A new phishing campaign has been spotted using specially crafted CSV text files to infect targeted devices with malware. The installed malware is the BazarBackdoor or BazarLoader trojan.

The use of CSV files

In the past two days, researchers have spotted 102 actual non-sandbox corporations, along with government victims.
  • The phishing campaign was spotted by a security researcher where the phishing emails pretend to be Payment Remittance Advice, with links to remote sites downloading a CSV file, document-21966[.]csv.
  • The document-21966[.]csv file is just a text file with columns of data separated by commas and one of the data columns has an odd WMIC call that executes a PowerShell command. 
  • In this particular campaign, the Dynamic Data Exchange function (DDE) used WMIC to create a new PowerShell process that opens a remote URL laden with another PowerShell command that is executed as well.
  • The remote PowerShell script command downloads a picture[.]jpg file and saves it as 87764675478[.]dll. The DLL file installs BazarLoader and deploys BazarBackdoor and other payloads.

Additional insights

Whenever the CSV file is opened in Excel, the program spots the DDE call and displays a dialogue box, ‘enable automatic update of links,’ to the users that flagged as a security concern.
  • Even if a user enables the feature, Excel will show another prompt confirming if WMIC is allowed to access the remote data.
  • If a user allows both prompts, Excel executes the PowerShell scripts that download the DLL, and BazarBackdoor is installed.


BazarBackdoor is a dangerous threat that provides threat actors access to systems inside corporate networks. Thus, organizations should stay aware of this threat and the associated attack techniques. Moreover, experts recommend installing reliable anti-malware solutions and providing training to employees for identifying phishing emails.

Cyware Publisher