BazarBackdoor Spreads via Malicious CSV Files



A new phishing campaign has been discovered that infects targeted devices with malware using specially crafted CSV text files. The malware installed is the BazarBackdoor or BazarLoader trojan.

CSV files are used

  • Researchers have identified 102 actual (non-sandbox) corporate victims, as well as government victims, in the last two days.
  • A security researcher discovered a phishing campaign in which the emails pose as Payment Remittance Advice and contain links to external sites that download a CSV file, document-21966[.]csv.
  • The document-21966[.]csv file is basically a text file with data columns separated by commas, and one of those columns contains an odd WMIC call that runs a PowerShell command.
  • The Dynamic Data Exchange (DDE) call in this campaign uses WMIC to create a new PowerShell process, which accesses a remote URL containing another PowerShell command that is then executed as well.
  • The remote PowerShell script command downloads the picture[.]jpg file and saves it as 87764675478[.]dll. The DLL file is then used to install BazarLoader and to deploy BazarBackdoor and other payloads.
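A defender-side check for the file format described above, as an added example that is not part of the original article: a Python scanner that flags CSV cells Excel would evaluate as formulas and rates DDE-style calls to programs such as WMIC highest. The sample rows, the list of suspicious program names and the severity labels are constructed assumptions.

```python
import csv
import io
import re

# Excel evaluates a cell as a formula when it starts with one of these characters.
FORMULA_PREFIXES = ("=", "+", "-", "@")
# DDE reference shape: APPLICATION|'topic'!item (a program name followed by a pipe).
DDE_RE = re.compile(r"^[=+\-@]\s*([A-Za-z][\w.]*)\s*\|")
# Plain signed numbers such as -250.00 are not formulas.
NUMBER_RE = re.compile(r"[+-]?\d+([.,]\d+)*")
# Assumed list: programs with no business being started from a spreadsheet cell.
SUSPICIOUS_APPS = {"wmic", "cmd", "powershell", "mshta", "rundll32", "regsvr32"}

# Constructed sample; the DDE arguments are an inert placeholder.
SAMPLE = (
    "Invoice,Amount,Reference\n"
    "INV-1001,-250.00,Refund\n"
    "INV-1002,1200.00,=SUM(B2:B3)\n"
    "INV-1003,980.00,\"=WMIC|'CONSTRUCTED-PLACEHOLDER-ARGS'!A0\"\n"
)


def scan_csv(text):
    """Return (row, column, severity, app) for every formula-like cell."""
    findings = []
    for row_no, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        for col_no, cell in enumerate(row, start=1):
            value = cell.strip()
            if not value.startswith(FORMULA_PREFIXES):
                continue
            if NUMBER_RE.fullmatch(value):
                continue
            match = DDE_RE.match(value)
            if match:
                # Normalise "cmd.exe" to "cmd" before the lookup.
                app = match.group(1).lower().split(".")[0]
                severity = "high" if app in SUSPICIOUS_APPS else "medium"
            else:
                app, severity = None, "low"  # ordinary formula, still worth a look
            findings.append((row_no, col_no, severity, app))
    return findings


if __name__ == "__main__":
    for finding in scan_csv(SAMPLE):
        print(finding)
```

A mail or web gateway could quarantine any CSV attachment or download with a "high" finding before it reaches a user who might accept the Excel prompts.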

Additional information

When the CSV file is opened in Excel, the programme detects the DDE call and displays a dialogue box warning the user that a security issue has been detected.

Even if the user enables the feature, Excel will require the user to confirm that WMIC has permission to access the remote data.

If the user agrees to both prompts, Excel runs the PowerShell scripts that download the DLL and install BazarBackdoor.


BazarBackdoor is a significant hazard that allows threat actors to get access to business networks’ systems. As a result, businesses should be aware of this issue and the accompanying attack methods. Furthermore, experts advise deploying dependable anti-malware solutions and training personnel on how to spot phishing emails.


