Bazaloader backdoor is back after a year, This time gets downloaded and executed via Fake movie streaming site. IOC’s included. Apply Fast.
Tweet
The security researchers from Proofpoint has identified the new variant of Bazaloader backdoor downloaded and executed via BazaLoader campaign with the required human interaction.
Malware campaign which was observed during May 2021 has been disguised as Movie streaming service with the fake website featured with fake movies.
The researchers had stated ” The campaign demonstrates an inversely proportional relationship between successful infection rates and asking people to complete complicated steps – the more steps required by the user, the less likely they are to complete the attack chain. However, despite being counterintuitive, the techniques used by the threat actors in this, and similar, campaigns help bypass fully automated threat detection systems. Additionally, leveraging a streaming service cancellation lure preys on a growing trend of users cancelling online entertainment following major growth in the industry during 2020.”
Infection Chain
The email received by the victim seems to be from multiple sender address with subjects like “Your trial period M0012064753012345 is going to be expired soon. Thankfully you made a decision to stick with us!” & “Demo stage is expired! Your account #M0272028060812345 will be automatically transferred to premium plan!”
“The emails contain phone numbers and references to the “BravoMovies” company. The messages purport to inform the target their credit card will be charged unless they cancel their subscription to the service. If the user calls the phone number provided in the email, a customer service representative will verbally guide the user to the company’s alleged website. The website is a convincing representation of a movie and television streaming service. ” stated by the Proofpoint researchers.
When the victim visits the fake site and navigate to unsubscribe options . On clicking the unsubscribe / Cancel option, the website download the malicious excel sheet with macro to the victim machine. Upon enabling the macro on sheet , the backdoor gets downloaded to the victim machine.
CyberWorkx readers can find the IOC’s for BazaLoader backdoor on below table.
| IOC | IOC Type | Description | First Observed |
| urbancinema[.]net | Domain | Landing Page | 2021-05-05 |
| bravomovies[.]net | Domain | Landing Page | 2021-05-01 |
| bvcinema[.]net | Domain | Landing Page | 2021-05-06 |
| 47.91.77[.]83 | IP | BravoMovies Website Host | 2021-05-05 |
| 8.209.65[.]249 | IP | BravoMovies Website Host | 2021-05-01 |
| 8.209.92[.]183 | IP | BravoMovies Website Host | 2021-05-04 |
| 8.209.75[.]180 | IP | BravoMovies Website Host | 2021-05-04 |
| 8.211.4[.]26 | IP | BravoMovies Website Host | 2021-05-06 |
| 8.211.6[.]4 | IP | BravoMovies Website Host | 2021-05-06 |
| 8.209.67[.]183 | IP | BravoMovies Website Host | 2021-05-10 |
| 47.91.74[.]88 | IP | BravoMovies Website Host | 2021-05-15 |
| 176.111.174[.]60 | IP | BazaLoader Excel Payload Host | 2021-05-04 |
| hxxps://18.237.242[.]195/g1_262/bt_64_g1_262 | URL | BazaLoader C2 | 2021-05-04 |
| hxxp://noise1[.]xyz/campo/n/o | URL | BazaLoader Excel Payload | 2021-05-04 |
| 9663dc275239aa93ceccedae7a0d54e10def18dd177d231264a323a4175a23d4 | SHA256 | BazaLoader Hash | 2020-04-25 |
–-For more Cyber security news in crisp content . Please follow our site