
Watch Out! BazarBackdoor is Abusing Website Contact Forms

BazarBackdoor is being distributed through website contact forms, a route that lets the initial approach arrive through the victim's own form rather than as inbound email, reducing the chance that security software flags it. The backdoor is developed by the TrickBot group and has been under active development for some time.

The campaign

According to Abnormal Security, the campaign was active between December 2021 and January 2022 and targeted corporate victims with BazarBackdoor. The infection's end goal was to deploy Cobalt Strike or ransomware on the compromised network.
  • In one case, the attackers submitted the target company's website contact form, posing as employees of a Canadian construction firm requesting a quote for a product supply.
  • Once a company representative replied with the quotation, the attackers responded by email with a malicious ISO file presented as a document relevant to the negotiation.
  • To avoid triggering security alerts on email attachments, the attackers shared the ISO through the file-sharing services TransferNow and WeTransfer rather than attaching it directly.

The use of a .lnk file

The ISO contains two files, a .lnk shortcut and a .log file. Packaging the payload inside an archive that the user has to mount or extract after downloading it keeps the contents away from the anti-malware scanning applied to ordinary attachments.
  • The .lnk file carries a command line that opens a terminal window via existing Windows binaries and then loads the .log file, which is not a log at all but the BazarBackdoor DLL with a misleading extension.
  • Once loaded, the DLL is injected into the svchost[.]exe process and contacts the C2 server to receive commands for execution.
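The delivery chain above hinges on what the shortcut's command line does, and that command line is recoverable from the .lnk file itself without opening it. The following is an added example, not code from the article or from Abnormal Security: a minimal parser for the Windows Shell Link binary format (MS-SHLLINK) that extracts the target path, arguments and window mode, plus a triage heuristic that flags shortcuts whose target is a living-off-the-land binary and whose arguments reference a file with a non-executable extension such as .log. The set of binaries, the sample shortcuts and the `quote.log,Start` argument are all constructed for illustration; the article does not name the Windows binary the attackers used.

```python
import re
import struct
from typing import Any, Dict, List

# LinkFlags bits (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# CLSID 00021401-0000-0000-C000-000000000046 as stored in the header
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that starts the window minimized, i.e. out of sight

# Assumption: an illustrative set of Windows binaries commonly used to launch a payload.
LOLBINS = {"cmd.exe", "rundll32.exe", "regsvr32.exe", "powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# Extensions that never legitimately hold executable code a LOLBin should be loading
NON_EXEC_EXTS = (".log", ".txt", ".dat", ".tmp", ".jpg", ".png", ".pdf")


def _read_string(data: bytes, pos: int, unicode: bool):
    """Read one StringData entry: a 2-byte character count followed by the characters."""
    (count,) = struct.unpack_from("<H", data, pos)
    pos += 2
    if unicode:
        raw = data[pos:pos + 2 * count]
        return raw.decode("utf-16-le"), pos + 2 * count
    raw = data[pos:pos + count]
    return raw.decode("cp1252", errors="replace"), pos + count


def parse_lnk(data: bytes) -> Dict[str, Any]:
    """Return the strings and ShowCommand of a .lnk file without resolving or running it."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    (flags,) = struct.unpack_from("<I", data, 20)
    (show_cmd,) = struct.unpack_from("<I", data, 60)
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:  # skip the IDList: 2-byte size + items
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:  # skip LinkInfo: its first dword is its total size
        (link_info_size,) = struct.unpack_from("<I", data, pos)
        pos += link_info_size
    unicode = bool(flags & IS_UNICODE)
    info: Dict[str, Any] = {"show_command": show_cmd}
    for flag, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        info[key], pos = _read_string(data, pos, unicode) if flags & flag else ("", pos)
    return info


def triage(info: Dict[str, Any]) -> Dict[str, Any]:
    """Heuristic: LOLBin target plus a non-executable 'document' in the arguments is suspicious."""
    tokens = re.split(r"[\s,\"']+", info["arguments"].lower())
    names = [info["relative_path"].lower().replace("/", "\\").rsplit("\\", 1)[-1]]
    names += [t.rsplit("\\", 1)[-1] for t in tokens]
    lolbins = sorted(set(names) & LOLBINS)
    non_exec = [t for t in tokens if t.endswith(NON_EXEC_EXTS)]
    findings: List[str] = []
    if lolbins:
        findings.append("living-off-the-land binaries: " + ", ".join(lolbins))
    if non_exec:
        findings.append("non-executable file passed as payload: " + ", ".join(non_exec))
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window starts minimized (SW_SHOWMINNOACTIVE)")
    return {"suspicious": bool(lolbins) and bool(non_exec), "findings": findings}


def build_lnk(relative_path: str, working_dir: str, arguments: str, show_command: int = 1) -> bytes:
    """Construct a minimal .lnk (header + StringData) so the example runs offline."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    enc = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + enc(relative_path) + enc(working_dir) + enc(arguments)


# Constructed samples (not recovered from the campaign): a shortcut that hands a .log to rundll32
# via cmd.exe with a hidden window, and a benign shortcut to Notepad.
SAMPLE_LNK = build_lnk(r"..\..\..\Windows\System32\cmd.exe", ".",
                       r"/c rundll32.exe .\quote.log,Start", SW_SHOWMINNOACTIVE)
BENIGN_LNK = build_lnk(r"..\..\..\Windows\System32\notepad.exe", ".", "notes.txt")

if __name__ == "__main__":
    for blob in (SAMPLE_LNK, BENIGN_LNK):
        parsed = parse_lnk(blob)
        print(parsed["relative_path"], parsed["arguments"], triage(parsed))
```

On a real sample you would mount or extract the ISO on an isolated analysis host and feed each `.lnk` it contains to `parse_lnk` rather than double-clicking it; the `.log` companion file can then be checked for an MZ header to confirm it is a DLL.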

Concluding notes

By opening the conversation through a contact form the attackers make the later email exchange look like a legitimate, already-established business negotiation. Anyone who handles inbound requests from a website contact form should treat follow-up emails that deliver files through file-sharing links with suspicion, particularly ISO archives containing shortcut files, and should verify the sender through an independent channel before opening them.
Cyware Publisher