- July 16, 2021
- Posted by: administrator
- Category: Security News
Security researchers have detected a new phishing campaign that tried to deliver the BazarBackdoor malware by using a multi-compression technique and disguising the payload as an image file.
The multi-compression, or nested archive, method is not new but has gained popularity recently because it can trick email security gateways into mislabeling malicious attachments as clean.
It consists of placing an archive within another archive. Researchers at Cofense say this method can bypass some secure email gateways (SEGs), which may limit how deep they inspect a compressed file.
The new BazarBackdoor campaign was deployed earlier this month and lured enterprise recipients with an “Environmental Day” theme, a day officially celebrated on June 5.
Cofense explains that “nesting of various archive types is purposeful by the threat actor as it has the chance of hitting the SEG’s decompression limit or fails because of an unknown archive type.”
Obfuscated files can also pose problems for an SEG if there are several layers of encryption around the payload, increasing the chances of the malicious file passing undetected.
Once deployed on a victim's computer, BazarBackdoor may download and execute Cobalt Strike, a legitimate toolkit designed for post-exploitation exercises, to spread laterally in the environment.
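As an added example (not from the article or from Cofense), a small Python checker that does what the gateways described above may fail to do: identify each layer by magic bytes instead of trusting the extension, recurse into nested zip/tar archives, and report when it reaches its own depth limit instead of passing the unopened remainder as clean. The supported formats, the depth limit and the sample attachment are all constructed for illustration.

```python
import io, tarfile, zipfile

# Constructed signatures; a real gateway would use a full file-type library.
MAGIC = {b"PK\x03\x04": "zip", b"\x89PNG": "png", b"\xff\xd8\xff": "jpeg"}
IMAGE_EXTS = {"png", "jpg", "jpeg", "gif"}

def sniff(data):
    """Identify content by magic bytes rather than trusting the file name."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    if len(data) >= 262 and data[257:262] == b"ustar":  # POSIX tar marker
        return "tar"
    return "unknown"

def inspect(name, data, depth=0, max_depth=2, findings=None):
    """Walk nested archives, flagging image masquerading and depth-limit hits."""
    findings = [] if findings is None else findings
    kind = sniff(data)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    is_archive = kind in ("zip", "tar")
    if is_archive and ext in IMAGE_EXTS:
        findings.append(f"{name}: {kind} archive masquerading as image")
    if is_archive and depth >= max_depth:
        # A gateway that stops here without a verdict would let the rest through.
        findings.append(f"{name}: archive at depth {depth} exceeds limit {max_depth}")
        return findings
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    inspect(info.filename, zf.read(info), depth + 1, max_depth, findings)
    elif kind == "tar":
        with tarfile.open(fileobj=io.BytesIO(data)) as tf:
            for m in tf.getmembers():
                if m.isfile():
                    inspect(m.name, tf.extractfile(m).read(), depth + 1, max_depth, findings)
    return findings

def build_sample():
    """Constructed attachment: zip -> tar -> 'EnvironmentalDay.png' that is really a zip."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("document.txt", "harmless placeholder for the example")
    mid = io.BytesIO()
    with tarfile.open(fileobj=mid, mode="w") as t:
        ti = tarfile.TarInfo("EnvironmentalDay.png")
        ti.size = len(inner.getvalue())
        t.addfile(ti, io.BytesIO(inner.getvalue()))
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Environmental_Day.tar", mid.getvalue())
    return outer.getvalue()
```

With the default limit of 2 the checker reports both the disguised archive and the depth-limit hit for the sample; raising `max_depth` lets it open the innermost layer and leaves only the masquerading finding.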
After gaining access to high-value systems on the network, threat actors can launch ransomware attacks, steal sensitive information, or sell the access to other cybercriminals.
Earlier this year, security researchers discovered a BazarBackdoor variant written in the Nim programming language, showing the effort the Trickbot developers go to in order to keep the malware undetected and relevant to cybercriminal activities.
NOTE: This article is copyright of bleepingcomputer.com and is used here for educational or informational purposes only.