BazarLoader Malware: Abuses Slack and BaseCamp Clouds

The primary feature of the BazarLoader downloader, which is written in C++, is to download and execute additional modules. BazarLoader was first discovered in the wild last April, and researchers have discovered at least six variants since then “signaling active and ongoing development”.

According to researchers, the BazarLoader malware is leveraging worker trust in collaboration tools like Slack and BaseCamp, in email messages with links to malware payloads. The attackers have also added a voice-call feature to the attack chain in a secondary campaign targeted at consumers. 

“With a focus on targets in large enterprises, BazarLoader could potentially be used to mount a subsequent ransomware attack,” states Sophos advisory released on Thursday. Adversaries are targeting employees of large companies with emails that purport to provide valuable details related to contracts, customer care, invoices, or payroll, they added. 

Since the links in the emails are hosted on Slack or BaseCamp cloud storage, they can appear genuine if the target works for a company that uses one of those platforms. When a victim clicks on the link, BazarLoader downloads and executes on their device. 

Usually, the links point to a digitally signed executable with an Adobe PDF graphic as its symbol and the files have names like presentation-document.exe, preview-document-[number].exe, or annualreport.exe, according to the researchers. These executable files, when run, inject a DLL payload into a legitimate process, such as the Windows command shell, cmd.exe. 

“The malware, only running in memory, cannot be detected by an endpoint protection tool’s scans of the filesystem, as it never gets written to the filesystem.” Sophos discovered that the spam messages in the second campaign are devoid of anything suspicious: there are no personal details of any sort in the email body, no connection, and no file attachment.

“All the message claims is that a free trial for an online service the recipient claims to be using is about to expire in the next day or two, and it includes a phone number the recipient must call to opt-out of a costly, paid renewal,” researchers explained. 

If a potential victim picks up the call, a friendly person on the other end of the line sends them a website address where they can unsubscribe from the service. These websites bury an unsubscribe button in a page of frequently asked questions and clicking that button delivers a malicious Office document (either a Word doc or an Excel spreadsheet) that, when opened, infects the computer with the same BazarLoader malware. 

The messages claimed to come from a company named Medical Reminder Service and included a phone number as well as a street address for a real office building in Los Angeles. However, starting in mid-April, the messages began to use a ruse involving a fraudulent paying online lending library named BookPoint. 

Researchers have been suspecting that BazarLoader could be related or authored by the TrickBot operators. TrickBot is another first-stage loader malware often used in ransomware campaigns. 

BazarLoader seems to be in its initial developmental stage and isn’t as advanced as more mature families like TrickBot, researchers added. “While early versions of the malware were not obfuscated,” they explained, “more recent samples appear to encrypt strings that could expose the malware’s intended use.”