Malware developers are becoming more innovative and have designed new methods for spreading infected files

Jul 19, 2021 16:53 GMT  ·  By

A revamped BazarBackdoor was discovered that disguises the malware as an image file. The approach fools Secure Email Gateways (SEGs) into treating malicious attachments as clean files, according to Cyware.

Cofense cybersecurity experts found that BazarBackdoor's multi-compression (nested archive) approach is able to bypass some SEG services because those services have only a limited ability to fully unpack and scan compressed files. According to the experts, the approach is becoming increasingly popular among hackers because it increases the likelihood that dangerous files will evade detection.

BazarBackdoor began its new campaign last month, using an Environmental Day theme on June 5th. The threat actor attaches the malicious files to the email as ZIP and RAR archives. Inside is a JavaScript file that delivers BazarBackdoor to the targeted computers. It goes without saying that the JavaScript file is obfuscated; once activated, it downloads a malicious payload that has been given an image file extension.

What is the method through which the malware is camouflaged?

Archives are nested for various reasons, such as exceeding the decompression depth an SEG is able to handle, or causing the scan to fail on an archive type the SEG does not recognize. Once run, the obfuscated JavaScript fetches the BazarBackdoor payload over an HTTP GET request as a file with a PNG extension. That file is actually an executable carrying the wrong extension.
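Both tricks described above, nesting archives deeper than a scanner will unpack and giving an executable an image extension, can be checked for on the receiving side. The following Python script is an added example written for this article, not code from Cofense, Cyware or the BazarBackdoor operators. It recursively unpacks nested ZIP archives (RAR support is not in the standard library, so the example assumes ZIP only) up to a fixed depth, flags any member whose magic bytes do not match its extension, flags scripts inside archives, and flags archives nested deeper than the limit. The sample archive it builds is constructed in memory: the "payload.png" member is just an "MZ" header followed by zeros, not a real executable.

```python
import io
import zipfile

# Magic-byte signatures used to check whether a file's content matches its extension.
# An executable renamed to .png begins with "MZ", not with the PNG signature.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".exe": b"MZ",
    ".zip": b"PK\x03\x04",
}
MAX_DEPTH = 3  # nesting depth beyond which we flag rather than keep unpacking


def ext_of(name):
    """Return the lowercased extension of a path, or '' if it has none."""
    name = name.lower()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def inspect(data, name, depth=0, findings=None):
    """Recursively walk nested ZIP archives and record suspicious members.

    Returns a list of (member_path, reason) tuples, in the order encountered."""
    if findings is None:
        findings = []
    ext = ext_of(name)

    # 1. Content/extension mismatch: e.g. an MZ executable named something.png
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        actual = next((e for e, m in MAGIC.items() if data.startswith(m)), "unknown")
        findings.append((name, f"extension {ext} but content looks like {actual}"))

    # 2. Script files inside an archive are a common loader stage
    if ext == ".js":
        findings.append((name, "script inside archive"))

    # 3. Nested archive: either descend or flag excessive nesting
    if data.startswith(MAGIC[".zip"]):
        if depth >= MAX_DEPTH:
            findings.append((name, f"archive nested deeper than {MAX_DEPTH}"))
            return findings
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                inspect(zf.read(info), f"{name}/{info.filename}", depth + 1, findings)
    return findings


def wrap(data, member_name):
    """Return the bytes of a new ZIP archive containing a single member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(member_name, data)
    return buf.getvalue()


def build_sample():
    """Constructed sample: outer.zip -> inner.zip -> (loader.js, payload.png).

    payload.png is a fake PE header (MZ + zeros), not a real executable."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("loader.js", "/* constructed stand-in for an obfuscated downloader */")
        z.writestr("payload.png", b"MZ" + b"\x00" * 62)
    return wrap(inner.getvalue(), "inner.zip")


if __name__ == "__main__":
    for path, reason in inspect(build_sample(), "outer.zip"):
        print(f"{path}: {reason}")
```

A production gateway would additionally cap the total uncompressed size it is willing to read (a nested archive can also be a decompression bomb) and would hand unrecognized archive types to a dedicated unpacker rather than passing them through unscanned.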

Once installed on a victim system, the malware is able to download and execute Cobalt Strike, a legitimate post-exploitation toolkit that is then used to penetrate further into the network. Interestingly enough, the developers managed to add this powerful new feature to BazarBackdoor in just one year.

The most fascinating thing about it, however, is that the threat actors behind it are becoming more inventive when it comes to spreading malware. Due to the nature of the threat, it is classified as extremely dangerous and requires continuous monitoring by security managers.