Hackers Spread BazarBackdoor Malware Via Website Contact Forms

Once again, the BazarBackdoor malware is running active campaigns in the wild, this time delivered through maliciously crafted website contact-form submissions. These campaigns typically target corporate employees, as the threat actors use contact-form requests with a corporate feel to lure victims.

BazarBackdoor Malware Exploiting Contact Forms

According to a recent report from Abnormal Security, criminal hackers are now distributing BazarBackdoor malware to corporate victims.

This isn't the first time BazarBackdoor has been caught in phishing campaigns; it has appeared numerous times in previous years as well. But the recent BazarBackdoor phishing campaign, which started in December 2021, differs in that the threat actors exploit corporate contact forms.

As described, the attack begins when the victim receives an email from a fake company asking for some information. In the example the report describes, the attackers posed as a construction company seeking quotes, and they submitted the request through the target's website contact form.

The victim's response to the contact-form request then starts the communication and, with it, the actual attack. In the next step, the attackers send the victim an ISO file, apparently to share information relevant to the exchange. In reality, this malicious archive contains the malware.

This strategy also serves as an evasion tactic. As the report states,

At first glance, the overall volume of messages seemed low; however, as we continued researching these attacks, it became clear that the volume was artificially deflated because email was not the initial communication method used.

To further evade detection and ensure the download succeeds at the victim's end, the attackers use third-party file transfer services such as TransferNow and WeTransfer.

After a successful infection, the malware executes its intended malicious activities. The researchers believe the attackers intend to carry out a multi-stage attack. This malware is known for its association with Conti ransomware and Cobalt Strike. However, the exact trail remains unclear.
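As an added example (not code from the article or from Abnormal Security), the Python heuristic below shows how a mail-security team might triage inbound messages for the delivery pattern described above: a thread that originated from a website contact-form submission, a link to a third-party file transfer service, quote-request lure wording, and an ISO disk image as the delivered payload. All message records are constructed; the service domains and the scoring weights are assumptions for illustration.

```python
"""Added example: score inbound mail for the contact-form -> file-transfer
-> ISO delivery chain the article describes. Not the article's or the
researchers' code; message records below are constructed samples."""

import re
from dataclasses import dataclass, field

# TransferNow and WeTransfer are the services the article names; the exact
# domains and the weights below are assumptions for this example.
FILE_TRANSFER_DOMAINS = {"wetransfer.com", "transfernow.net"}
CONTAINER_EXTENSIONS = {".iso"}
LURE_RE = re.compile(r"\b(quote|quotation|estimate)\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)
    from_contact_form: bool = False  # thread began as a submission to our web form


def extract_domains(text):
    """Return the last two labels of every URL host in text, lowercased."""
    out = set()
    for host in URL_RE.findall(text):
        parts = host.lower().split(".")
        out.add(".".join(parts[-2:]) if len(parts) >= 2 else parts[0])
    return out


def score_message(msg):
    """Return (score, reasons); higher score means more review-worthy."""
    score, reasons = 0, []
    transfer_hits = extract_domains(msg.body) & FILE_TRANSFER_DOMAINS
    if transfer_hits:
        score += 2
        reasons.append("file-transfer link: " + ", ".join(sorted(transfer_hits)))
    for name in msg.attachments:
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in CONTAINER_EXTENSIONS:
            score += 3  # a disk image is rare in legitimate corporate mail
            reasons.append(f"disk-image attachment: {name}")
    if msg.from_contact_form:
        score += 1
        reasons.append("thread originated from website contact form")
    if LURE_RE.search(msg.subject + " " + msg.body):
        score += 1
        reasons.append("quote-request lure wording")
    return score, reasons


def triage(messages, threshold=3):
    """Return (sender, score, reasons) for every message at or above threshold."""
    flagged = []
    for m in messages:
        score, reasons = score_message(m)
        if score >= threshold:
            flagged.append((m.sender, score, reasons))
    return flagged


# Constructed sample traffic, not real messages.
SAMPLE = [
    Message("sales@example-construction.test", "Re: Quote request",
            "Specs are here: https://wetransfer.com/downloads/abc123",
            from_contact_form=True),
    Message("colleague@ourcorp.test", "Lunch", "Noon?"),
    Message("vendor@supplier.test", "Invoice", "Attached", ["invoice.pdf"]),
    Message("estimates@builder-co.test", "Project documents", "Files attached",
            ["project_docs.iso"]),
]

if __name__ == "__main__":
    for sender, score, reasons in triage(SAMPLE):
        print(sender, score, "; ".join(reasons))
```

The weights are deliberately simple: no single signal is conclusive on its own, but a contact-form-originated thread that moves to a file-sharing link, or any ISO attachment at all, crosses the review threshold. In a real deployment the `from_contact_form` flag would come from correlating the mail thread with the web form's submission log.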

