By Dylan Duncan

Threat actors using BazarBackdoor have brought an unusual set of lures, techniques and infrastructure to enterprise users, exemplified in two recent campaigns. In these campaigns, threat actors exploit the victims’ own initiative in order to evade security controls and achieve a compromise. These tactics may also be an attempt to counter phishing awareness training.

In this case, we analyzed two campaigns that added a twist to the first stage of the infection chain: one with order-confirmation-themed emails that require a specific invoice number to be entered to reach the payload, and another with subscription-themed emails that mandate a phone call to receive the payload. Emails for the first campaign were disseminated in February and emails from the second in March, which may indicate that threat actors evolved their tactics from one campaign to the other. Alternatively, these actors may be experimenting with several pre-determined sets of tactics to determine which is the most successful.

The lack of embedded clickable links or malicious attachments makes it difficult for secure email gateways (SEGs) and sandbox rules to detect and block the emails. More and more, corporate network users are being conditioned to recognize malicious links and attachments. The absence of apparently malicious links and attachments may lull potential recipients into complacency: “If threat actors wanted to compromise me, wouldn’t they provide me with a means to engage with their malware, or send them my personal information?” Failure to recognize the roundabout engagement tactics at play here could result in a compromise going unnoticed. As seen in Ryuk ransomware campaigns during October 2020, BazarBackdoor remained undetected on infected machines, which allowed threat actors to deliver payloads remotely at a later date.

Sample Campaign 1: Order Confirmation

Figure 1: Order-themed email that delivers BazarBackdoor through shop domains.

Process of Compromise

The first of two BazarBackdoor campaign examples (observed and reported by Cofense Intelligence in early February) used order-confirmation-themed lures. The lures, however, contained no malicious payload. Instead, the threat actors intended for users to be compromised through the following process:

  1. The order-confirmation-themed campaign disseminates phishing emails similar to Figure 1. The order confirmations are from fake companies—mostly pharmaceutical, office supply, flower delivery and lingerie companies. This sample from the campaign uses the fabricated company “Fierce Pharma.”
  2. The email contains an order number, a phone number that is unavailable, and an attached fake invoice in PDF format (as shown in Figure 2). Neither the email nor the invoice contains malware or a link directly to malware, which complicates detection. Threat actors count on additional effort from potential victims who must, unbidden, open a browser and manually enter a domain displayed in the invoice.
  3. Threat actors intend that victims perceive the domain as a legitimate website for Fierce Pharma. Users must navigate around the site to find a “Cancel Order” page, where they are prompted to enter the order number from the campaign.
  4. After entering the number (which likely serves as a victim ID used by the threat actors), intended victims are redirected to a different site with a similar domain scheme. The new site displays instructions on how to enable macro content and delivers a Microsoft Excel spreadsheet that contains malicious Office macros. These then download and run BazarBackdoor.

Figure 2: Invoice from Fierce Pharma attached to order confirmation phishing email.

Campaign Infrastructure

In this case, BazarBackdoor threat actors registered hundreds or more domains such as fiercepharma[.]net (shown in the invoice in Figure 2). Some interesting aspects of these domain registrations include the following:

  • Most domains used in the campaign were registered anonymously, using privacy protection services.
  • Anonymous registration, however, is not allowed for .us domains. Instead, threat actors used bogus contact details, but they used the same email address to register the .us domains. This allowed researchers to connect at least 245 .us domains registered to this campaign.
  • Many of the domains are registered in groups of two or three, using the same domain name with three separate TLDs (for example, .net, .us and .shop). Thus, for every .us domain, there are likely two other connected domains.

We suspect that the threat actors’ reason for duplicating and/or triplicating infrastructure is to evade early detection, as well as to conserve resources and effort. Minimal effort is spent on payload delivery sites with a shorter shelf life, while the more developed landing pages have a lower likelihood of removal because they appear benign. Other factors of note include the following:

  • One of each domain pair (or triad) mentioned above is used as the first stage of the campaign. It is made to appear as legitimate as possible, serving as the landing page for target users. It does not host any malware; rather it serves only to redirect users to the second-stage site when they enter an order number and complete the compromise. Cloaking the more directly malicious domains from email security controls by an extra step may allow the threat actors to avoid detection.
  • The use of separate domains is also likely intended to conserve resources. The first-stage domain, most commonly hosted on .net or .com, is more developed and does not directly serve a malicious payload, meaning it should have a longer shelf life for threat actors. The second-stage domains (often .us or .shop) are likely to be taken down faster because they deliver the malicious payload. The second-stage site is just a single-page PHP form where users again enter their order number and receive the malicious Office document.
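The sibling-domain pattern described above can be used defensively to pivot from one confirmed domain to its likely partners. The following is an added example, not Cofense tooling: the sample domains are constructed, and the function names and the TLD role sets (taken from the text above) are assumptions.

```python
from collections import defaultdict

# TLD roles as described above: .net/.com landing pages, .us/.shop payload pages.
FIRST_STAGE_TLDS = {"net", "com"}
SECOND_STAGE_TLDS = {"us", "shop"}

# Constructed sample feed (not real campaign domains).
OBSERVED = [
    "acme-flowers-demo.net", "acme-flowers-demo.us", "acme-flowers-demo.shop",
    "demo-office-supply.com", "demo-office-supply.us", "unrelated-demo.org",
]


def split_domain(domain):
    """Return (label, tld) for a two-label domain such as 'name.net'."""
    label, _, tld = domain.lower().strip().rstrip(".").rpartition(".")
    return label, tld


def cluster_siblings(domains):
    """Group domains that share a label; keep labels seen under 2+ TLDs."""
    groups = defaultdict(set)
    for d in domains:
        label, tld = split_domain(d)
        if label and "." not in label:  # skip subdomains and bare TLDs
            groups[label].add(tld)
    return {label: tlds for label, tlds in groups.items() if len(tlds) >= 2}


def classify(tlds):
    """Split a sibling group into likely landing and payload TLDs."""
    return {
        "landing": sorted(tlds & FIRST_STAGE_TLDS),
        "payload": sorted(tlds & SECOND_STAGE_TLDS),
    }


def candidate_siblings(known_domain, observed):
    """List same-label variants of a confirmed domain not yet observed."""
    label, known_tld = split_domain(known_domain)
    seen = {split_domain(d) for d in observed} | {(label, known_tld)}
    return sorted(
        f"{label}.{tld}"
        for tld in FIRST_STAGE_TLDS | SECOND_STAGE_TLDS
        if (label, tld) not in seen
    )
```

The output of `candidate_siblings` is a watchlist for DNS and proxy logs, not a list of confirmed indicators.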

The detail and effort put into this campaign goes beyond those of most phishing threat activity, and these unusual tactics were swiftly changed, as the subscription-themed campaign was delivered just over a month later.

Sample Campaign 2: Subscription

Figure 3: Free trial-themed email that delivers BazarBackdoor via phone number.

Process of Compromise

The second BazarBackdoor campaign was originally observed and reported by Cofense Intelligence in March; it used subscription-themed lures. Like the first campaign, the email contains no malicious content. Instead, the threat actors intended for users to be compromised through the following process:

  1. The second campaign was changed to be subscription-themed; the disseminated phishing emails were similar to Figure 3.
  2. Each email contained some content regarding a free trial ending, a subscription cancellation, or some subscription fee to be charged. Like the first campaign, no traditional IOCs are associated, since no embedded links or attachments were included in the email. Instead, a phone number was included. Threat actors intend for users to call the number to cancel or make changes to the subscription.
  3. After calling the phone number, users are met with a fake representative of the fabricated company or subscription service. The first step of the phone conversation is to provide the user ID found in the email subject and body. This allows the threat actor to acquire the email address and information of the recipient.
  4. At this point, threat actors will walk users through steps almost identical to the first campaign via the phone conversation. By providing what is usually a .us domain, users will be directed to a website and told to find the unsubscribe button.
  5. Once the unsubscribe button is used, the website requests the user ID from the email address. This could be a way for the threat actor to track the infected individual. Once the ID has been entered, users are prompted to download a Microsoft Excel spreadsheet that contains malicious macros.
  6. Threat actors then proceed to talk the user through enabling the macros which download and run BazarBackdoor. A video demonstrating a full walkthrough of a phone conversation with the threat actors can be found here.
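Because these emails carry no links or attachments, detection has to key on the combination of traits listed in the steps above. The following is an added example, not Cofense's detection logic: the sample messages are constructed, and the regular expressions, keyword list and ID format are assumptions.

```python
import re
from email import message_from_string
from email.policy import default

URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.I)
# 10-12 digits with common separators, not glued to a preceding letter or digit.
PHONE_RE = re.compile(r"(?<![A-Za-z\d])(?:\+?\d[ ().-]{0,2}){10,12}")
# Assumed ID shape: 2-4 capital letters followed by 6-10 digits.
ID_RE = re.compile(r"\b[A-Z]{2,4}\d{6,10}\b")
THEME_RE = re.compile(r"free trial|subscription|renew|cancel", re.I)

# Constructed sample messages.
LURE = (
    "From: billing@example.com\nTo: user@example.org\n"
    "Subject: Your free trial ends today - ID KT48219375\n"
    "Content-Type: text/plain\n\n"
    "Your subscription KT48219375 will be charged $89.99.\n"
    "To cancel, call (555) 555-0142.\n"
)
BENIGN = (
    "From: shop@example.com\nTo: user@example.org\n"
    "Subject: Your subscription receipt\n"
    "Content-Type: text/plain\n\n"
    "Thanks for renewing. Manage your plan at https://example.com/account\n"
)


def score_callback_lure(raw):
    """Return (signals, verdict) for the link-free, phone-call lure pattern."""
    msg = message_from_string(raw, policy=default)
    subject = msg["subject"] or ""
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part else ""
    shared_ids = set(ID_RE.findall(subject)) & set(ID_RE.findall(body))
    signals = {
        "no_links": not URL_RE.search(body),
        "no_attachments": not list(msg.iter_attachments()),
        "theme": bool(THEME_RE.search(subject + " " + body)),
        "phone": bool(PHONE_RE.search(body)),
        "id_in_subject_and_body": bool(shared_ids),
    }
    # Each trait alone is common in legitimate mail; flag only the full set.
    return signals, all(signals.values())
```

A match is a reason to route the message for analyst review rather than a block decision, since legitimate billing mail can share most of these traits.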

Conclusions

The addition of what seems to be a fully functional BazarBackdoor call center shows just how far threat actors are willing to go for a successful infection. The threat actors are also constantly changing the campaign’s infrastructure by adding new phone numbers, email addresses and domains. This makes it very difficult to create effective rules and security controls for blocking the campaign. Other campaigns using methods similar to this have recently arisen, using call centers with malicious intent. While not necessarily a new tactic, other threat actors have been reported using AnyDesk (a remote desktop application) to infect users via call center. This tactic has been previously used in consumer phishing but is not usual in campaigns targeting businesses.

The analysis of these campaigns led to insight on threat actors’ ability to adapt and use atypical methods to reach end users. Like previous BazarBackdoor campaigns, the final payload is delivered later, and is usually dependent on the infected machine and network. This makes it difficult to see the campaign in its entirety. Because both campaigns assign a unique order ID to each email, it is possible that the ID will be used later to determine the final payload, tailored to the organization/location/role of the victim.

Both campaigns were reported directly to the Cofense Phishing Defense Center (PDC) by enterprise users with the PhishMe Reporter button. With further analysis by Cofense Intelligence, customers have received relevant IOCs and Active Threat Reports (ATRs) for these campaigns. Customers can access the most up-to-date list of all relevant Cofense Intelligence IOCs and ATRs tied to BazarBackdoor via our Threat Intelligence API and the ThreatHQ intelligence portal. Learn more here.

ATR IDs for the BazarBackdoor campaigns.

Active Threat Report    Date Published
142393                  2021-02-12
164206                  2022-03-25