BazarBackdoor exploits the website contact forms of numerous companies

March 25, 2022
BazarBackdoor Exploits Website Contact Forms Malicious Script Malware

Researchers have noticed that BazarBackdoor is being spread through website contact forms, a delivery route chosen because it slips past the detections of conventional security software. BazarBackdoor is developed by the TrickBot group and has been in active use for quite some time.

Based on reports, the recent spread of the backdoor attack was active from December last year to the first month of 2022, with the campaign actively targeting corporate employees.

This recent attack aims to deliver Cobalt Strike to its targets by way of a corporate website contact form, where the attackers pose as staff of a Canadian construction company requesting a quote for a product supply. The researchers noted that this is just one of many cases companies are currently experiencing.

After a website administrator responds to the quotation request received through the contact form, the threat actors reply by email with a malicious ISO file attachment, which carries the actual payload and is the pivot of the whole exchange.

Furthermore, the threat actors use a file-sharing service known as TransferNow to send malicious files and avoid security alerts. They also use WeTransfer for the same purpose.

Based on the analysis of recent BazarBackdoor samples, the threat actors used an ISO archive attachment containing a [.]lnk file and a [.]log file to bypass anti-malware detection. Packing the payloads inside an archive is effective because they are not unpacked until the user manually opens the ISO after download, which limits what automated scanners see.

The [.]lnk file contains a series of commands that open a command window using built-in Windows binaries. It then loads the [.]log file, which is in fact the BazarBackdoor DLL.

The DLL is subsequently loaded inside the svchost[.]exe process and communicates with the command-and-control server to receive further instructions for the operation.
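The chain described above (ISO opened from a mounted drive, a shortcut spawning a shell, a DLL loader handed a file with a non-DLL extension, and code ending up in svchost.exe) leaves a recognisable trail in process-creation telemetry. The following is an added example of how a defender might triage such events; it is not code from the article or from the researchers cited. The events are constructed, the loader binaries (rundll32.exe, regsvr32.exe) and the drive-letter and parent-process heuristics are assumptions of the example, and the entry-point name in the sample command line is a placeholder.

```python
"""Heuristic triage of process-creation events for an ISO -> .lnk -> disguised-DLL chain.
Added example: the events below are constructed and do not come from any real incident."""
import re
from typing import Dict, List, Tuple

# Built-in Windows binaries that load a DLL named on their command line.
# The article does not say which binary the shortcut used, so this list is an assumption.
DLL_LOADERS = ("rundll32.exe", "regsvr32.exe")

# Matches "<loader>.exe [/s] <drive>:\path\file.<ext>" and captures the path and extension,
# so we can flag a loader that was handed a file whose extension is not .dll.
DISGUISED_DLL_RE = re.compile(
    r"(?:rundll32|regsvr32)\.exe\s+(?:/s\s+)?\"?([a-z]:\\[^\"\s,]+?\.([a-z0-9]+))\"?",
    re.IGNORECASE,
)


def mounted_iso_drive(path: str) -> bool:
    """Heuristic (assumption): a mounted ISO is assigned a drive letter other than
    the system drive, so a working directory on D: through Z: is worth a look."""
    return bool(re.match(r"^[d-z]:\\", path, re.IGNORECASE))


def score_event(evt: Dict[str, str]) -> List[str]:
    """Return the list of reasons an event looks like part of the chain (empty if none)."""
    reasons: List[str] = []
    image = evt["image"].lower()
    parent = evt["parent"].lower()
    cmdline = evt["cmdline"]

    # 1. A user double-clicked something on a freshly mounted image and it spawned a shell,
    #    which is what a shortcut inside an ISO attachment produces.
    if (image.endswith(("\\cmd.exe", "\\powershell.exe"))
            and parent.endswith("\\explorer.exe")
            and mounted_iso_drive(evt.get("cwd", ""))):
        reasons.append("shell spawned by explorer.exe with working directory on a mounted image")

    # 2. A DLL loader asked to load a file that is not named .dll (the .log disguise).
    match = DISGUISED_DLL_RE.search(cmdline)
    if match and match.group(2).lower() != "dll":
        reasons.append(f"DLL loader given non-DLL file {match.group(1)}")

    # 3. svchost.exe is normally started by services.exe; any other parent is a
    #    classic sign of masquerading or of a hijacked host process (heuristic).
    if image.endswith("\\svchost.exe") and not parent.endswith("\\services.exe"):
        reasons.append(f"svchost.exe with unexpected parent {evt['parent']}")

    return reasons


def detect(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Run score_event over a batch and return (index, reasons) for every hit."""
    hits = []
    for idx, evt in enumerate(events):
        reasons = score_event(evt)
        if reasons:
            hits.append((idx, reasons))
    return hits


# Constructed sample telemetry, shaped like process-creation events (parent, image,
# command line, working directory). Entries 1 and 3 are the suspicious ones.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir", "cwd": r"C:\Users\alice"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c start /min rundll32.exe E:\quote.log,EntryPointPlaceholder",
     "cwd": "E:\\"},
    {"parent": r"C:\Windows\System32\services.exe", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs", "cwd": r"C:\Windows\System32"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe", "cwd": "E:\\"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "cwd": r"C:\Users\alice"},
]

if __name__ == "__main__":
    for idx, reasons in detect(SAMPLE_EVENTS):
        print(f"event {idx}:")
        for reason in reasons:
            print(f"  - {reason}")
```

Each rule on its own produces noise (removable media also get non-system drive letters; legitimate software does occasionally call rundll32 with an odd extension), so in practice the value is in the combination: a shell from a mounted image, a loader fed a .log file, and an oddly parented svchost.exe within a short window on the same host is a strong signal for this particular chain.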

The threat actors operating the BazarBackdoor are abusing contact forms to create credibility and authenticity of their attacks. Experts suggest that website admins should be sharp in identifying these emails and stay alert whenever receiving suspicious emails from sketchy sources.
