Researchers at Cofense have detected a phishing campaign in which attackers use nested compressed archives to slip a malicious script past email security tools; once run, the script fetches an executable disguised as an image file.
The multi-compression method, also known as the nested archive method, is a commonly used technique for getting email security tools to mark infected attachments as clean. The technique is not new, but it has recently gained popularity. It works by storing one archive inside another; Cofense says this can defeat secure email gateways (SEGs) that only decompress a file to a limited depth before scanning it.
The campaign, which delivered BazarBackdoor, began earlier this month and targeted enterprise recipients with environmentally themed lures.
BazarBackdoor is a backdoor attributed to the TrickBot gang. Once installed, it deploys a toolkit for compromising the network and gives the threat actors remote access.
The malware was delivered by a malicious JavaScript file hidden inside nested ZIP and RAR archives. When executed, the script downloaded a payload that carried an image file extension.
Cofense says attackers used various nested archive types because “it has the chance of hitting the SEG’s decompression limit or fails because of an unknown archive type.”
Obfuscated files can also slip past security detections when an archive contains multiple layers of compression or encryption.
“Once executed, the obfuscated JavaScript would download a [BazarBackdoor] payload with a .png extension via an HTTP GET connection,” Cofense said, explaining that the payload is an executable given the wrong extension to disguise it.
Once deployed, BazarBackdoor can download Cobalt Strike, a commercial adversary-simulation tool popular with pentesters and widely abused by attackers, which the threat actors used to execute arbitrary code and move laterally within the environment.
After gaining access to high-profile victims’ systems, threat actors could launch ransomware attacks, sell access to other criminals and steal sensitive information.