Attackers are filling out companies' online contact forms and posing as potential customers in order to gain their trust before attempting to infect them with the BazarLoader malware.
Researchers observed campaigns as recently as this week in which the attackers posed as employees of a Canadian luxury construction company looking for a quote on a product from the target. The attackers first “attempted to improve their credibility” by contacting the targets via their online forms. Then, during the follow-up correspondence, the attackers used emails from spoofed domains (with the top-level domain changed from .com to .us) that impersonated a known business.
This well-known tactic is effective because the use of contact forms disguises the communication as a seemingly legitimate request, which may not be as obvious as phishing emails that merely send malicious files and raise red flags from the start. It also circumvents potential email defenses, as the initial request does not contain any malicious content, said researchers.
“Once the contact form request has been submitted by the attacker, they simply wait until someone at the target company reaches out to them to follow up,” said Belem Regalado and Rachelle Chouinard, researchers with Abnormal Security in an analysis this week. “From the perspective of an email system, the target company is initiating conversation with the attacker rather than the other way around.”
After the target followed up, the attackers continued the project negotiations with them before eventually convincing them to download a malicious .iso file via file-sharing services such as TransferNow or WeTransfer, which in turn downloaded BazarLoader.
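The two indicators the article describes, a reply from a domain that matches a known counterparty except for a swapped TLD (.com to .us) and a link to a file-sharing service or an .iso file, are both easy to check on inbound mail before it reaches the person who submitted the quote request. The following is an added example written for this page, not code from Abnormal Security or any vendor. The partner allowlist, the sample From: header and message body are constructed, and the file-sharing hostnames are assumptions to tune for your own environment.

```python
import re
from email.utils import parseaddr

# Constructed allowlist of counterparties the organisation actually deals with.
# Assumption: a defender maintains something like this; the names are made up.
KNOWN_PARTNER_DOMAINS = {"northstar-homes.com", "examplesupplier.com"}

# File-sharing services named in the reporting. The hostnames are assumed for
# this example; adjust to what your mail logs actually show.
FILE_SHARING_HOSTS = ("transfernow.net", "wetransfer.com")
SUSPICIOUS_EXTENSIONS = (".iso",)

# A few multi-label public suffixes treated as one TLD when comparing domains.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def split_domain(domain):
    """Return (registrable_name, tld), e.g. 'mail.acme.co.uk' -> ('acme', 'co.uk')."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) < 2:
        return domain.lower(), ""
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return labels[-3], ".".join(labels[-2:])
    return labels[-2], labels[-1]


def sender_domain(from_header):
    """Extract the domain of the address in a From: header value."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def check_tld_swap(from_header, known=KNOWN_PARTNER_DOMAINS):
    """Flag a sender whose domain shares its registrable name with a known
    partner but uses a different TLD (the .com -> .us swap described above).
    Returns a finding dict, or None when nothing suspicious is seen."""
    dom = sender_domain(from_header)
    if not dom or dom in known:
        return None
    name, tld = split_domain(dom)
    for partner in known:
        pname, ptld = split_domain(partner)
        if name == pname and tld != ptld:
            return {"sender": dom, "lookalike_of": partner,
                    "swapped_tld": f".{ptld} -> .{tld}"}
    return None


def _host_matches(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)


def flag_file_sharing_links(body):
    """Return URLs in a message body that point at a file-sharing host or
    directly at an .iso file; either deserves review in supplier correspondence."""
    hits = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,);")                 # drop trailing punctuation
        host = url.split("/", 3)[2].lower()      # 'https://host/path' -> host
        host = host.split("@")[-1].split(":")[0]  # strip userinfo and port
        path = url.lower().split("?", 1)[0]
        if _host_matches(host, FILE_SHARING_HOSTS) or path.endswith(SUSPICIOUS_EXTENSIONS):
            hits.append(url)
    return hits


def triage_reply(from_header, body, known=KNOWN_PARTNER_DOMAINS):
    """Run both checks on one inbound reply and collect the findings."""
    findings = {}
    swap = check_tld_swap(from_header, known)
    if swap:
        findings["tld_swap"] = swap
    links = flag_file_sharing_links(body)
    if links:
        findings["file_sharing_links"] = links
    return findings


# Constructed sample reply modelled on the correspondence described in the article.
SAMPLE_FROM = "Procurement <quotes@northstar-homes.us>"
SAMPLE_BODY = (
    "Hi, thanks for getting back to us about the quote. The drawings are too "
    "large to attach, please download them here: "
    "https://wetransfer.com/downloads/EXAMPLE-ID (the archive is project_docs.iso)."
)

if __name__ == "__main__":
    print(triage_reply(SAMPLE_FROM, SAMPLE_BODY))
```

Because the target's staff initiate the thread, reputation-based filters see a reply to an outbound message; a check like this one keys on what the reply contains rather than on who started the conversation, which is the gap the article says the attackers rely on.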
“Often this involved some level of social engineering to find a download method not blocked by the victim’s security protocols, without arousing their suspicion,” said researchers.
While researchers could not confirm the next steps of the attack after victims were initially infected with the dropper, they noted that BazarLoader is typically used as first-stage malware in a more sophisticated, multi-stage malware attack, with attackers often deploying the Conti ransomware or Cobalt Strike in the next phase. BazarLoader also has several capabilities that enable ransomware affiliates to conduct reconnaissance, including the ability to root out decoy systems or analysis and sandbox environments.
“These tools, used separately or in conjunction, help threat actors penetrate networks,” said researchers. “At that point, the possibilities for chaos are myriad. Consequences range from unauthorized payments and fund dispersals to total system shutdown and even persistent long-term network intrusion.”
The Windows-based malware has typically been spread through various email-based methods and provides cybercriminals with backdoor access to victims’ environments. Starting last year, researchers observed BazarLoader campaigns using these customer inquiry forms with “attention-seeking themes to garner artificial urgency,” such as threatening legal action for copyright violations.
Attackers distributing the BazarLoader malware have used a number of other delivery methods, including compromised software installers and the abuse of .iso files. Previously, BazarLoader attackers also relied on a unique delivery mechanism that researchers with Proofpoint said they had observed since February, which combined emails with phone-based “customer service representatives” to carry out attacks. Here, spam emails instructed victims to call a phone number, which led to an attacker-controlled call center that gave victims a URL and directed them to download a malicious file.