BazarBackdoor sneaks in through nested RAR and ZIP archives

silversurfer

Security researchers caught a new phishing campaign that tried to deliver the BazarBackdoor malware by using the multi-compression technique and masking it as an image file.

The multi-compression or nested archive method is not new but gained in popularity recently as it can trick email security gateways into mislabeling malicious attachments as clean.

It consists of placing an archive within another. Researchers at Cofense say that this method can bypass some secure email gateways (SEGs), which can have a limit to how deep they check a compressed file.
Cofense explains that “nesting of various archive types is purposeful by the threat actor as it has the chance of hitting the SEG’s decompression limit or fails because of an unknown archive type.”

Obfuscated files can also pose problems to an SEG if there are several layers of encryption for the payload, increasing the chances of the malicious file passing undetected.

“Once executed, the obfuscated JavaScript would download a [BazarBackdoor] payload with a .png extension via an HTTP GET connection,” Cofense says, adding that the payload is an executable with the wrong extension.

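The defender-side check the post implies, as an added example that is not part of the original post or of Cofense's tooling: walk a ZIP and every ZIP nested inside it, report when nesting goes past a configurable gateway-style depth limit, flag archive types the scanner cannot open (RAR here, since the standard library has no RAR support), and flag any entry whose bytes start with the MZ header of a Windows executable while its name claims a different extension such as .png. The sample archive chain is constructed inline and contains no real malware.

```python
import io
import zipfile

# Archive types the Python standard library cannot open; a gateway that does
# not understand a type may pass it through uninspected (the post's point).
OPAQUE_ARCHIVES = {".rar", ".7z"}


def _ext(name):
    return ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""


def scan_zip(data, max_depth=1, depth=0, path="", findings=None):
    """Recursively inspect ZIP bytes and return a list of (path, reason).

    Findings: nesting deeper than max_depth (where a gateway's decompression
    limit would silently stop), archive types that cannot be inspected, and
    PE executables (MZ header) whose name claims another extension.
    """
    if findings is None:
        findings = []
    if depth > max_depth:
        findings.append((path, f"nested archive at depth {depth} exceeds limit {max_depth}"))
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            full = f"{path}/{name}" if path else name
            content = zf.read(name)
            if zipfile.is_zipfile(io.BytesIO(content)):
                scan_zip(content, max_depth, depth + 1, full, findings)
            elif _ext(name) in OPAQUE_ARCHIVES:
                findings.append((full, f"unsupported archive type {_ext(name)}: not inspected"))
            elif content.startswith(b"MZ") and _ext(name) not in (".exe", ".dll"):
                findings.append((full, f"PE executable (MZ header) labelled {_ext(name) or 'no ext'}"))
    return findings


def make_zip(entries):
    """Build an in-memory ZIP from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample():
    """Constructed ZIP -> ZIP -> ZIP chain: a fake MZ 'image', a JS stub and a
    RAR-named blob, mimicking the nesting the post describes (no real malware)."""
    inner = make_zip({"photo.png": b"MZ" + b"\0" * 62, "loader.js": b"// constructed stub"})
    middle = make_zip({"attachment.zip": inner, "notes.rar": b"Rar!\x1a\x07\x00"})
    return make_zip({"invoice.zip": middle})


if __name__ == "__main__":
    for entry, reason in scan_zip(build_sample()):
        print(f"{entry}: {reason}")
```

Raising max_depth only silences the nesting finding; the extension mismatch is still reported, which is why content-based checks matter more than the depth limit alone.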
wat0114

So how does this infect? Does the recipient first have to extract the attachment, followed by deliberately launching the .js file, which in turn downloads the BazarBackdoor payload with the wrong file extension (.png)? How is this payload executed?

upnorth

wat0114 said:
So how does this infect? Does the recipient first have to extract the attachment, followed by deliberately launching the .js file, which in turn downloads the BazarBackdoor payload with the wrong file extension (.png)? How is this payload executed?
Once executed, the obfuscated JavaScript would download a payload with a .png extension via an HTTP GET connection. Using image extensions for payloads is a growing trend as the mis-attributed extension is thought to help evade network and endpoint security analysis. This technique is in use here as the .png payload is actually an executable that gets relabeled and moved within the filesystem. Afterward, the JavaScript then initiates the payload which is a sample of BazarBackdoor.

BazarBackdoor is a small Trojan that is used to gather a foothold on a system to then further deploy other malware. Thought to be developed by the same authors as TrickBot, BazarBackdoor shares a lot of the same modular payloads that were downloaded and executed during the time of the analysis.