BazarBackdoor malware is now distributed not through phishing emails, but through feedback forms on websites, which allows it to more effectively bypass detection by antivirus solutions.
BazarBackdoor is a hidden backdoor created by the TrickBot cybercrime group and currently used in Conti’s cyber ransomware operations. The malware provides attackers with remote access to the internal device, which can be used as a launching pad for further movement through the victim’s network.
As a rule, BazarBackdoor was distributed through phishing emails with a malicious attachment that downloaded and installed malware on the attacked system. However, filters in email services are becoming more and more effective in detecting malicious uploaders, so cybercriminals have found a new way to spread.
As experts from Abnormal Security explained, the new BazarBackdoor distribution campaign began in December 2021 and is aimed at corporate users. Probably, the purpose of the infection is the deployment of Cobalt Strike or ransomware in their networks.
Instead of sending phishing emails, attackers now use a feedback form on corporate websites. In one of the cases studied by the researchers, hackers posed as employees of a Canadian construction company who applied for the purchase of materials.
When the employee responded to the phishing email, the attackers sent a malicious ISO file in response, allegedly related to the order.
Since sending the file directly would trigger an antivirus solution, hackers used a file-sharing service.
The ISO archive contained .lnk and .log files. The idea was to bypass antivirus solutions by packing the payload into an archive so that the user would unzip it manually.
The .lnk file contains an instruction that opens a terminal window using Windows binary codes and loads a .log file, which is actually a BazarBackdoor DLL. After downloading, the backdoor is embedded in the process svchost.exe and connects to the C&C server to receive further commands.