Is BazarLoader malware linked to Trickbot operators?

Pierluigi Paganini April 18, 2021

Experts warn of malware campaigns delivering the BazarLoader malware abusing popular collaboration tools like Slack and BaseCamp.

Since January, researchers observed malware campaigns delivering the BazarLoader malware abusing popular collaboration tools like Slack and BaseCamp. The campaigns aimed at employees of large organizations, the messages attempt to trick the victims that they contain important information relating to payroll, contracts, invoices, or customer service inquiries. 

At least in one campaign, threat actors also contacted the victims via phone as part of the attack chain

The BazarLoader malware is a downloader written in C++ that has been active at least since 2020, it was also used by Ryuk operators to gain a foothold in the target networks and then deploy the Ryuk ransomware.

“When a target was convinced to open the documents tied to the spam email, their computer quickly became infected with BazarLoader, which itself acts primarily as a delivery mechanism for other malware.” reads the analysis published by Sophos. “With a focus on targets in large enterprises, BazarLoader could potentially be used to mount a subsequent ransomware attack.”

BazarLoader message

Sophos researchers observed a spam sample that attempted to disguise itself as a notification that the employee had been laid off from their job.

The phishing messages include links pointing to Slack or BaseCamp cloud storage, for this reason, they don’t raise suspicion when are received by employees working at an organization that uses the above services.

The URL could be also obfuscated by using a URL shortening service to hide the fact that it points to a file with an .exe extension.

Upon clicking on the link, the BazarLoader malware will be download and executed on the victim’s machine.

Most of the links used in the campaign point directly to a digitally signed executable with an Adobe PDF graphic as its icon. Some of the files’ names observed by the experts are presentation-document.exe, preview-document-[number].exe or annualreport.exe.

Once executed the executable, it will inject a DLL payload into a legitimate process, such as the Windows command shell, cmd.exe.

“The malware, only running in memory, cannot be detected by an endpoint protection tool’s scans of the filesystem, as it never gets written to the filesystem. The files themselves don’t even use a legitimate .dll file suffix because Windows doesn’t seem to care that they have one; The OS runs the files regardless.” continues the analysis.

The second campaign, tracked as BazarCall campaign, began in February employs messages claiming that a free trial for an online service the recipient purportedly is currently using will expire in the following days and instruct the recipient into calling an embedded telephone number to opt-out of an expensive paid renewal.

Any way the messages don’t raise suspicion because they don’t include personal information, and don’t contain link and attachment files.

The website has a professional look and instructs the visitors into clicking a button to unsubscribe, then an Office document is provided that once opened starts the infection process.

“In this later form of attack, only people who called the telephone number were given a URL, and instructed to visit the website where they could unsubscribe from these notifications. The well-designed and professional looking websites bury an “unsubscribe” button in a page of frequently asked questions. Clicking that button delivers a malicious Office document (either a Word doc or an Excel spreadsheet) that, when opened, infects the computer with the same BazarLoader malware.” continues the analysis.

Researchers speculate both campaigns are associated with the same threat actors which are believed to be developed by the TrickBot operators.

The two samples of BazarLoader malware employed in the campaign use the same TrickBot infrastructure for command and control.

BazarLoader is not sophisticated, experts believe it is in an early stage of development.

“While early versions of the malware were not obfuscated, more recent samples appear to encrypt the strings that might reveal the malware’s intended use. BazarLoader appears to be in an early stage of development and isn’t as sophisticated as more mature families like Trickbot, but does seem to share some intriguing details in common.” concludes the report.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, BazarLoader malware)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment