BazaLoader affiliates continue to use intricate infection chains and techniques to distribute the BazaLoader malware. BazaLoader is a downloader written in C++ that is used to fetch and execute additional modules. Now, the attackers have come up with a new tactic to lure users into opening malicious files.

What’s going on?

The messages contain fake alerts claiming that the recipient's website has been involved in DDoS attacks. They carry a legal threat, along with a link to a file in a Google Drive folder that reportedly offers evidence of the attack's source. The DDoS lure is a variation of an earlier lure - a DMCA infringement complaint that links to a file allegedly containing evidence about stolen images. The attackers used Firebase URLs to deliver the malware, which in turn deploys Cobalt Strike.

Why this matters

The notifications look legitimate and are quite convincing. They abuse the legitimacy of website contact-form emails, which increases the chance of bypassing email security solutions. This recent BazaLoader threat is more dangerous because of its backdoor capabilities: the payloads deployed can give the attackers hands-on-keyboard control over victims' devices. Furthermore, ransomware can be deployed within 48 hours of the initial malware infection.
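Because the chain described above begins with a convincing contact-form message, the first defensive control is mail triage. The Python below is an added example, not Cyware's code or anything from the BazaLoader operators: a small heuristic scorer that flags messages combining a legal threat, an accusation (DDoS or copyright infringement), a deadline, and a link to "evidence" on public file hosting. The Firebase hostnames, the scoring weights, the thresholds and the sample messages are assumptions made for this example, and the URLs in the samples are placeholders, not indicators from the report.

```python
import re
from dataclasses import dataclass
from typing import List

# Public file-hosting domains the lure links point to. drive.google.com is named
# in the report; the Firebase hostnames are an assumption about what "Firebase
# URLs" means and are not indicators taken from the report.
FILE_HOSTS = (
    "drive.google.com",
    "firebasestorage.googleapis.com",
    "web.app",
    "firebaseapp.com",
)

LEGAL_THREAT = re.compile(r"\b(legal action|lawsuit|attorney|court|dmca|complaint)\b", re.I)
ATTACK_CLAIM = re.compile(
    r"\b(ddos|denial.of.service|stolen (?:images|content)|copyright infringement)\b", re.I
)
URGENCY = re.compile(r"\b(within \d+ (?:hours|days)|immediately|urgent)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


@dataclass
class TriageResult:
    score: int
    verdict: str          # "deliver", "review" or "quarantine"
    reasons: List[str]
    hosted_links: List[str]


def _host(url: str) -> str:
    """Return the lower-cased hostname of a URL, or '' if it cannot be parsed."""
    m = re.match(r"https?://([^/:?#]+)", url, re.I)
    return m.group(1).lower() if m else ""


def _on_file_host(url: str) -> bool:
    h = _host(url)
    return any(h == d or h.endswith("." + d) for d in FILE_HOSTS)


def triage(subject: str, body: str, via_contact_form: bool) -> TriageResult:
    """Score one message against the lure pattern and map the score to a verdict.

    The weights and thresholds are assumptions chosen for this example; tune
    them against your own mail flow before relying on anything like this.
    """
    text = f"{subject}\n{body}"
    score, reasons = 0, []

    if via_contact_form:
        score += 1
        reasons.append("submitted through website contact form")
    if LEGAL_THREAT.search(text):
        score += 2
        reasons.append("contains a legal threat")
    if ATTACK_CLAIM.search(text):
        score += 2
        reasons.append("accuses the recipient of an attack or infringement")
    if URGENCY.search(text):
        score += 1
        reasons.append("imposes a deadline")

    hosted = [u for u in URL_RE.findall(body) if _on_file_host(u)]
    if hosted:
        score += 3
        reasons.append("links to 'evidence' on public file hosting")

    if score >= 6:
        verdict = "quarantine"
    elif score >= 3:
        verdict = "review"
    else:
        verdict = "deliver"
    return TriageResult(score, verdict, reasons, hosted)


# Constructed sample messages modelled on the two lures described in the report
# plus one ordinary contact-form inquiry. URLs are placeholders, not indicators.
SAMPLES = {
    "ddos_lure": (
        "Your website attacked our servers",
        "Our security team traced a DDoS attack against our infrastructure to "
        "your site. We will take legal action unless you respond within 24 hours. "
        "Evidence is here: https://drive.google.com/drive/folders/PLACEHOLDER-FOLDER-ID",
        True,
    ),
    "dmca_lure": (
        "DMCA complaint - copyright infringement",
        "You are using stolen images owned by our client. Download the proof "
        "immediately: https://placeholder-project.web.app/evidence.zip",
        True,
    ),
    "benign_inquiry": (
        "Quote request",
        "Hello, could you send pricing for 20 units? Company site: "
        "https://www.example.com/about",
        True,
    ),
}


def run_samples() -> dict:
    """Triage every sample and return {name: verdict}."""
    return {name: triage(*msg).verdict for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        r = triage(*msg)
        print(f"{name:15} score={r.score} verdict={r.verdict} reasons={r.reasons}")
```

The point of separating the "hosted link" signal from the wording signals is that a benign customer who links to their own website scores low, while the lure's combination of accusation, threat, deadline and a download on third-party file hosting scores high enough to hold the message for an analyst. Feeding the `reasons` list into the quarantine notice gives the analyst the context the report describes without having to open the link.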

Recent BazaLoader activities

  • A recent campaign was observed in which BazaLoader operators leveraged fake call centers to trick targets into downloading BazaLoader.
  • The attackers were also spotted leveraging a fake movie subscription service and spreading BazaLoader via weaponized Excel spreadsheets.

The bottom line

When you receive emails from unknown senders, be very vigilant. Do not directly call any number mentioned in the email; instead, check whether you have any connection with the service or complaint it refers to. A good way to steer clear of this social engineering trap is to watch for incorrect grammar, questionable links, and incomplete contact information.

Cyware Publisher