Posted on April 17, 2021 at 7:58 PM
Security researchers at Sophos have discovered two malicious spam campaigns that began this year. The campaigns target remote workers at top companies and use accounts on the BaseCamp and Slack websites to host the malware and deliver its payloads.
The second campaign tells victims they will be charged for an online service and instructs them to call a phone number, where they are given a web link that leads to the malware.
The attackers target BaseCamp and Slack users, with their company’s name embedded in the message.
According to Sophos, the messages claim to contain vital information such as customer service inquiries, invoices, contracts, payroll, and in some cases even layoff notifications.
The second spyware campaign is called “BazarCall”, and the threat actors added a voice-call element to the attack chain.
The malware delivered, BazarLoader, works by downloading and executing additional modules. BazarLoader was first observed in April last year, but Sophos has seen six additional variants since then, which signals active and continued development. Recently, it was used by the Ryuk group as staging malware.
“BazarLoader could potentially be used to mount a subsequent ransomware attack,” according to Sophos’ security advisory.
BazarLoader linked to TrickBot operators
According to the information available to the researchers, the BazarLoader malware could have been authored by, or be related to, the TrickBot operators.
Sophos researchers have observed that TrickBot and BazarLoader share some of the same tools for command and control. One spam sample was disguised as a notification that the recipient had been laid off from his job.
The links in the email were hosted on BaseCamp or Slack cloud storage, so they could appear genuine if the target works at an organization that uses one of those platforms.
The message body shows a URL pointing to one of the genuine websites, which lends it some credibility. Sophos noted that the URLs may also be obscured with a URL shortening service.
The malware is not easily detected
When the user clicks the malicious link, they unknowingly download the BazarLoader malware, which automatically executes on the target’s system. The link points directly to a digitally signed executable that uses an Adobe PDF graphic as its icon and carries names such as preview-document.exe and presentation-document.exe to keep up the ruse.
When the executable is run, it plants a DLL payload in a legitimate process such as cmd.exe, the Windows command shell.
Another worrying aspect is that the payload evades the scans of endpoint protection tools, because it is never written to the filesystem. In addition, the files do not carry a genuine .DLL suffix.
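The masquerade described above (an executable carrying a document-like name or a non-executable extension) can be caught at download time by comparing a file's name with its actual content. The following is an added example, not code from Sophos or from the article; the keyword list, the extension sets and the minimal PE header used for testing are constructed for illustration.

```python
"""Flag downloads whose name suggests a document but whose content is a Windows PE."""
import re
from pathlib import PurePath

# Constructed list of words the lures used in file names (preview-document.exe etc.).
DOC_WORDS = re.compile(r"document|preview|presentation|invoice|contract|payroll", re.I)
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
PE_EXTS = {".exe", ".dll", ".sys", ".scr", ".ocx"}

def is_pe(data: bytes) -> bool:
    """True when the bytes start with a DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_off = int.from_bytes(data[0x3C:0x40], "little")
    return data[pe_off:pe_off + 4] == b"PE\0\0"

def classify(name: str, data: bytes) -> list[str]:
    """Return the reasons a downloaded file looks suspicious (empty list = nothing found)."""
    suffixes = [s.lower() for s in PurePath(name).suffixes]
    stem = PurePath(name).stem
    reasons = []
    pe = is_pe(data)
    # Content is a PE but the extension claims otherwise (renamed DLL, fake .pdf).
    if pe and (not suffixes or suffixes[-1] not in PE_EXTS):
        reasons.append("pe-magic-extension-mismatch")
    # Executable whose name imitates a document, e.g. preview-document.exe.
    if pe and suffixes and suffixes[-1] in PE_EXTS and DOC_WORDS.search(stem):
        reasons.append("document-like-name-on-executable")
    # Double extension such as invoice.pdf.exe.
    if len(suffixes) >= 2 and suffixes[-1] in PE_EXTS and suffixes[-2] in DOC_EXTS:
        reasons.append("double-extension")
    return reasons

def fake_pe() -> bytes:
    """Constructed minimal PE header (MZ stub + PE signature) for offline testing."""
    hdr = bytearray(0x44)
    hdr[:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr)

if __name__ == "__main__":
    samples = [("preview-document.exe", fake_pe()), ("invoice.pdf", fake_pe()),
               ("payroll.pdf.exe", fake_pe()), ("report.pdf", b"%PDF-1.7\n")]
    for name, data in samples:
        print(f"{name:24} {classify(name, data) or 'clean'}")
```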
The second campaign’s messages contain nothing obviously suspicious, which makes them very difficult to detect: there is no file attachment, no link, and no personal information of any kind in the message body.
The message claims to offer a free trial of an online service and tells the recipient that the trial will expire the next day.
The hackers run a professional-looking website that buries the unsubscribe option in its FAQ section.
This is where the group carries out its operation: BazarLoader is planted on the victim’s system via an official-looking document.
The message purportedly comes from a company called Medical Reminder Service, with a telephone number embedded in the body of the message. It also gives a street address for an office building in Los Angeles.
Last month, however, the messages began referencing a bogus online lending library known as BookPoint.
The subject line referred to BookPoint and included a long reference code or number for users who want to unsubscribe.
The attackers have been very effective in terms of the attack’s potency. According to Sophos, this is because the malware invokes commands that execute further payload DLLs.