The threat actors behind the infamous Trickbot botnet have been at work again, firing highly customized phishing emails targeting Slack and BaseCamp users with loader malware, according to Sophos.
The British security vendor’s principal researcher, Andrew Brandt, explained that the campaign first appeared in January.
Malicious emails contained links to malware payloads hosted on the cloud storage services provided by popular collaboration tools like Slack.
“The emails also inserted the names of both the recipient and their employer into the messages, in an attempt to convince their enterprise recipients to download and execute the Trojan payloads temporarily hosted in those legitimate websites,” Brandt explained.
“When a target was convinced to open the documents tied to the spam email, their computer quickly became infected with BazarLoader, which itself acts primarily as a delivery mechanism for other malware. With a focus on targets in large enterprises, BazarLoader could potentially be used to mount a subsequent ransomware attack.”
Sophos also detected a second, more convoluted, campaign from the same actors, dubbed “BazarCall.” The spam message claims that the recipient’s free trial is ending and gives them a number to call in order to avoid paying for a renewal.
“In this later form of attack, only people who called the telephone number were given a URL, and instructed to visit the website where they could unsubscribe from these notifications,” said Brandt.
“The well-designed and professional looking websites bury an ‘unsubscribe’ button in a page of frequently asked questions. Clicking that button delivers a malicious Office document (either a Word doc or an Excel spreadsheet) that, when opened, infects the computer with the same BazarLoader malware.”
Sophos tied the campaigns to Trickbot via shared command and control (C2) infrastructure and the method of injecting malicious payloads into running processes, which it said it similar to Trickbot’s “injectDLL” module.
Although not as sophisticated as Trickbot, the BazarLoader malware appears to be in development and could be a new way for the gang to target high-value businesses going forward, Sophos said.