security software. BazarBackdoor is a stealthy backdoor trojan built by the TrickBot gang and presently developed by the Conti ransomware group. It grants threat actors remote access to an internal device, which can then be used as a launching pad for lateral movement across the network.
The BazarBackdoor malware is often distributed using phishing emails that contain malicious documents that download and install the malware. However, since secure email gateways have improved their detection of malware droppers, malware distributors are turning to other distribution methods.
According to a recent report by Abnormal Security, a new distribution campaign targeting business victims using BazarBackdoor began in December 2021, with the likely intention of releasing Cobalt Strike or ransomware payloads. Threat actors employ company contact forms to establish dialogue rather than sending phishing emails to their targets.
In one of the incidents reviewed by Abnormal’s analysts, for example, the threat actors posed as employees of a Canadian construction business requesting a quote for a product supply. Once the targeted employee responds to the phishing email, the attackers reply with a malicious ISO file ostensibly related to the negotiation.
Threat actors use file-sharing platforms such as TransferNow and WeTransfer because sending these files directly is difficult or would raise security alarms. A similar incident of contact form abuse occurred in August, when fraudulent DMCA infringement complaints were used to install BazarBackdoor through contact forms. A phishing campaign that used contact forms to deliver the IcedID banking malware and Cobalt Strike beacons was also discovered in April 2021.
The attached ISO archive contains a .lnk file and a .log file. The objective is to avoid AV detection by encrypting the payloads and having the user manually extract them after downloading. The .lnk file contains a command that loads the .log file, which is actually a BazarBackdoor DLL, and opens a terminal session using existing Windows binaries.
The backdoor is injected into the svchost.exe process and communicates with the command and control (C2) server to receive commands to execute. The researchers could not collect the second-stage payload because many of the C2 IPs were unavailable during Abnormal’s investigation, so the campaign’s final purpose remains unclear.
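As an added defender-side example (not code from the article or from Abnormal’s report), the following Python scans constructed Sysmon-style process-creation events for the execution chain described above: a Windows binary that loads DLLs being handed a file with a .log extension as its module. The article does not name the binary involved, so rundll32.exe, regsvr32.exe and odbcconf.exe are assumed here, and an explorer.exe parent (what a double-clicked .lnk produces) raises the severity.

```python
import re
from typing import Dict, List

# Constructed sample events for demonstration; none are taken from the article.
# Fields mirror common process-creation telemetry (parent, image, command line).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "D:\quote.log",DllRegisterServer'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "E:\Negotiation\invoice.log"'},
    # Benign: a text editor opening a real log file is not a DLL load.
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Notepad++\notepad++.exe",
     "cmdline": r'"C:\Program Files\Notepad++\notepad++.exe" C:\logs\app.log'},
    # Benign: normal service host start, no .log argument.
    {"parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"svchost.exe -k netsvcs"},
]

# Assumed set of built-in Windows binaries that load a DLL given on the command line.
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe", "odbcconf.exe"}

# A drive-rooted path ending in .log, stopping at quotes or the comma that
# separates module from export in rundll32 syntax.
DISGUISED_DLL = re.compile(r'([A-Za-z]:\\[^"\',]*\.log)\b', re.IGNORECASE)


def basename(path: str) -> str:
    """Return the lowercase file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_lolbin_log_load(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag DLL-loading Windows binaries whose module argument is a .log file."""
    findings = []
    for ev in events:
        loader = basename(ev["image"])
        if loader not in DLL_LOADERS:
            continue
        match = DISGUISED_DLL.search(ev["cmdline"])
        if not match:
            continue
        # A user-launched .lnk shows up with explorer.exe as the parent.
        severity = "high" if basename(ev["parent"]) == "explorer.exe" else "medium"
        findings.append({"loader": loader, "module": match.group(1), "severity": severity})
    return findings


if __name__ == "__main__":
    for hit in detect_lolbin_log_load(SAMPLE_EVENTS):
        print(hit)
```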