New BazarBackdoor Attack Discovered

Written by

A security company has reported a new cyber-attack involving a malware family known as both BazarBackdoor and BazarLoader.

Researchers at SophosLabs came across the attack when it arrived in their inboxes. 

“Spamming a security company with a malicious email featuring a novel attack technique might not have been the best decision by the operators,” said Andrew Brandt, principal researcher at Sophos.

The threat actors behind the campaign use socially engineered emails to scare their targets into opening an attachment and clicking on a malicious link. 

Malware is then delivered to the victim through a fairly novel mechanism: the abuse of the appxbundle format used by the Windows 10 app installer.

In the email, the attackers impersonate a company manager and address the victim by name. Using an abrupt and threatening style, the attackers tell the victim that a complaint has been filed against them, and demand to know why this information wasn’t sent to the manager. 

“The messages themselves were very short, but they were crafted with an understanding of the human psychology behind the adrenaline-rush of fear and had been personalized with both the name of the recipient and the targeted organization in both the subject line and the body,” said Brandt.

The recipient is urged to click through to a website where the complaint has seemingly been posted for them to review. This link, if clicked, will eventually lead the user to the malware.

The malware used in this attack steals profiling data, such as the amount of RAM and CPU power that each infected device has. 

Paul Ducklin, principal research scientist at Sophos, said: “The criminals love to know those details, because it helps them decide which computers in their botnet are best suited to which sort of future malicious activity.”

The malware used in the attack includes a function to download and install yet more malware. 

“So, the danger of attacks like this is that although an infection may look and feel like the end of an attack chain, it is really just the beginning of the next one. And you can’t tell in advance what malware comes next,” said Ducklin.

What’s hot on Infosecurity Magazine?