The primary feature of the BazarLoader downloader, which is written in C++, is to download and execute additional modules. BazarLoader was first discovered in the wild last April, and researchers have discovered at least six variants since then “signaling active and ongoing development”.
According to researchers, the BazarLoader malware is leveraging worker trust in collaboration tools like Slack and BaseCamp, in email messages with links to malware payloads. The attackers have also added a voice-call feature to the attack chain in a secondary campaign targeted at consumers.
“With a focus on targets in large enterprises, BazarLoader could potentially be used to mount a subsequent ransomware attack,” states Sophos advisory released on Thursday. Adversaries are targeting employees of large companies with emails that purport to provide valuable details related to contracts, customer care, invoices, or payroll, they added.
Since the links in the emails are hosted on Slack or BaseCamp cloud storage, they can appear genuine if the target works for a company that uses one of those platforms. When a victim clicks on the link, BazarLoader downloads and executes on their device.
Usually, the links point to a digitally signed executable with an Adobe PDF graphic as its symbol and the files have names like presentation-document.exe, preview-document-[number].exe, or annualreport.exe, according to the researchers. These executable files, when run, inject a DLL payload into a legitimate process, such as the Windows command shell, cmd.exe.
“The malware, only running in memory, cannot be detected by an endpoint protection tool’s scans of the filesystem, as it never gets written to the filesystem.” Sophos discovered that the spam messages in t ..