By Aaron Riley
Secure email gateway (SEG) evasion is key for a phishing campaign’s payload to have maximum impact, and an increasing trend of nested files is being used to help with this goal. Threat actors have shown that a file with multiple layers of compression can avoid detection by a SEG and reach an end user. SEGs have certain technical limits as to how far they will go to analyze a file before it is labeled as benign, with decompression seemingly having its own limits. Cofense Intelligence analyzed a phishing campaign utilizing this multi-compression technique to deliver BazarBackdoor once the infection chain was initiated.
Figure 1: Environmental day-themed phishing campaign with an archive attachment
Seen in Figure 1 above, the phishing campaign theme revolved around environmental day and purported to have an attached event proposal. The attachments are both archives with different archiving types, one being .zip with the other .rar. Each of these attached archives has multiple different archives nested within. The nesting of the different archival types can be seen in Figures 2 and 3 below.
Figure 2: Attached ‘Info.rar’ contains more .rar archives holding the JavaScript file
Figure 3: Attached ‘Brief for colleaques.zip’ contains more archives holding the JavaScript file
The nesting of various archive types is purposeful by the threat actor as it has the chance of hitting the SEG’s decompression limit or fails because of an unknown archive type. As you can see in Figures 2 and 3, the archives deliver JavaScript files that are heavily obfuscated. De-obfuscation can be a limit within a SEG as well, meaning that if there are multiple layers of encryption surrounding a payload, a SEG might only go so many layers deep before labeling the binary as benign.
Once executed, the obfuscated JavaScript would download a payload with a .png extension via an HTTP GET connection. Using image extensions for payloads is a growing trend as the mis-attributed extension is thought to help evade network and endpoint security analysis. This technique is in use here as the .png payload is actually an executable that gets relabeled and moved within the filesystem. Afterward, the JavaScript then initiates the payload which is a sample of BazarBackdoor.
BazarBackdoor is a small Trojan that is used to gather a foothold on a system to then further deploy other malware. Thought to be developed by the same authors as TrickBot, BazarBackdoor shares a lot of the same modular payloads that were downloaded and executed during the time of the analysis.
Cofense Intelligence has previously notified customers about BazarBackdoor campaigns (an account is needed to view this content) including ones in which it delivered other malware, including Ryuk ransomware. Find more information about this campaign, here.
Phishing attacks continue to succeed as tactics evolve. The value of the Cofense comprehensive phishing detection and response that advances security awareness through training and other solutions is unsurpassed in the industry. To learn more about how Cofense can boost your cybersecurity position, contact us today.
