Researchers have observed the BazarLoader information stealer, known for providing initial access for various ransomware affiliates, expanding its delivery methods to now include the use of compromised software installers and the abuse of ISO files.
The loader, which was first observed in April 2020, primarily acts as a delivery mechanism for second-stage malware, including several high-profile ransomware families like Ryuk, Conti and Zeppelin. Over the past year, researchers have observed an increase in BazarLoader (along with Trickbot) deliveries, which they said have likely led to a corresponding increase in Conti ransomware attacks since June.
“The number of arrival mechanism variations used in BazarLoader campaigns continue to increase as threat actors diversify their attack patterns to evade detection,” said Ian Kenefick, threat analyst with Trend Micro, in a Tuesday analysis.
Previously, BazarLoader relied on a unique delivery mechanism that researchers with Proofpoint said they observed since February, which leveraged a combination of emails and phone-based “customer service representatives” for carrying out attacks. Here, spam emails instructed victims to call a phone number, which led to an attacker-controlled call center that gave victims a URL and directed them to download a malicious file. This tactic also helped attackers bypass email protection filters that would block out malicious links or attachments. Researchers with Palo Alto Network’s Unit 42 team in July also observed BazarLoader spread via a copyright violation-themed campaign using ZIP archives, and through English-language emails sent by the TA551 threat group.
In new attacks, which targeted victims in the Americas, researchers observed BazarLoader attackers expanding their delivery methods to use compromised versions of legitimate installers (the VLC media player and the TeamViewer remote access and remote control software) and convincing victims to download them. Once run, these installers dropped a BazarLoader executable, another notable difference from recent BazarLoader delivery methods, which instead relied on dynamic link libraries (DLLs).
“While the initial delivery mechanism has yet to be identified, it’s possible that the use of these packages are part of a wider social engineering technique to deceive users into downloading and implementing the compromised installers,” said researchers.
Another recently observed delivery method abused ISO files, archive files containing an identical copy (or image) of the data found on an optical disc. Here, the abused ISO file would download a Windows shortcut (LNK) and a DLL payload. The LNK file used a folder icon on victims’ systems in order to deceive them into clicking on it; once clicked, the enclosed BazarLoader DLL file would run. The DLL then called an export function previously used by BazarLoader, “EnterDLL,” to load a malicious DLL and communicate with the command-and-control (C2) server. This then spawned a suspended Microsoft Edge process and injected itself into it, said researchers.
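As an added example (not code from the article or from Trend Micro), the following defender-side check looks for two observables in the ISO/LNK/DLL chain described above, run over constructed Sysmon-style process-creation records. It assumes the DLL export is invoked through rundll32.exe and that Edge appears as msedge.exe; the article states neither, and the drive letter and file names in the sample events are constructed.

```python
# Added example: detection logic for the BazarLoader ISO -> LNK -> DLL chain.
# Assumptions (not stated in the article): the "EnterDLL" export is invoked via
# rundll32.exe, and the injected Microsoft Edge process runs as msedge.exe.
import re

# Constructed sample process-creation events (pid, parent image, image, command line).
SAMPLE_EVENTS = [
    {"pid": 100, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r'rundll32.exe "E:\Documents\Documents.dll",EnterDLL'},   # constructed
    {"pid": 101, "parent": r"C:\Windows\System32\rundll32.exe",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmd": r'"msedge.exe"'},
    {"pid": 102, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe shell32.dll,Control_RunDLL"},              # benign
    {"pid": 103, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmd": r'"msedge.exe" --profile-directory=Default'},            # benign
]

# rundll32 <anything>,EnterDLL : the export name the article attributes to BazarLoader.
ENTERDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+.*,\s*EnterDLL\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_enterdll_calls(events):
    """PIDs of rundll32.exe processes whose command line invokes the EnterDLL export."""
    return [e["pid"] for e in events
            if basename(e["image"]) == "rundll32.exe" and ENTERDLL_RE.search(e["cmd"])]


def find_edge_spawned_by_rundll32(events):
    """PIDs of msedge.exe processes whose parent is rundll32.exe (injection target)."""
    return [e["pid"] for e in events
            if basename(e["image"]) == "msedge.exe" and basename(e["parent"]) == "rundll32.exe"]


def detect(events):
    """Return sorted (pid, reason) findings for both observables."""
    findings = [(p, "rundll32 invoking EnterDLL export") for p in find_enterdll_calls(events)]
    findings += [(p, "msedge.exe spawned by rundll32.exe") for p in find_edge_spawned_by_rundll32(events)]
    return sorted(findings)


if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

Both rules are cheap to run against existing process-creation telemetry; the parent-child rule catches the injection step even if the export name changes.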
While neither of these two techniques is novel, researchers said they indicate how BazarLoader is expanding its delivery capabilities in an effort to sidestep detection.
“For instance, while the use of compromised installers has been observed with other malware, the large file size can still challenge detection solutions — such as sandboxes — which may implement file size limits,” Kenefick said. “On the other hand, LNK files serving as shortcuts will also likely be obfuscated for the additional layers created between the shortcut and the malicious files itself.”
Researchers warn that the loader will continue to evolve, and stress that BazarLoader detections should be prioritized as ransomware attacks continue to pose a challenge to organizations. BazarLoader has several troubling capabilities allowing ransomware affiliates to conduct reconnaissance, including the ability to root out decoy systems or analysis and sandbox environments. Reconnaissance also helps ransomware operators filter infected environments to those more likely to yield a ransom payout.
“The deployment of BazarLoader malware for initial access is a known technique for modern ransomware such as Conti and Ryuk as service affiliates,” said researchers. “Aside from these known ransomware families including more tools for entry into their arsenal, other malware groups and ransomware operators may pick up on the additional means, if they have not already done so.”