By Aaron Riley

Secure email gateway (SEG) evasion is key to a phishing campaign's payload having maximum impact, and nested files are an increasingly common way of achieving it. Threat actors have shown that a file with multiple layers of compression can avoid detection by a SEG and reach an end user. SEGs have technical limits on how far they will analyze a file before labeling it benign, and decompression appears to have its own limit. Cofense Intelligence analyzed a phishing campaign that used this multi-compression technique to deliver BazarBackdoor once the infection chain was initiated.


Figure 1: Environmental day-themed phishing campaign with an archive attachment

As seen in Figure 1 above, the phishing campaign's theme revolved around environmental day and purported to carry an attached event proposal. The two attachments are archives of different types, one .zip and the other .rar. Each attached archive has several further archives nested within it. The nesting of the different archive types can be seen in Figures 2 and 3 below.


Figure 2: Attached ‘Info.rar’ contains more .rar archives holding the JavaScript file


Figure 3: Attached ‘Brief for colleaques.zip’ contains more archives holding the JavaScript file

The nesting of various archive types is purposeful on the threat actor's part: it may hit the SEG's decompression limit, or analysis may fail on an archive type the SEG does not recognize. As Figures 2 and 3 show, the archives deliver JavaScript files that are heavily obfuscated. De-obfuscation can be a limit within a SEG as well, meaning that if multiple layers of obfuscation or encryption surround a payload, a SEG might only go so many layers deep before labeling the file as benign.

Once executed, the obfuscated JavaScript downloads a payload with a .png extension via an HTTP GET request. Using image extensions for payloads is a growing trend, as the mismatched extension is thought to help evade network and endpoint security analysis. That is the case here: the .png payload is actually an executable, which the script renames and moves within the filesystem. The JavaScript then launches the payload, a sample of BazarBackdoor.
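The two gaps described above, an analysis depth limit that defaults to "benign" and an image extension on an executable, can both be turned into fail-closed checks. The following is an added example, not Cofense's tooling or code from the campaign; the archive names, the depth budget and the sample contents are constructed, and RAR is recognized by signature only because the Python standard library cannot open it:

```python
import io
import zipfile

# Content signatures, checked instead of trusting the file extension.
ZIP_MAGIC = b"PK\x03\x04"
RAR_MAGIC = b"Rar!\x1a\x07"
PE_MAGIC = b"MZ"
SCRIPT_EXT = (".js", ".jse", ".wsf", ".vbs")
IMAGE_EXT = (".png", ".jpg", ".jpeg", ".gif")

def inspect(data, name, max_depth=2, depth=0, findings=None):
    """Walk nested archives up to max_depth. Whatever cannot be resolved
    (depth budget spent, unopenable archive type) becomes a finding."""
    if findings is None:
        findings = []
    lname = name.lower()
    if data.startswith(RAR_MAGIC):
        # stdlib has no RAR support; fail closed rather than ignore the file
        findings.append((name, "unsupported-archive-type"))
    elif data.startswith(ZIP_MAGIC):
        if depth >= max_depth:
            findings.append((name, "depth-limit-reached"))
        else:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    inspect(zf.read(member), f"{name}/{member}",
                            max_depth, depth + 1, findings)
    elif lname.endswith(SCRIPT_EXT):
        findings.append((name, "script-in-archive"))
    elif lname.endswith(IMAGE_EXT) and data.startswith(PE_MAGIC):
        # image extension on a PE executable: the relabeled payload case
        findings.append((name, "executable-with-image-extension"))
    return findings

def build_zip(members):
    """Build an in-memory zip from {member_name: bytes} (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()

def constructed_attachment():
    """Constructed stand-in for the attachment: a zip holding a RAR stub and a
    zip-in-zip chain that ends in a script. Names are placeholders."""
    innermost = build_zip({"Proposal.js": b"var a = 'placeholder script';"})
    rar_stub = RAR_MAGIC + b"\x01\x00"  # signature only, not a valid archive
    return build_zip({"Info.rar": rar_stub,
                      "Brief.zip": build_zip({"Inner.zip": innermost})})
```

With a budget of 2 the inspector reports the RAR stub and the unexplored inner archive; with a budget of 4 it reaches the script, so either way the attachment is never silently passed as benign.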

BazarBackdoor is a small Trojan used to gain a foothold on a system and then deploy further malware. Thought to be developed by the same authors as TrickBot, BazarBackdoor shares many of the same modular payloads, which were downloaded and executed during the analysis.

Cofense Intelligence has previously notified customers about BazarBackdoor campaigns (an account is needed to view this content), including ones in which it delivered other malware such as Ryuk ransomware. Find more information about this campaign here.

Phishing attacks continue to succeed as tactics evolve. The value of the Cofense comprehensive phishing detection and response that advances security awareness through training and other solutions is unsurpassed in the industry. To learn more about how Cofense can boost your cybersecurity position, contact us today.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.