Nested Archives Help to Evade SEGs and Deliver BazarBackdoor
By Aaron Riley
Secure email gateway (SEG) evasion is key to a phishing campaign's payload having maximum impact, and nesting files inside one another is an increasingly common way to achieve it. Threat actors have shown that a file with multiple layers of compression can avoid detection by a SEG and reach an end user. SEGs have technical limits on how deeply they will analyze a file before labeling it benign, and decompression appears to have its own depth limit. Cofense Intelligence analyzed a phishing campaign that used this multi-layer compression technique to deliver BazarBackdoor once the infection chain was initiated.
Figure 1: Environmental day-themed phishing campaign with an archive attachment
As seen in Figure 1 above, the phishing campaign was themed around an environmental day and purported to include an attached event proposal. Both attachments are archives, but of different types: one is a .zip and the other a .rar. Each attached archive contains multiple further archives of different types nested within it, as shown in Figures 2 and 3 below.
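The evasion described above relies on the gateway giving up on decompression after a fixed number of layers and then treating the attachment as benign. The defensive counterpart is a scanner that unpacks recursively up to a configured depth and fails closed on anything it cannot finish inspecting, whether because the nesting is too deep, because a layer is in a format it cannot open (the .rar layers here), or because an entry's declared size is large enough to look like a decompression bomb. The following is an added example written for this article, not Cofense code or part of the analyzed campaign; it uses only the Python standard library, builds its own constructed nested .zip samples in memory, and represents a nested RAR layer by its file signature alone, since the standard library cannot open RAR archives. The depth and size limits are constructed policy values, not any real product's settings.

```python
import io
import zipfile
from dataclasses import dataclass, field

# Constructed policy values for this example; real gateway limits are vendor-specific.
DEFAULT_MAX_DEPTH = 3            # archive layers the scanner is willing to open
DEFAULT_MAX_ENTRY_BYTES = 5_000_000  # refuse entries whose declared size exceeds this

# RAR4 and RAR5 file signatures; recognised so the scanner can fail closed on them.
RAR_SIGNATURES = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")


@dataclass
class ScanResult:
    # "inspected", "depth_limit_exceeded", "unsupported_archive" or "oversized_entry"
    verdict: str = "inspected"
    max_depth_seen: int = 0
    leaves: list = field(default_factory=list)  # non-archive files that were fully reached
    notes: list = field(default_factory=list)


def is_rar(data: bytes) -> bool:
    return any(data.startswith(sig) for sig in RAR_SIGNATURES)


def _scan(data, name, depth, result, max_depth, max_entry_bytes):
    result.max_depth_seen = max(result.max_depth_seen, depth)
    if is_rar(data):
        # A layer we cannot open must not be labelled benign: fail closed.
        result.verdict = "unsupported_archive"
        result.notes.append(f"{name}: RAR layer at depth {depth} could not be opened")
        return
    if not zipfile.is_zipfile(io.BytesIO(data)):
        result.leaves.append(name)  # reached a plain file; hand it to content scanning
        return
    if depth >= max_depth:
        # Running out of depth is a finding, not a reason to pass the file through.
        result.verdict = "depth_limit_exceeded"
        result.notes.append(f"{name}: archive at depth {depth} exceeds max_depth={max_depth}")
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # file_size is the declared uncompressed size from the central directory.
            # It can lie, so production code should also cap bytes while streaming.
            if info.file_size > max_entry_bytes:
                result.verdict = "oversized_entry"
                result.notes.append(f"{name}/{info.filename}: declares {info.file_size} bytes")
                return
            _scan(zf.read(info.filename), f"{name}/{info.filename}", depth + 1,
                  result, max_depth, max_entry_bytes)
            if result.verdict != "inspected":
                return


def scan_attachment(data, name="<attachment>", max_depth=DEFAULT_MAX_DEPTH,
                    max_entry_bytes=DEFAULT_MAX_ENTRY_BYTES):
    """Recursively inspect an attachment; any incomplete inspection yields a non-benign verdict."""
    result = ScanResult()
    _scan(data, name, 0, result, max_depth, max_entry_bytes)
    return result


def build_nested_zip(layers, leaf_name="proposal.txt", leaf_data=b"constructed harmless text"):
    """Constructed sample: wrap a harmless text file in `layers` nested .zip archives."""
    data, name = leaf_data, leaf_name
    for i in range(layers):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"inner{i + 1}.zip"
    return data


def build_zip_with_rar_stub():
    """Constructed sample: a .zip whose only entry carries a RAR5 signature (not a real RAR)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("proposal.rar", RAR_SIGNATURES[1] + b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in [("3 zip layers", build_nested_zip(3)),
                        ("4 zip layers", build_nested_zip(4)),
                        ("zip wrapping rar", build_zip_with_rar_stub())]:
        r = scan_attachment(blob)
        print(f"{label}: {r.verdict} (deepest layer {r.max_depth_seen}) {r.notes or r.leaves}")
```

The design point is the `verdict` field: the only way to get `inspected` is for every leaf file to be reached within the depth and size budget, so an archive that is nested deeper than the scanner will open, or that hides a format the scanner cannot parse, is surfaced for quarantine or sandboxing instead of being passed along as clean.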
BazarBackdoor is a small Trojan used to gain a foothold on a system and then deploy further malware. Thought to be developed by the same authors as TrickBot, BazarBackdoor shares many of the same modular payloads, which were downloaded and executed during the time of the analysis.
Cofense Intelligence has previously notified customers about BazarBackdoor campaigns (an account is needed to view this content), including ones in which it delivered other malware such as Ryuk ransomware. Find more information about this campaign here.
Phishing attacks continue to succeed as tactics evolve. The value of the Cofense comprehensive phishing detection and response that advances security awareness through training and other solutions is unsurpassed in the industry. To learn more about how Cofense can boost your cybersecurity position, contact us today.