BazarBackdoor Malware

Security researchers at Cofense Intelligence analyzed a phishing campaign that utilized a multi-compression technique to deliver BazarBackdoor malware through nested RAR and ZIP archives.

Evading the secure email gateway (SEG) is key to a phishing campaign’s payload reaching its intended victims, and nested archives are an increasingly common way of achieving this.

This phishing campaign shows that “A file with multiple layers of compression can avoid detection by an SEG and reach an end-user”, say the researchers from Cofense.

BazarBackdoor Malware Delivered Through Nested RAR and ZIP Archives

BazarBackdoor is a small Trojan used to gain a foothold on a system and then deploy further malware. It is a stealthy malware downloader assessed to be operated by the same group that runs TrickBot.

A similar BazarBackdoor campaign earlier this month targeted business audiences with an Environment Day theme and an archive attachment.

Environmental day-themed phishing campaign with an archive attachment

Here both attachments are archives of different types, one a .zip and the other a .rar. Each attached archive has several further archives nested within it.

Attached ‘Info.rar’ contains more .rar archives holding the JavaScript file
Attached ‘Brief for’ contains more archives holding the JavaScript file

Cofense Intelligence notes that “The nesting of various archive types is focused on by the threat actor as it has the probability of hitting the SEG’s decompression limit or failing because of an unknown archive type”.

The innermost archives contained JavaScript files that delivered BazarBackdoor, a stealthy backdoor associated with the TrickBot operators and used against corporate targets to give the threat actor remote access.

The payload is shipped as a .png file that is actually an executable; the JavaScript renames it, moves it within the filesystem, and then launches it. The executed payload is a sample of BazarBackdoor.
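The two evasion points described above, the nesting that pushes the JavaScript past a gateway’s decompression limit and the executable relabeled as a .png, can both be caught by a scanner that recurses into archives and checks file content against the claimed extension. The following is an added example written for this article, not code from Cofense or from the campaign; it builds a constructed three-level ZIP sample in memory (the real campaign also used RAR, which the Python standard library cannot open, so a RAR member here is reported as “unknown archive type” rather than inspected), then scans it with a small and a larger depth limit to show what a limit-bound gateway misses. The file names, the 1-vs-3 depth limits and the placeholder contents are assumptions for illustration.

```python
import io
import zipfile

# Magic bytes used to compare a member's content with its extension.
# Windows PE files start with "MZ"; real PNG files start with the PNG signature.
PE_MAGIC = b"MZ"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".wsf", ".hta")
ARCHIVE_EXTENSIONS = (".zip", ".rar")


def build_nested_sample() -> bytes:
    """Constructed sample (not a real campaign artifact): a ZIP containing a ZIP
    containing a ZIP whose members are a JavaScript file and a PE file named .png."""
    innermost = io.BytesIO()
    with zipfile.ZipFile(innermost, "w") as z:
        z.writestr("Brief.js", "// placeholder script text, constructed for this example\n")
        # A fake PE header: "MZ" followed by filler bytes, nothing executable.
        z.writestr("logo.png", PE_MAGIC + b"\x90\x00\x03\x00" + b"\x00" * 60)
    middle = io.BytesIO()
    with zipfile.ZipFile(middle, "w") as z:
        z.writestr("Info2.zip", innermost.getvalue())
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Info1.zip", middle.getvalue())
    return outer.getvalue()


def scan_archive(data: bytes, max_depth: int, depth: int = 0, path: str = "") -> list:
    """Recursively open archive members up to max_depth and return (member, verdict) pairs.

    A gateway with a fixed decompression limit behaves like a small max_depth: anything
    nested deeper is never inspected.  Members that cannot be opened as ZIP (for example
    a RAR, which the standard library does not read) are reported as not inspected, which
    mirrors the 'unknown archive type' failure the report describes.
    """
    findings = []
    if depth > max_depth:
        findings.append((path, "not-inspected: exceeds decompression limit"))
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings.append((path, "not-inspected: unknown archive type"))
        return findings
    with zf:
        for info in zf.infolist():
            member_path = f"{path}/{info.filename}" if path else info.filename
            content = zf.read(info)
            name = info.filename.lower()
            if name.endswith(ARCHIVE_EXTENSIONS):
                findings.extend(scan_archive(content, max_depth, depth + 1, member_path))
            elif name.endswith(SCRIPT_EXTENSIONS):
                findings.append((member_path, "script file in archive"))
            elif name.endswith(".png") and not content.startswith(PNG_MAGIC):
                # Extension says image, content says otherwise: the relabeling trick.
                if content.startswith(PE_MAGIC):
                    findings.append((member_path, "PE executable relabeled as .png"))
                else:
                    findings.append((member_path, "extension/content mismatch"))
    return findings


if __name__ == "__main__":
    sample = build_nested_sample()
    for limit in (1, 3):
        print(f"max_depth={limit}")
        for member, verdict in scan_archive(sample, max_depth=limit):
            print(f"  {member}: {verdict}")
```

With `max_depth=1` the scanner only reports that `Info1.zip/Info2.zip` was not inspected, which is exactly the blind spot the nesting exploits; with `max_depth=3` it reaches the JavaScript file and flags the `.png` whose content begins with a PE header. A practical scanner should treat “not inspected” as a reason to quarantine, not as a clean result.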

Researchers state that BazarBackdoor may then download and execute Cobalt Strike, a legitimate post-exploitation toolkit, to spread across the environment.

Phishing attacks continue to succeed as tactics evolve. After gaining access to the systems on the network, threat actors can initiate ransomware attacks, steal sensitive information, or sell the access to other cybercriminals.
