Threat actors execute fake legal threats to drop BazaLoader malware and commit data theft

September 1, 2021

Cybercriminals have recently devised a new scam. They bait their targets, specifically website owners, into opening an infected file by sending fake alerts claiming that the target's website is currently experiencing a distributed denial-of-service (DDoS) attack. The message carries a supposed legal threat and links to a file in a Google Drive folder that purportedly contains strong evidence about the attack's source. The file actually delivers the BazaLoader malware.


The execution of the fake legal threats

Another tactic the threat actors use is a fake Digital Millennium Copyright Act (DMCA) infringement complaint that links to a file supposedly containing evidence of stolen images. This is another variation of the DDoS theme.


BazaLoader is malware that provides backdoor access to a Windows host it has already infected.


The attackers deliver their messages through website contact forms; the messages link to Firebase URLs that push BazaLoader, and once running, BazaLoader drops Cobalt Strike. The whole chain can lead to data theft or a ransomware attack.

In April this year, Microsoft warned businesses about this tactic when threat actors used it to deliver the IcedID malware. This time the payload and the lure have changed, but the attackers' overall process has not.

This week, website developer and designer Brian Johnson reported that two of his partners had received unexpected alerts claiming their sites had been hacked and used to run DDoS attacks against the large companies Intuit and HubSpot. The senders of this fake legal threat warned that they would take legal action unless the unsuspecting victims quickly removed the malicious files from their websites, which had allegedly been used to support the DDoS attack.

The message also includes a Google Drive link that supposedly leads to evidence of the DDoS attack's origin; the evidence is fake.


Victims' website contact forms used to send the messages

According to cybersecurity researchers, the fake legal threat messages were sent through the target website's contact form, a feature most websites have had for a long time. The attackers then aim to deliver the BazaLoader malware from a Google site. This tactic is another form of the copyright infringement theme scam, which likewise works by sending messages to a victim's website contact form.

Researchers advise website owners exposed to these attacks to look for the most obvious signs of a fake legal threat, such as poor grammar, incomplete contact information, and suspicious enclosed links.
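As an added defensive example (not code from the article or from any vendor tool), the following Python scores incoming contact-form submissions against the indicators described above: links to the file-hosting services named in the article, DDoS/DMCA legal-threat wording, and missing contact details. The hostnames in FILE_HOST_PATTERNS and the sample submissions are assumptions constructed for this example.

```python
import re
from urllib.parse import urlparse

# Constructed contact-form submissions for the example (not real messages).
SAMPLE_SUBMISSIONS = [
    {"name": "Legal Dept", "email": "", "phone": "",
     "message": "Your website is running DDoS attack against our company. "
                "Proof is at https://drive.google.com/file/d/EXAMPLEID/view. "
                "Clean the malicious files within 24 hours or we take legal action."},
    {"name": "Jane Doe", "email": "jane@example.net", "phone": "+1-555-0100",
     "message": "Hi, I'd like a quote for a small business site redesign."},
]

# Hosting services the article names as delivery points (assumed hostnames).
FILE_HOST_PATTERNS = ("drive.google.com", "firebasestorage.googleapis.com", "sites.google.com")
# Vocabulary of the DDoS and DMCA lures described in the article.
LEGAL_THREAT_TERMS = ("ddos", "dmca", "copyright", "legal action", "lawsuit", "infringement")
URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def score_submission(sub: dict) -> dict:
    """Return a risk score and the indicators that fired for one submission."""
    text = sub.get("message", "")
    lower = text.lower()
    indicators = []
    # 1. Links whose host is one of the file-hosting services used in this campaign.
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if any(host == p or host.endswith("." + p) for p in FILE_HOST_PATTERNS):
            indicators.append(f"file-host link: {host}")
    # 2. Legal-threat wording (DDoS / DMCA lures).
    hits = [t for t in LEGAL_THREAT_TERMS if t in lower]
    if hits:
        indicators.append("legal-threat terms: " + ", ".join(hits))
    # 3. Incomplete contact information, one of the signs the researchers cite.
    if not sub.get("email") or not sub.get("phone"):
        indicators.append("incomplete contact info")
    score = len(indicators)
    # Two or more independent indicators is treated as enough to hold the message
    # for review instead of forwarding it to the site owner.
    return {"score": score, "quarantine": score >= 2, "indicators": indicators}


def triage(subs):
    """Score every submission; returns one result dict per input."""
    return [score_submission(s) for s in subs]
```

The threshold and term list are starting points; tune them against the legitimate traffic your own contact form receives.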
