With Valentine’s Day approaching this weekend, several people have received “recent order” email confirmations for flowers or lingerie. These emails are actually part of a spear-phishing attack, which ultimately leads recipients to a malicious document that executes the BazaLoader malware.
The BazaLoader downloader, written in C++, has the primary function of downloading and executing additional modules. BazaLoader was first observed in the wild in April – and since then researchers have observed at least six variants, “signaling active and continued development.”
Recently, researchers found multiple BazaLoader campaigns in January and February, which have relied heavily on human interaction with different sites, PDF attachments and email lures.
“There were a range of lure and subject topics, including compact storage devices, office supplies, pharmaceutical supplies and sports nutrition, but what stuck out were campaigns that were timely and relevant to the upcoming Valentine’s Day holiday,” said researchers with Proofpoint on Thursday. “The campaigns were spread across a diverse set of companies and sectors.”
Email Attack: ‘Ajour Lingerie’ Phishing Lure
One such recent email purported to be from Ajour Lingerie, a “high-quality online lingerie shop” based out of New York. The email told recipients that they have completed their order, and to check the invoice to confirm the price of their purchase.
A sample attachment with the purported “order.” Credit: Proofpoint
The attached PDF, labeled invoice_NI52224162K.pdf, is interestingly not malicious. It instead references a specific customer-order number and associated purchase items. In one example, the “order” totals $410.03, which may send email recipients into a panic.
The invoice also had a website link pretending to be that of Ajour Lingerie. However, the website (ajourlingerie[.]net) is different than the actual website for Ajour Lingerie (ajour.com).
The fake Ajour Lingerie website. Credit: Proofpoint
Attackers went into extreme detail to make the fake Ajour Lingerie website look real, from the logo down to the address.
“The websites the user would browse to are fake, but the actors took care to have the physical addresses…match a near-legitimate location,” said researchers. “For example, Ajour Lingerie is not located at 1133 50th St, Brooklyn, NY 11219, but this address is in physical proximity to a legitimate website and physical business called the Lingerie Shop.”
The website also had a “contact” page. If users visited this page, they were then given the option to enter the order number in the order ID. The contact page then redirected them to the landing page, which linked to an Excel sheet. That Excel sheet contained macros that, if enabled by the user, would download BazaLoader.
Email Lure: Flowers From ‘Rose World’
A second email used an almost-identical lure, only this time purporting to be from Rose World. This email also references an order from Rose World’s online store, and includes a PDF attachment outlining an order (in one case, totaling $104.58), with references to purchases at a fake Rose World website (roseworld.shop).
An example of an email pretending to be from Rose World. Credit: Proofpoint
“If the user visits the website, navigates to Contact Us, and enters the order number in the order ID, the site will redirect the user to a landing page,” said researchers. “This landing page links to and explains how to open the Excel sheet. The Excel sheet contains macros that, if enabled, will download BazaLoader.”
While researchers did not specify what malware gets loaded after this first-stage infection, BazaLoader has been noted for its code similarity to TrickBot, and has been associated with Ryuk ransomware infections.
BazaLoader: An Evolving Malware Loader
Researchers warned that they have observed “a steady growth” in actors using BazaLoader as a first-stage downloader. This uptick in BazaLoader distribution has run parallel to an active development of the loader, particularly during the month of October 2020. The most recent Valentine’s Day attack notably reflects an attack vector with an increase on human interaction.
“These recent BazaLoader campaigns exemplify affiliate actors leveraging a loader that is increasingly popular and more reliant on human interaction,” they said. “Further, the social engineering features rely on the timeliness of the Valentine’s Day holiday and the intrinsic user curiosity to see what they may have ordered.”
Cybercriminals Horn in on Valentine’s Day
Both lures are reflective of cybercriminals horning in on Valentine’s Day – which has been a popular phishing theme over the past years. Last February, a malicious email campaign aimed at iPhone owners tried to convince them to download a fake dating app. And, in 2018, researchers warned that Necurs botnet activity was spiking as scammers used the network to flood inboxes with promises of companionship, in part of a seasonal wave of Valentine’s Day-themed spam.
“Valentine’s Day, while not abused to the level of other holidays, presents an opportunity for a variety of actors,” said researchers with Proofpoint. “The FBI Boston field office has posted public warnings of romance scams. While this is not a romance scam, it is an example of social engineering, well-timed with the Valentine’s Day holiday.”
Is your small- to medium-sized business an easy mark for attackers?
Threatpost WEBINAR: Save your spot for “15 Cybersecurity Gaffes SMBs Make,” a FREE Threatpost webinar on Feb. 24 at 2 p.m. ET.Cybercriminals count on you making these mistakes, but our experts will help you lock down your small- to mid-sized business like it was a Fortune 100. Register NOW for this LIVE webinar on Wed., Feb. 24.
