Although phishing emails are still the traditional attack vector, attackers have not given up looking for new attack methods. Recently, researchers discovered that BazarLoader launched attacks through online forms.
BazarLoader is credited with being extremely closely associated with the cybercrime organization Wizard Spider, which is widely known for developing the Trickbot Bank Trojan and the Conti Ransomware.
In 2021, BazarLoader was spreading under the guise of pirated content. Attackers threatened legal action against persistent copyright infringements, and the malware was described as evidence of misconduct.
Online forms
Between December 2021 and January 2022, the researchers found that the attackers did not send phishing emails directly to launch the attack, but through an online form.
The attackers masquerade as employees of a Canadian luxury construction company seeking a quote for the product. Attackers choose this method for two purposes:
Disguise traffic as legitimate traffic
Sent by legitimate senders, malicious message detection was evaded
The attacker only needs to wait for the victim of the target company to take the initiative to deliver it.
Send malicious samples
After confirming the identity via email, the attacker will lure the victim into downloading the malicious file in the name of project negotiations.
Attackers typically use the file-sharing services TransferNow and WeTransfer for sample delivery.
Link to TransferNow to download malware.
BazarLoader malware
The attackers shared .iso files that contained two files disguised as different file types. It appears that one of them is a shortcut to the folder you are in, and the other is a .log file with a legitimate Windows file name. In fact, one is an LNK file for Windows and the other is a DumpStack .log file.
Malware sent through TransferNow
Shortcuts allow the creator to specify command-line arguments to perform actions on the victim’s device, and attackers often exploit this type of file for attacks.
ISO file
LNK files use regsvr-32.exe open terminals to run DumStack .log, which is a DLL file of BazarLoader.
LNK file
The DLL evades detection by process injecting svchost .exe and uses port 443 to communicate with the C&C server 13.107.21.200.
process
Establish a connection
Establish a connection
Some of the C&C servers were down at the time of the investigation and could not download subsequent payloads. Depending on the data association, relevant malware links can be discovered.
Correlation diagram
Malware associated with IP addresses is as follows:
Malicious samples
summary
Attackers impersonate well-known businesses to create similar domain names to gain the victim’s trust, such as changing the .com top-level domain to .us.
BazarLoader is often part of a multi-stage malware that can be followed by the deployment of Conti Ransomware or a Cobalt Strike malicious sample.
IOC
104.215.148.63
45.15.131.126
148.163.42.203
45.41.204.150
193.169.86.84
76.6.231.20
131.253.33.200
72.21.91.29
97806F6DA402F135FA0556ADF5809D6D3BC629E967A0771B9FEB5BA55267D560
8395B26BE4A7D57F9B60839257C3E7B9E6756DBBEB818DE6575987D6E041C8FD
CE6E63191588E449DE4AB45FF4D32E1BBD1C67681C74C32DE3A4DB63331278CC
