Malicious CSV files used to deliver the BazarLoader campaign

February 21, 2022
Malicious CSV Files Transmitter BazarLoader Campaign Malware Phishing Excel

A new phishing attack has been observed in which threat actors use a specially crafted CSV text file to infect targeted devices with the BazarLoader trojan. More than a hundred corporations and government entities (excluding sandbox environments) have already been affected by this campaign.

According to researchers, the phishing emails pose as a Payment Remittance Advice and link to remote sites that download a malicious CSV file tracked as 21966[.]csv. The malicious CSV file is a plain-text document with comma-separated columns, one of which contains a WMIC call that launches a PowerShell command.

In this campaign, the Dynamic Data Exchange (DDE) function uses WMIC to launch PowerShell, which in turn retrieves a further PowerShell command from a remote URL controlled by the threat actors.

The remote PowerShell script downloads a file named picture[.]jpg and saves it as a DLL named 87764675478[.]dll. This DLL installs BazarLoader, which then delivers BazarBackdoor and other payloads to the targeted devices.


The BazarLoader campaign's CSV file also depends on MS Excel to execute its payload.


If the target opens the BazarLoader campaign's CSV file in MS Excel, Excel flags the file as a security concern. However, the attack continues by displaying a prompt asking the user to "enable automatic update of links."

If the user accepts, Excel shows a second prompt asking whether WMIC may access the remote data. Only if the target allows both prompts does Excel run the PowerShell scripts that download the DLL file and complete the installation of BazarBackdoor.
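The DDE trick described above works because Excel evaluates a CSV cell that begins with a formula character and contains the `server|topic!item` DDE syntax. The following scanner is an added defensive example, not code from the original article or from the researchers it cites: it parses a CSV file and flags cells that would be interpreted as formulas, distinguishing DDE-style calls and references to WMIC/PowerShell from ordinary negative numbers. The sample CSV is constructed for illustration; the flagged cell uses a placeholder topic, not a working command.

```python
import csv
import io
import re
from typing import List, Optional, Tuple

# Excel treats a cell beginning with any of these characters as a formula.
FORMULA_PREFIXES = ("=", "+", "-", "@")
# DDE syntax is <server>|<topic>!<item>; the server is an application name.
DDE_RE = re.compile(r"^[=+\-@]\s*[A-Za-z0-9_.]+\s*\|.*!", re.DOTALL)
# Programs that a formula in a data export should never reference.
SUSPICIOUS_PROGRAMS = re.compile(
    r"\b(wmic|powershell|cmd|mshta|rundll32|regsvr32|msiexec)\b", re.IGNORECASE
)


def classify_cell(cell: str) -> Optional[str]:
    """Return a verdict for one cell, or None if it is harmless."""
    value = cell.lstrip()  # conservative: ignore leading whitespace
    if not value.startswith(FORMULA_PREFIXES):
        return None
    if DDE_RE.match(value):
        return "dde-formula"
    if SUSPICIOUS_PROGRAMS.search(value):
        return "formula-with-executable"
    try:
        float(value)  # "-12.50" is a plain negative number, not a formula
        return None
    except ValueError:
        return "formula-cell"  # any other formula is worth a manual look


def scan_csv(text: str) -> List[Tuple[int, int, str, str]]:
    """Return (row, column, verdict, raw cell) for every suspicious cell."""
    findings = []
    for row_no, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        for col_no, cell in enumerate(row, start=1):
            verdict = classify_cell(cell)
            if verdict:
                findings.append((row_no, col_no, verdict, cell))
    return findings


# Constructed sample: a benign remittance sheet with one DDE-style cell
# (placeholder topic, not a real command) and one ordinary formula.
SAMPLE_CSV = "\n".join([
    "Invoice,Amount,Note",
    "INV-1001,250.00,Paid in full",
    "INV-1002,-12.50,Refund",
    "INV-1003,0.00,\"=WMIC|'PLACEHOLDER-NOT-A-COMMAND'!A1\"",
    "INV-1004,99.00,=SUM(B2:B4)",
]) + "\n"

if __name__ == "__main__":
    for row, col, verdict, cell in scan_csv(SAMPLE_CSV):
        print(f"row {row} col {col}: {verdict}: {cell!r}")
```

Running it reports the DDE cell in row 4 and the plain formula in row 5, while the negative amount in row 3 is left alone; the same function can be applied to attachments at a mail gateway before they reach Excel.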

BazarLoader is a serious threat that gives threat actors access to systems inside a corporate network. Organisations should stay alert to this threat and the associated attack techniques.

Cybersecurity experts recommend installing reliable AV solutions and providing comprehensive training to employees so they can recognise phishing emails.
