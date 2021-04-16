

Trickbot Actors Target Slack and BaseCamp Users

The threat actors behind the infamous Trickbot botnet have been at work again, firing highly customized phishing emails targeting Slack and BaseCamp users with loader malware, according to Sophos.

The British security vendor’s principal researcher, Andrew Brandt, explained that the campaign first appeared in January.

Malicious emails contained links to malware payloads hosted on the cloud storage services provided by popular collaboration tools like Slack.

“The emails also inserted the names of both the recipient and their employer into the messages, in an attempt to convince their enterprise recipients to download and execute the Trojan payloads temporarily hosted in those legitimate websites,” Brandt explained.

“When a target was convinced to open the documents tied to the spam email, their computer quickly became infected with BazarLoader, which itself acts primarily as a delivery mechanism for other malware. With a focus on targets in large enterprises, BazarLoader could potentially be used to mount a subsequent ransomware attack.”

Sophos also detected a second, more convoluted, campaign from the same actors, dubbed “BazarCall.” The spam message claims that the recipient’s free trial is ending and gives them a number to call in order to avoid paying for a renewal.

“In this later form of attack, only people who called the telephone number were given a URL, and instructed to visit the website where they could unsubscribe from these notifications,” said Brandt.

“The well-designed and professional looking websites bury an ‘unsubscribe’ button in a page of frequently asked questions. Clicking that button delivers a malicious Office document (either a Word doc or an Excel spreadsheet) that, when opened, infects the computer with the same BazarLoader malware.”

Sophos tied the campaigns to Trickbot via shared command and control (C2) infrastructure and the method of injecting malicious payloads into running processes, which it said is similar to Trickbot’s “injectDLL” module.

Although not as sophisticated as Trickbot, the BazarLoader malware appears to be in development and could be a new way for the gang to target high-value businesses going forward, Sophos said.
