Company website contact forms used to spread BazarBackdoor malware

The BazarBackdoor stealth malware now spreads via website contact forms rather than typical phishing emails to evade detection by security software.

BazarBackdoor is a stealth backdoor malware created by the TrickBot group and currently developed by the Conti ransomware operation. It gives threat actors remote access to an internal device, which can then be used as a launching pad for further lateral movement within the network.

BazarBackdoor malware is usually spread through phishing emails that contain malicious documents that download and install the malware.

However, as secure email gateways have become more effective at detecting these malware droppers, distributors are turning to new ways to deliver malware.

Contact forms replacing emails

In a new report from Abnormal Security, analysts explain that a distribution campaign launched in December 2021 targets companies with BazarBackdoor, with the likely aim of deploying Cobalt Strike or ransomware payloads.

Instead of sending phishing emails to targets, threat actors first use corporate contact forms to initiate communication.

For example, in one of the cases seen by Abnormal analysts, the threat actors posed as employees of a Canadian construction company and submitted a request for a quote for a product supply.

Once an employee replies to the request, the attackers send back a malicious ISO file presented as relevant to the negotiation.

Since sending these files directly is either impossible or would trigger security alerts, the threat actors use file sharing services such as TransferNow and WeTransfer, as seen in the screenshot below.

Phishing message pointing to malicious file download (Abnormal Security)

We reported a similar case of contact form abuse in August, where bogus DMCA infringement notices sent via contact forms installed BazarBackdoor.

In April 2021, we also reported a phishing campaign using contact forms to distribute the IcedID banking Trojan and Cobalt Strike beacons.

Hiding BazarLoader

The ISO image delivered this way contains a .lnk file and a .log file. The idea is to evade antivirus detection by packing the payloads inside the image, which the user must open and extract manually after downloading.

The .lnk file contains a command that opens a terminal window using legitimate Windows binaries already present on the system and loads the .log file, which is actually the BazarBackdoor DLL.

BazarLoader executable appearing as a .log file (Abnormal Security)
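The two-file pattern described above (a .lnk whose command line hands off to a sibling file that is really a PE image) is easy to triage once the ISO is mounted or extracted. The following script is an added example, not code from the article or from Abnormal Security: it parses the .lnk StringData fields with a minimal MS-SHLLINK reader, flags "text" files whose first bytes carry an executable signature, and reports any .lnk whose command line names another file in the same directory. The fixture it builds (file names `Documents.lnk` and `Report.log`, the `cmd.exe` / `rundll32.exe` command line, the fake MZ header) is constructed for the demo and is not the campaign's real content, which the page does not reproduce.

```python
"""Triage helper for the ISO-delivered .lnk + disguised-DLL pattern (added example)."""
import os
import struct
import tempfile

# Shell Link (.lnk) header layout, from MS-SHLLINK.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000C000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))

# File signatures that should never sit behind a text-file extension.
MAGIC = {b"MZ": "PE executable (EXE/DLL)", b"\x7fELF": "ELF executable", b"PK\x03\x04": "ZIP container"}
TEXT_EXTENSIONS = {".log", ".txt", ".csv", ".ini", ".md"}


def parse_lnk(data):
    """Return the StringData fields of a Shell Link, skipping the optional
    LinkTargetIDList and LinkInfo blocks that precede them."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]        # LinkFlags follows HeaderSize + CLSID
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:                  # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                            # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    wide = bool(flags & IS_UNICODE)
    fields = {}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        nbytes = count * 2 if wide else count
        raw = data[pos:pos + nbytes]
        fields[name] = raw.decode("utf-16-le") if wide else raw.decode("cp1252")
        pos += nbytes
    return fields


def build_lnk(relative_path, arguments):
    """Constructed fixture: a minimal Unicode Shell Link carrying only
    RELATIVE_PATH and COMMAND_LINE_ARGUMENTS (no IDList or LinkInfo)."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_ARGUMENTS
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))  # attributes, timestamps, etc.
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments))
    return header + body


def sniff(head):
    """Map leading bytes to a known executable/container signature, else None."""
    for magic, desc in MAGIC.items():
        if head.startswith(magic):
            return desc
    return None


def triage_directory(root):
    """Inspect the files of a mounted or extracted ISO and return findings:
    text-looking files with executable magic, and .lnk files whose command
    line names a sibling file (the .lnk -> .log hand-off from the article)."""
    names = sorted(n for n in os.listdir(root) if os.path.isfile(os.path.join(root, n)))
    findings = []
    for name in names:
        with open(os.path.join(root, name), "rb") as fh:
            data = fh.read()
        ext = os.path.splitext(name)[1].lower()
        kind = sniff(data[:4])
        if ext in TEXT_EXTENSIONS and kind:
            findings.append({"file": name, "issue": "extension/content mismatch", "detail": kind})
        if ext == ".lnk":
            try:
                fields = parse_lnk(data)
            except ValueError as exc:
                findings.append({"file": name, "issue": "unparsable lnk", "detail": str(exc)})
                continue
            cmd = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
            for sibling in names:
                if sibling != name and sibling.lower() in cmd:
                    findings.append({"file": name, "issue": "lnk references sibling file",
                                     "detail": sibling + " via: " + cmd.strip()})
    return findings


def build_sample_contents(root):
    """Constructed stand-in for the ISO contents: a .lnk plus a '.log' that is
    really a PE image (only the MZ header is emulated). File names and the
    rundll32 command line are assumptions of this example, not the campaign's."""
    with open(os.path.join(root, "Report.log"), "wb") as fh:
        fh.write(b"MZ" + b"\x90" * 62 + b"\x00" * 64)
    with open(os.path.join(root, "Documents.lnk"), "wb") as fh:
        fh.write(build_lnk(r"..\..\..\Windows\System32\cmd.exe", r"/c rundll32.exe Report.log,Start"))


def run_demo():
    """Build the fixture in a temp directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_contents(tmp)
        return triage_directory(tmp)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['file']}: {f['issue']} ({f['detail']})")
```

Point `triage_directory` at the mount point of a suspicious ISO (or the folder it was extracted to); both findings here, a .log carrying an MZ header and a .lnk whose arguments name that .log, are exactly the pairing the article describes, and either one alone is enough reason to detonate the sample in a sandbox rather than on a user's workstation.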

Once loaded, the backdoor is injected into the svchost.exe process and contacts the command and control (C2) server to receive commands to execute.

Because many of the C2 IP addresses were offline at the time of Abnormal's analysis, the researchers were unable to retrieve the second-stage payload, so the campaign's ultimate goal remains unknown.
