BazarLoader Malware Leverages Contact Forms

Industry: N/A | Level: Tactical | Source: AbnormalSecurity

Abnormal Security has observed, BazarLoader to be incorporating online contact forms in its communication and distribution tactic. This recent campaign occurred between December 2021 to January 2022, in which threat actors would pose as a prospective customer looking to obtain a product supply quote. As the communication would appear genuine, the targeted company would typically follow-up the inquiry by initiating an email to which the attacker would respond by providing a link to download a malicious file using file sharing services such as TransferNow and WeTransfer. If downloaded, files for a .iso and .log would be dropped on the victim's workstation. The ISO file is actually a .lnk shortcut file and the .log file is the malicious BazarLoader DLL file. The shortcut file if executed calls regsvr32.exe to run the DLL file in disguise which conducts process injection into svchost.exe. Further analysis of the campaign could not be completed as the command and control (C2) infrastructure was down. The threat actor's objective is likely to be using BazarLoader to deploy Conti ransomware or Cobalt Strike.

• Anvilogic Use Cases:
• Symbolic OR Hard File Link Created
• regsvr32 Execution