Emails with archive attachments could be carrying ransomware. Security analysts at Cofense saw a spam campaign in which BazarBackdoor, a dangerous trojan, spreads through nested archives and an executable disguised as an image file.
In short:
- if you get an email (such as one that looks like it’s from your work) with an archive attachment,
- download the archive and open it,
- then open one of the files inside the archive,
- serious malware (spyware, ransomware, etc.) could infect your computer and even spread to other computers on the network.
(Screenshot of the malicious email that was carrying BazarBackdoor, taken from the Cofense article.)
What is BazarBackdoor?
The BazarBackdoor trojan is a malware infection that's not easy to notice, but quite powerful and dangerous. It allows malicious actors to control the infected computer: download programs, upload files, etc. It can be used to steal information and to infect the computer with other malware. It's largely fileless (its main payload runs in memory rather than sitting on disk as a normal program), which makes it difficult for antivirus programs to detect. Quite a scary infection.
According to Cofense, BazarBackdoor often causes a Ryuk ransomware infection. Once BazarBackdoor is on a computer, it can be used to steal information, download ransomware, other trojans (Trickbot), and hijack email accounts. The trojan can use the hijacked email accounts on the infected device to spread malicious spam.
BazarBackdoor is especially dangerous to organizations, where ransomware and doxware can cause long-term damage.
Dangerous archives carry BazarBackdoor
Now, Cofense researchers saw a new campaign in which BazarBackdoor spreads (still with spam emails) in nested archives. The archives carry malicious files, but because they are packed several layers deep, security programs that only unpack the outer layer never get to scan the contents. As a result, the infected attachments don't trigger a security alert.
In this BazarBackdoor campaign, emails arrive with attachments – the infected archive files. If you open one of these archives, you can see additional archives inside, as well as a JavaScript file – a malicious script that downloads the actual malware.
In the past, BazarBackdoor was spread with the help of double extensions – dangerous files that are disguised as benign files.
In the case of this new BazarBackdoor attack, Cofense saw that the file downloaded by the script inside the archives, the one that actually infects the computer, is made to look like a picture: it has a .png extension, which is normally used for images such as screenshots. Rather than an image, it is a malicious executable; the extension is only a name, and the file's real contents give it away.
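The tricks described in this section (archives nested inside archives, a script file hidden at the inner level, an executable renamed to .png, and the older double-extension trick) can all be caught by looking at what a file actually contains instead of what its name claims. The following Python script is an added example written for this page, not code from Cofense or from the BazarBackdoor campaign: it recursively unpacks a ZIP held in memory, checks each member's leading bytes ("magic bytes") against its extension, and reports anything suspicious. The archive it inspects is a constructed sample built by `build_sample()` (a placeholder .js file and a stub that merely starts with a Windows executable header), not real malware.

```python
import io
import os
import zipfile

# File signatures ("magic bytes"). The name a file carries is attacker-controlled;
# the first bytes of its content are much harder to fake.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",   # genuine PNG image
    b"MZ": "exe",                   # Windows PE executable (EXE, DLL, SCR)
    b"PK\x03\x04": "zip",           # ZIP archive
}
# Extensions whose content we can verify against a signature.
EXPECTED_KIND = {".png": "png", ".zip": "zip"}
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr"}
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".bat", ".cmd"}
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".png", ".jpg"}
MAX_MEMBER_BYTES = 50 * 1024 * 1024   # refuse to inflate anything bigger (zip-bomb guard)


def identify(data: bytes) -> str:
    """Classify a byte string by its leading signature, ignoring the file name."""
    for signature, kind in MAGIC.items():
        if data.startswith(signature):
            return kind
    return "unknown"


def scan_archive(data: bytes, path: str = "", depth: int = 0, max_depth: int = 8) -> list:
    """Recursively inspect a ZIP held in memory.

    Returns a list of (member_path, reason) findings. A scanner that only
    unpacks one level would never see what this reports from level two.
    """
    findings = []
    if depth > max_depth:
        findings.append((path, f"nested deeper than {max_depth} levels, not expanded"))
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member_path = f"{path}/{info.filename}" if path else info.filename
            stem, ext = os.path.splitext(info.filename)
            ext = ext.lower()
            inner_ext = os.path.splitext(stem)[1].lower()
            if ext in SCRIPT_EXTENSIONS:
                findings.append((member_path, f"script file ({ext}) inside archive"))
            # Double extension such as report.pdf.exe: Windows hides the last one by default.
            if inner_ext in DOC_EXTENSIONS and ext in SCRIPT_EXTENSIONS | EXECUTABLE_EXTENSIONS:
                findings.append((member_path, f"double extension {inner_ext}{ext}"))
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append((member_path, "member too large to inspect"))
                continue
            content = zf.read(info)
            kind = identify(content)
            if kind == "exe" and ext not in EXECUTABLE_EXTENSIONS:
                findings.append((member_path, f"Windows executable disguised as '{ext}'"))
            elif ext in EXPECTED_KIND and kind != EXPECTED_KIND[ext]:
                findings.append((member_path, f"extension {ext} but content is {kind}"))
            if kind == "zip":
                findings.append((member_path, f"nested archive at depth {depth + 1}"))
                findings.extend(scan_archive(content, member_path, depth + 1, max_depth))
    return findings


def build_sample() -> bytes:
    """Constructed sample (not a real malware sample): an outer ZIP holding a genuine
    PNG, a double-extension file, and an inner ZIP that contains a placeholder .js
    file plus a PE-header stub renamed to .png, mirroring the structure described above."""
    def make_zip(members: dict) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for name, payload in members.items():
                zf.writestr(name, payload)
        return buf.getvalue()

    pe_stub = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"        # looks like a PE header, does nothing
    real_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16          # valid PNG signature
    inner = make_zip({
        "invoice_0721.js": b"// constructed placeholder, not a real dropper",
        "screenshot.png": pe_stub,
    })
    return make_zip({"logo.png": real_png, "report.pdf.exe": pe_stub, "documents.zip": inner})


if __name__ == "__main__":
    for member, reason in scan_archive(build_sample()):
        print(f"{member}: {reason}")
```

Running the script prints four findings: the double extension in the outer archive, the nested archive, the .js file inside it, and the executable wearing a .png name; the genuine logo.png produces nothing. The `max_depth` and `MAX_MEMBER_BYTES` limits are there because an attacker who knows you recurse into archives can answer with one that is nested or inflates without end.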
Phishing emails distribute BazarBackdoor
But why do people run these dangerous files? Why infect their own computers with malware?
It’s easy to have the impression that malicious programs infect computers only by using sophisticated techniques, such as exploiting unpatched vulnerabilities. And that does happen, such as the newly discovered DevilsTongue spyware using flaws in web browsers and Windows to install itself.
But it’s important to remember that hackers use simpler tactics, too. Sometimes, they just guess people’s usernames and passwords by trying all the most common ones (this is why it’s important to use strong and unique credentials). Other times, malicious actors send out deceptive emails to trick people into running malicious files.
What is phishing?
Phishing is when malicious actors impersonate trusted companies and people in order to trick their victims into giving up information or following dangerous instructions.
Scammers craft these fake emails to look like job communication, government news, package shipping updates, giveaways, bills and invoices, free trial expiration warnings, etc.
Some phishing emails are generic and vague, created to be relevant to everyone and sent out to thousands of email addresses at once. Others are targeted, where the attackers find out who the email belongs to and use the victim company’s name or other relevant information.
Phishing emails usually include hyperlinks or attachments that the recipients are encouraged to open. Malicious hyperlinks lead to websites, often ones with fake forms where the victim is told to input their information. Malicious files are used to deliver malware infections, often with the help of macros in Word and Excel files (Emotet is one example).
Not in the case of BazarBackdoor, though. It’s well known that macros are dangerous and should not be enabled in documents that arrive unexpectedly, so the scheme uncovered by Cofense uses a somewhat novel method of delivering malware instead.