While reports were coming in of hackers using company forms to trick employees into downloading a variant of the BazarLoader malware, Sectrio's research team has come across another method that hackers are using to push this malware.
What is BazarLoader?
It is a very stealthy and sophisticated malware that serves as a first-stage loader to drop multiple payloads. Since it can deliver multiple malware payloads once installed, it is a much sought-after tool among hackers. It is by design a highly resilient and complex malware that has been used extensively in multiple campaigns, including those associated with Ryuk and Conti.
BazarLoader uses the blockchain-based EmerDNS domain name and record system. This makes it resistant to any form of censorship or modification by entities other than the domain's author, so shutting down the associated domains is a tough proposition.
For the last few weeks, security teams have been discussing hackers using company forms to push infected links. WeTransfer, TransferNow, and in some instances even Dropbox links were being used to transfer a .ISO file containing a .LNK shortcut and a masked DLL file after the hacker had established a line of communication with the intended victim.
Sectrio's researchers intercepted an email earlier today that claimed to come from a prominent software review site. A look at the email address revealed that it was from another domain altogether and had been relayed through many mail servers to lend it an appearance of authenticity. Clicking any link in the message activates the attack chain with the download of an .ISO file containing the shortcut and the masked DLL file.
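The two paragraphs above give a mail-gateway analyst three things to check on a suspected lure: a From address whose domain does not match the brand the message claims to come from, an unusually long chain of Received hops, and links to file-transfer services or direct .ISO downloads. The script below is an added example of that triage and is not Sectrio's code. The sample message, the `.invalid` hostnames, the placeholder URLs, the `reviewsite-example.invalid` claimed domain and the hop threshold are all constructed for the example.

```python
"""
Defender-side triage of a suspected BazarLoader lure email (added example,
not Sectrio's tooling). Uses only the standard library so it runs offline.
"""
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample message: hostnames, addresses and URLs are placeholders.
SAMPLE_EML = """\
Return-Path: <bounce@relay-example.invalid>
Received: from mx3.relay-example.invalid ([203.0.113.30])
    by mail.victim-example.invalid; Tue, 1 Feb 2022 09:00:04 +0000
Received: from mx2.relay-example.invalid ([203.0.113.20])
    by mx3.relay-example.invalid; Tue, 1 Feb 2022 09:00:03 +0000
Received: from mx1.relay-example.invalid ([203.0.113.10])
    by mx2.relay-example.invalid; Tue, 1 Feb 2022 09:00:02 +0000
Received: from webmail.other-example.invalid ([198.51.100.5])
    by mx1.relay-example.invalid; Tue, 1 Feb 2022 09:00:01 +0000
From: "Review Site Partnerships" <partners@other-example.invalid>
To: marketing@victim-example.invalid
Subject: Your company review is ready
Content-Type: text/plain; charset=utf-8

Hi team, your review package is ready:
https://wetransfer.com/downloads/placeholder-id
Direct link: https://cdn.other-example.invalid/files/review_package.iso
"""

# File-transfer services named in the post; extensions used by the lure.
FILE_TRANSFER_HOSTS = {"wetransfer.com", "transfernow.net", "dropbox.com"}
LURE_EXTENSIONS = (".iso", ".lnk")

# Assumed tuning value: more Received hops than this is unusual for
# direct business mail and worth a closer look.
MAX_EXPECTED_HOPS = 3

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def parse(raw):
    """Parse raw RFC 5322 text into an EmailMessage (headers unfolded)."""
    return email.message_from_string(raw, policy=policy.default)


def _domain_of(header_value):
    addr = email.utils.parseaddr(str(header_value or ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def sender_domain(msg):
    """Domain of the From address, i.e. what the mail actually claims."""
    return _domain_of(msg["From"])


def return_path_domain(msg):
    """Domain of the envelope sender recorded by the receiving MTA."""
    return _domain_of(msg.get("Return-Path"))


def received_hops(msg):
    """Number of Received headers, i.e. the relay chain length."""
    return len(msg.get_all("Received", []))


def suspicious_links(msg):
    """URLs that point at file-transfer services or lure file types."""
    body = msg.get_body(preferencelist=("plain", "html")).get_content()
    hits = []
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        path = parsed.path.lower()
        on_transfer_site = host in FILE_TRANSFER_HOSTS or any(
            host.endswith("." + h) for h in FILE_TRANSFER_HOSTS)
        if on_transfer_site or path.endswith(LURE_EXTENSIONS):
            hits.append(url)
    return hits


def triage(raw, claimed_domain):
    """Return a list of human-readable findings; empty means nothing flagged."""
    msg = parse(raw)
    findings = []
    sd = sender_domain(msg)
    if sd != claimed_domain.lower():
        findings.append(f"From domain {sd} does not match claimed brand {claimed_domain}")
    rp = return_path_domain(msg)
    if rp and rp != sd:
        findings.append(f"Return-Path domain {rp} differs from From domain {sd}")
    hops = received_hops(msg)
    if hops > MAX_EXPECTED_HOPS:
        findings.append(f"{hops} Received hops (expected at most {MAX_EXPECTED_HOPS})")
    for url in suspicious_links(msg):
        findings.append(f"file-transfer or lure-file link: {url}")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_EML, "reviewsite-example.invalid"):
        print("FLAG:", line)
```

Run it to see the five findings the constructed message produces. In production the claimed-brand domain would come from a lookup of the display name against an allow-list of partner domains, and the hop threshold should be tuned to the organisation's real mail routing before it is used for anything beyond prioritising analyst review.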
Since this email targeted a team that would normally be interested in such communication, it was likely a targeted attack using a spoofed sender identity.
Such variation in phishing methods within just a couple of weeks indicates that hackers are working hard to adapt their tactics for pushing BazarLoader.
For more informational content, subscribe to our weekly updates and stay tuned with updates from Sectrio.
Try our rich OT and IoT-focused cyber threat intelligence feeds for free, here: IoT and OT Focused Cyber Threat Intelligence
Planning to upgrade your cybersecurity measures? Talk to our IoT and OT security experts here: Reach out to Sectrio.