Cybercriminals have found a cunning new way to evade security protections
BazarBackdoor operators are circumventing email protections with contact forms
As email gateways become better at spotting malicious messages, operators of the sinister BazarBackdoor malware are resorting to changing up their tactics.
According to reports from BleepingComputer, the TrickBot group, which created the malware, no longer tries to infect new endpoints directly via email, but rather through website contact forms.
Citing a report from cybersecurity experts Abnormal Security, the publication says the new campaign probably kicked off in December 2021, targeting corporate endpoints with Cobalt Strike or ransomware.
Deploying the BazarBackdoor DLL
The method is simple: instead of directly sending an email, the threat actor will use corporate contact forms to kick off communication, most often posing as a business requesting a product supply quote.
Once the target responds to the message, the attacker will send a malicious ISO file, claiming it’s relevant to the communication. The ISO file won’t be attached directly, though, but instead will first be uploaded to third-party file-sharing services, such as TransferNow or WeTransfer.
The ISO archive carries two files, the researchers suggest: one .lnk file and one .log file. By grouping these files together, and having the victim extract them manually after download, the threat actors hope to evade any email protection services that the target might have set up.
Once the target runs the .lnk file, it will open a terminal window and load the .log file - the BazarBackdoor DLL.
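A defender-side check for the lure layout described above (a .lnk launcher sitting next to a .log file that is really a PE DLL), written as an added example for this article and not taken from BleepingComputer or Abnormal Security. It assumes the ISO has already been extracted or mounted into a folder; the sample files it builds are constructed for the demonstration.

```python
"""Flag folders that match the BazarBackdoor lure layout: a .lnk file
next to a .log file whose content is actually a Windows PE image."""
import os
import struct
import tempfile
from pathlib import Path


def is_pe_file(path: Path) -> bool:
    """True if the file starts with an MZ header and the e_lfanew offset points at 'PE\\0\\0'."""
    try:
        with open(path, "rb") as f:
            head = f.read(0x40)
            if len(head) < 0x40 or head[:2] != b"MZ":
                return False
            pe_offset = struct.unpack_from("<I", head, 0x3C)[0]
            f.seek(pe_offset)
            return f.read(4) == b"PE\0\0"
    except OSError:
        return False


def find_suspicious_pairs(root: str) -> list:
    """Return (lnk_path, log_path) pairs where a .log neighbour of a .lnk is a PE file."""
    findings = []
    for dirpath, _, files in os.walk(root):
        lnks = [f for f in files if f.lower().endswith(".lnk")]
        logs = [f for f in files if f.lower().endswith(".log")]
        if not lnks or not logs:
            continue  # the lure needs both files side by side
        for log in logs:
            log_path = Path(dirpath) / log
            if is_pe_file(log_path):
                findings.extend((str(Path(dirpath) / lnk), str(log_path)) for lnk in lnks)
    return findings


def build_demo(folder: str) -> None:
    """Construct a sample 'extracted ISO': a fake .lnk, a PE-looking .log and a benign .log."""
    # Minimal DOS header: 'MZ', padding, e_lfanew = 0x40, then the PE signature at 0x40.
    fake_dll = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 16
    (Path(folder) / "Quote_Request.lnk").write_bytes(b"L\0\0\0" + b"\0" * 16)
    (Path(folder) / "document.log").write_bytes(fake_dll)
    (Path(folder) / "install.log").write_text("2021-12-01 plain text log line\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as demo:
        build_demo(demo)
        for lnk, log in find_suspicious_pairs(demo):
            print(f"suspicious pair: {lnk} -> {log}")
```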
BazarBackdoor is built to provide its operators with remote access to an internal device, and as such, is usually used as a stepping stone towards the deployment of more destructive malware or ransomware.
Given that BazarBackdoor is the first stage in a multi-stage attack, the researchers expect the malware to deploy the stage-two payload. However, many of the C2 IPs are offline, preventing researchers from discovering the campaign’s endgame.
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.