Security Awareness – BazarBackdoor Spreading via Corporate Contact Forms

The BazarBackdoor malware has been observed spreading via corporate website contact forms rather than its typical phishing email attack chain, allowing it to evade security software. BazarBackdoor is a backdoor malware, which WaterISAC detailed last month, created by the TrickBot gang to provide threat actors with remote access to a compromised device which can then be used to move laterally through a corporate network, install more malware, steal data, and deploy ransomware. A new distribution campaign, identified in a report by Abnormal Security, exploits corporate contact forms to contact victim organizations. For instance, in one of the observed cases, the threat actors pretended to be an employee from a construction company submitting a request for a product quote. When the employee responds, the threat actors send back a malicious ISO file via a file-sharing service to circumvent security software. After the victim downloads the ISO file, BazarBackdoor infects the system. Researchers believe the threat actor’s goal is likely to deploy Cobalt Strike or ransomware. Read more at BleepingComputer.