BazaLoader backdoor is back after a year; this time it gets downloaded and executed via a fake movie streaming site. IOCs included. Apply fast.

Security researchers from Proofpoint have identified a new BazaLoader backdoor campaign in which the malware is downloaded and executed only after the victim completes several steps of human interaction.

The campaign, observed during May 2021, is disguised as a movie streaming service, with a fake website featuring fake movies.

The researchers stated: "The campaign demonstrates an inversely proportional relationship between successful infection rates and asking people to complete complicated steps – the more steps required by the user, the less likely they are to complete the attack chain. However, despite being counterintuitive, the techniques used by the threat actors in this, and similar, campaigns help bypass fully automated threat detection systems. Additionally, leveraging a streaming service cancellation lure preys on a growing trend of users cancelling online entertainment following major growth in the industry during 2020."

Infection Chain

[Figure: infection chain diagram. Source: Proofpoint]

The emails received by victims appear to come from multiple sender addresses, with subjects such as "Your trial period M0012064753012345 is going to be expired soon. Thankfully you made a decision to stick with us!" and "Demo stage is expired! Your account #M0272028060812345 will be automatically transferred to premium plan!"

[Figure: Source: Proofpoint]

"The emails contain phone numbers and references to the "BravoMovies" company. The messages purport to inform the target their credit card will be charged unless they cancel their subscription to the service. If the user calls the phone number provided in the email, a customer service representative will verbally guide the user to the company's alleged website. The website is a convincing representation of a movie and television streaming service," stated the Proofpoint researchers.

When the victim visits the fake site and navigates to the unsubscribe options, clicking the Unsubscribe/Cancel option causes the website to download a malicious Excel sheet containing a macro to the victim's machine. Once the macro in the sheet is enabled, the BazaLoader backdoor is downloaded to the victim's machine.

CyberWorkx readers can find the IOCs for the BazaLoader backdoor in the table below.

| IOC | IOC Type | Description | First Observed |
| --- | --- | --- | --- |
| urbancinema[.]net | Domain | Landing Page | 2021-05-05 |
| bravomovies[.]net | Domain | Landing Page | 2021-05-01 |
| bvcinema[.]net | Domain | Landing Page | 2021-05-06 |
| 47.91.77[.]83 | IP | BravoMovies Website Host | 2021-05-05 |
| 8.209.65[.]249 | IP | BravoMovies Website Host | 2021-05-01 |
| 8.209.92[.]183 | IP | BravoMovies Website Host | 2021-05-04 |
| 8.209.75[.]180 | IP | BravoMovies Website Host | 2021-05-04 |
| 8.211.4[.]26 | IP | BravoMovies Website Host | 2021-05-06 |
| 8.211.6[.]4 | IP | BravoMovies Website Host | 2021-05-06 |
| 8.209.67[.]183 | IP | BravoMovies Website Host | 2021-05-10 |
| 47.91.74[.]88 | IP | BravoMovies Website Host | 2021-05-15 |
| 176.111.174[.]60 | IP | BazaLoader Excel Payload Host | 2021-05-04 |
| hxxps://18.237.242[.]195/g1_262/bt_64_g1_262 | URL | BazaLoader C2 | 2021-05-04 |
| hxxp://noise1[.]xyz/campo/n/o | URL | BazaLoader Excel Payload | 2021-05-04 |
| 9663dc275239aa93ceccedae7a0d54e10def18dd177d231264a323a4175a23d4 | SHA256 | BazaLoader Hash | 2020-04-25 |

Source: Proofpoint.
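To put the lure subjects described above and the IOC table to work, here is an added example (written for this article, not code from Proofpoint or CyberWorkx) that refangs the indicators exactly as listed in the table, flags mail subjects matching the two observed lure patterns, and scans proxy log lines for contact with the listed domains, IPs and URLs. The log format, the sample log lines and the generalisation of the account number to "M followed by digits" are assumptions made for this example.

```python
"""Added example: match the BazaLoader IOCs and lure subjects from this article
against constructed sample data. Log format and samples are assumptions."""
import re
from urllib.parse import urlsplit

# Indicators copied verbatim (still defanged) from the IOC table above.
IOC_TABLE = [
    ("urbancinema[.]net", "Domain"),
    ("bravomovies[.]net", "Domain"),
    ("bvcinema[.]net", "Domain"),
    ("47.91.77[.]83", "IP"),
    ("8.209.65[.]249", "IP"),
    ("8.209.92[.]183", "IP"),
    ("8.209.75[.]180", "IP"),
    ("8.211.4[.]26", "IP"),
    ("8.211.6[.]4", "IP"),
    ("8.209.67[.]183", "IP"),
    ("47.91.74[.]88", "IP"),
    ("176.111.174[.]60", "IP"),
    ("hxxps://18.237.242[.]195/g1_262/bt_64_g1_262", "URL"),
    ("hxxp://noise1[.]xyz/campo/n/o", "URL"),
    ("9663dc275239aa93ceccedae7a0d54e10def18dd177d231264a323a4175a23d4", "SHA256"),
]


def refang(value: str) -> str:
    """Undo the defanging used in the table: "[.]" -> "." and "hxxp" -> "http"."""
    return re.sub(r"^hxxp", "http", value.replace("[.]", "."), flags=re.IGNORECASE)


def build_ioc_sets(table):
    """Group refanged, lower-cased indicators by type for O(1) lookups."""
    sets = {"Domain": set(), "IP": set(), "URL": set(), "SHA256": set()}
    for value, kind in table:
        sets[kind].add(refang(value).lower())
    return sets


IOCS = build_ioc_sets(IOC_TABLE)

# Lure subject patterns from the two sample subjects quoted above, generalised
# (assumption) to any account number of the form M followed by 8+ digits.
LURE_SUBJECT_RE = re.compile(
    r"(trial period M\d{8,}|your account #M\d{8,}).*(expired|premium plan)",
    re.IGNORECASE,
)


def is_lure_subject(subject: str) -> bool:
    """True when a mail subject matches the BravoMovies cancellation lure."""
    return bool(LURE_SUBJECT_RE.search(subject))


def match_url(url: str):
    """Return (kind, indicator) if the URL, its host domain, or its host IP is listed."""
    url_l = url.lower()
    if url_l in IOCS["URL"]:
        return ("URL", url_l)
    host = urlsplit(url_l).hostname or ""
    for domain in IOCS["Domain"]:
        if host == domain or host.endswith("." + domain):
            return ("Domain", domain)
    if host in IOCS["IP"]:
        return ("IP", host)
    return None


def scan_proxy_log(lines):
    """Assumed log format: '<timestamp> <client-ip> <method> <url> <status>'.
    Returns (line_number, kind, indicator) for every line that hits an IOC."""
    hits = []
    for number, line in enumerate(lines, start=1):
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; skip rather than crash the scan
        match = match_url(parts[3])
        if match:
            hits.append((number, *match))
    return hits


def is_known_bad_hash(sha256_hex: str) -> bool:
    """Check a file's SHA256 (any case) against the listed BazaLoader hash."""
    return sha256_hex.lower() in IOCS["SHA256"]


# Constructed sample proxy log (not real traffic): one benign line, then the
# landing page, the Excel payload URL and the C2 URL from the table.
SAMPLE_PROXY_LOG = [
    "2021-05-06T09:12:01Z 10.0.0.5 GET https://www.example.com/ 200",
    "2021-05-06T09:15:44Z 10.0.0.5 GET https://bravomovies.net/cancel 200",
    "2021-05-06T09:15:50Z 10.0.0.5 GET http://noise1.xyz/campo/n/o 200",
    "2021-05-06T09:16:02Z 10.0.0.5 GET https://18.237.242.195/g1_262/bt_64_g1_262 200",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("line %d: %s IOC %s" % hit)
```

Note that the C2 address 18.237.242.195 appears in the table only inside a URL, so a bare connection to that IP on another path would not be flagged by this code; a defender who wants to treat the host itself as an indicator should add it to the IP set deliberately rather than assume the URL entry covers it.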

For more cyber security news in crisp content, please follow our site.
