A new phishing effort has been discovered that infects targeted devices with malware utilising specially prepared CSV text files. The BazarBackdoor or BazarLoader trojan is the malware that has been installed.
CSV files are used
- Researchers have discovered 102 actual non-sandbox firms, as well as government victims, in the last two days.
- A security researcher discovered a phishing campaign in which phishing emails seem to be Payment Remittance Advice, with links to external sites that download a CSV file, document-21966[.]csv.
- The document-21966[.]csv file is basically a text file with data columns separated by commas and an odd WMIC call that runs a PowerShell operation in one of the data columns.
- The Dynamic Data Exchange function (DDE) in this campaign employed WMIC to establish a new PowerShell process that accesses a remote URL with another PowerShell command that is also performed.
- The picture[.]jpg file is downloaded and saved as 87764675478[.]dll by the remote PowerShell script command. BazarLoader is installed and BazarBackdoor and other payloads are deployed using the DLL file.
Additional information
When the CSV file is accessed in Excel, the programme detects the DDE call and displays a dialogue box to users who have been recognised as having a security issue.
Even if the feature is enabled, Excel will require the user to confirm that WMIC has permission to access the remote data.
If the user agrees to both questions, Excel runs the PowerShell scripts that download the DLL and install BazarBackdoor.
Conclusion
BazarBackdoor is a significant hazard that allows threat actors to get access to business networks’ systems. As a result, businesses should be aware of this issue and the accompanying attack methods. Furthermore, experts advise deploying dependable anti-malware solutions and training personnel on how to spot phishing emails.
