Researchers at Cofense detected a new phishing campaign in which attackers use a multi-compression technique to trick users into downloading fake image files.
The multi-compression method, aka nested archive method, is a commonly used technique to trick email security tools into marking infected attachments as clean and legitimate. The technique is not new, but it recently gained popularity. This method works by storing an archive within another, and thus, Cofense says, it can fool some secure email gateways (SEGs) that are limited in how deep they check a compressed file.
The campaign, which involved deploying BazarBackdoor, started earlier this month and targeted enterprise recipients with an environmental theme.
BazarBackdoor is the TrickBot gang's Trojan; once installed, it deploys a network-compromising toolkit and gives the threat actors remote access.
Cofense says attackers used various nested archive types because “it has the chance of hitting the SEG’s decompression limit or fails because of an unknown archive type.”
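The two failure modes described above (a gateway that stops unpacking at a fixed depth, and one that gives up on an archive type it cannot open) can be checked for on the defender's side by walking an attachment's nesting recursively. The inspector below is an added example, not Cofense's or any gateway vendor's code; the inspection depth of 2, the list of "unopenable" extensions and the zip-inside-tar.gz-inside-zip sample are all constructed for the illustration.

```python
import io
import tarfile
import zipfile

MAX_INSPECT_DEPTH = 2  # hypothetical depth at which a gateway stops unpacking (assumption, not from the article)
UNKNOWN_ARCHIVE_SUFFIXES = (".7z", ".rar", ".iso", ".ace")  # formats this inspector cannot open

def members_of(data: bytes):
    """Return [(name, bytes)] for a zip or tar(.gz) blob, or None if it is not one we can open."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [(i.filename, zf.read(i)) for i in zf.infolist() if not i.is_dir()]
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
            return [(m.name, tf.extractfile(m).read()) for m in tf.getmembers() if m.isfile()]
    except tarfile.TarError:
        return None

def inspect(name: str, data: bytes, depth: int = 0, report=None) -> dict:
    """Recursively unpack nested archives, recording nesting depth, leaf files and anomalies."""
    if report is None:
        report = {"max_depth": 0, "leaf_files": [], "unknown_archives": [], "exceeds_limit": False}
    report["max_depth"] = max(report["max_depth"], depth)
    members = members_of(data)
    if members is None:  # not zip/tar: an opaque archive format we should flag, or a real payload
        key = "unknown_archives" if name.lower().endswith(UNKNOWN_ARCHIVE_SUFFIXES) else "leaf_files"
        report[key].append((name, depth))
        return report
    if depth + 1 > MAX_INSPECT_DEPTH:  # children sit deeper than the gateway would look
        report["exceeds_limit"] = True
    for child_name, child_data in members:  # real tooling must also cap total unpacked bytes
        inspect(child_name, child_data, depth + 1, report)
    return report

def build_sample() -> bytes:
    """Construct a zip > tar.gz > zip lure with a double-extension 'image' at the bottom (constructed)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("photo.jpg.exe", b"MZ constructed fake payload")
    mid = io.BytesIO()
    with tarfile.open(fileobj=mid, mode="w:gz") as tf:
        info = tarfile.TarInfo("inner.zip")
        info.size = len(inner.getvalue())
        tf.addfile(info, io.BytesIO(inner.getvalue()))
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("report.tar.gz", mid.getvalue())
    return outer.getvalue()
```

Running `inspect("lure.zip", build_sample())` reports a leaf at depth 3 and sets `exceeds_limit`, which is exactly the attachment a depth-limited gateway would pass as clean; a member with an extension the inspector cannot open lands in `unknown_archives` rather than being silently treated as a harmless file.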
Obfuscated files can also evade security detection when the archives contain multiple layers of encryption.
Once deployed, BazarBackdoor can download Cobalt Strike, a network testing tool popular among hackers and pentesters alike, which the attackers use to execute arbitrary code and to move laterally through the environment.
After gaining access to high-profile victims’ systems, threat actors could launch ransomware attacks, sell access to other criminals and steal sensitive information.