The BazarLoader malware is leveraging worker trust in collaboration tools like Slack and BaseCamp, in email messages with links to malware payloads, researchers said.
And in a secondary campaign aimed at consumers, the attackers have added a voice-call element to the attack chain.
The BazarLoader downloader, written in C++, has the primary function of downloading and executing additional modules. BazarLoader was first observed in the wild last April – and since then researchers have observed at least six variants, “signaling active and continued development.”
It’s been recently seen being used as a staging malware for ransomware, particularly Ryuk.
“With a focus on targets in large enterprises, BazarLoader could potentially be used to mount a subsequent ransomware attack,” according to an advisory from Sophos, issued on Thursday.
Cyberattackers Abuse Slack and BaseCamp
According to researchers at Sophos, in the first campaign spotted, adversaries are targeting employees of large organizations with emails that purport to offer important information related to contracts, customer service, invoices or payroll.
“One spam sample even attempted to disguise itself as a notification that the employee had been laid off from their job,” according to Sophos.
The links inside the emails are hosted on Slack or BaseCamp cloud storage, meaning that they could appear to be legitimate if a target works at an organization that uses one of those platforms. In an era of remote working, those odds are good that this is the case.
“The attackers prominently displayed the URL pointing to one of these well-known legitimate websites in the body of the document, lending it a veneer of credibility,” researchers said. “The URL might then be further obfuscated through the use of a URL shortening service, to make it less obvious the link points to a file with an .EXE extension.”
If a target clicks on the link, BazarLoader downloads and executes on the victim’s machine. The links typically point directly to a digitally signed executable with an Adobe PDF graphic as its icon. The files usually perpetuate the ruse, with names like presentation-document.exe, preview-document-[number].exe or annualreport.exe, researchers noted.
These executable files, when run, inject a DLL payload into a legitimate process, such as the Windows command shell, cmd.exe.
“The malware, only running in memory, cannot be detected by an endpoint protection tool’s scans of the filesystem, as it never gets written to the filesystem,” explained researchers. “The files themselves don’t even use a legitimate .DLL file suffix because Windows doesn’t seem to care that they have one; The OS runs the files regardless.”
In the second campaign, Sophos found that the spam messages are devoid of anything suspicious: There’s no personal information of any kind included in the body of the email, no link and no file attachment.
“All the message claims is that a free trial for an online service the recipient purportedly is currently using will expire in the following day or two, and embeds a telephone number the recipient needs to call in order to opt-out of an expensive, paid renewal,” researchers explained.
If a target decides to pick up the phone, a friendly person on the other side gives them a website address where the soon-to-be-victim could supposedly unsubscribe from the service.
“The well-designed and professional looking websites bury an unsubscribe button in a page of frequently asked questions,” according to Sophos. “Clicking that button delivers a malicious Office document (either a Word doc or an Excel spreadsheet) that, when opened, infects the computer with the same BazarLoader malware.”
The messages initially claimed to originate from a company called Medical Reminder Service, and include a telephone number in the message body, as well as a street address for a real office building located in Los Angeles. But in mid-April, the messages adopted a lure involving a fake paid online lending library, called BookPoint.
The subject lines revolving around BookPoint also reference a long number or code, which users are asked to input in order to “unsubscribe.”
In terms of the infection routine, the attackers in these so-called “BazarCall” campaigns deliver weaponized Microsoft Office documents that invoke commands to drop and execute one or more payload DLLs.
Connection to Trickbot?
Researchers have been suspecting that BazarLoader could be related or authored by the TrickBot operators. TrickBot is another first-stage loader malware often used in ransomware campaigns.
Sophos looked into the connection and found that the two malwares use some of the same infrastructure for command and control.
“From what we could tell, the [BazarLoader] malware binaries running in the lab network bear no resemblance to TrickBot,” according to the posting. “But they did communicate with an IP address that has been used in common, historically, by both malware families. Of course, a lot of people have studied this connection in the past.”
In any event, BazarLoader appears to be in an early stage of development and isn’t as sophisticated as more mature families like TrickBot, researchers added.
For instance, “while early versions of the malware were not obfuscated, more recent samples appear to encrypt the strings that might reveal the malware’s intended use,” they said.
Ever wonder what goes on in underground cybercrime forums? Find out on April 21 at 2 p.m. ET during a FREE Threatpost event, “Underground Markets: A Tour of the Dark Economy.” Experts from Digital Shadows (Austin Merritt), Malwarebytes (Adam Kujawa) and Sift (Kevin Lee) will take you on a guided tour of the Dark Web, including what’s for sale, how much it costs, how hackers work together and the latest tools available for hackers. Register here for the Wed., April 21 LIVE event.