BazarLoader Spreading through websites” contact forms (15th March 2022)

Ref# AL2022_16 | Date: Mar 15th 2022

Description

BazarLoader, a stealth and advanced malware that is used as a first-stage infector, is being propagated through a novel social engineering technique that is quite easy to fall for.

Summary

BazarLoader is designed to be stealthy and resilient and has previously been used in campaigns including malware such as TrickBot, Ryuk ransomware, and Conti ransomware, to mention a few. Once a machine has been infected, it will download and run further viruses. It is thought to have been created by the Trickbot gang.

The EmerDNS system is used by BazarLoader, which consists of a blockchain on which domain name records are entirely decentralized and uncensorable, as stated by Emercoin. This makes the virus extremely durable, as it can only be shut down by the person who has the domain”s blockchain private key.

The controllers of BazarLoader have produced new ways to propagate it and infect people over time. For example, they pretended to be a corporation whose free trial service would expire soon, and the recipient”s credit card would be debited within a day or two to pay for the subscription by sending emails with no links or attachments. The user had to call a fraudster-operated phone number to cancel the payment. They would then send the user a link to infect them. Because no link or file was supplied by email, this strategy is highly effective at avoiding threat detection. To infect their targets, they also employed hacked VLC and TeamViewer software installers.

How it works

The BazarLoader controllers have recently discovered a new unique approach to disseminate its malware and infect people, according to researchers at Abnormal.

Cybercriminals initiate contact with enterprises via their websites” contact forms in this new infecting strategy. Attackers pretend to be organizations interested in a product or service provided by their target. When the target responds via email, the attacker establishes his or her cover identity before employing social engineering techniques to convince the victim to download a malicious file that infects the machine with a BazarLoader malware version.

The downloaded file is not the usual .exe file or an infecting XLSX or DOCX file but an ISO image with two parts. The first is a .LNK file masquerading as a folder, while the second is a DLL file masquerading as a .LOG file. When the target clicks the shortcut, it sends a command to regsvr32.exe, which launches the second file. The second file is a BazarLoader  DLL file.

Remediation

Files coming from unknown sources should be handled with care and not executed immediately. Here are some steps that are useful in determining if the files are safe or not:

  • Have the file evaluated by a security tool that detects malware using more than just signatures.
  • If possible, have the file studied in a sandbox so that behavioral analysis can be performed alongside static analysis. The IT department or analysts with extensive malware knowledge should do this study.
  • If you are still not sure, open the file in a virtual machine with a snapshot system, which will allow you to restore the virtual machine to its pre-launch state once the file has been run and the analysis has been completed.
  • Always ensure that there is a trusted antivirus software installed on your computer with the latest updates installed.

The Guyana National CIRT recommends that users and administrations review this alert and apply it where necessary.

PDF Download: BazarLoader Spreading through websites” contact forms.pdf

References