
BazarLoader Actors Initiate Contact via Website Contact Forms

Actors are now exploiting the customer contact form on websites to bypass email security and encourage BazarLoader downloads.
March 9, 2022

While most cyberattacks are launched via email, attackers are always looking for new ways to make contact with potential victims. Recently, the threat intelligence team at Abnormal Security observed some attacks targeting our customers that started through an online contact form.

Based on our analysis, we determined that these attacks were attempting to deploy BazarLoader malware. BazarLoader is most closely associated with the cybercrime group known as Wizard Spider, credited with developing the Trickbot banking trojan and Conti ransomware.

Previous BazarLoader campaigns using customer inquiry forms were first identified in 2021, but those attempts used attention-seeking themes to garner artificial urgency. In many cases, the attackers threatened legal action for ongoing copyright violations, with malware disguised as evidence of the misconduct. In these recent campaigns, the actors chose a much lower-impact theme, pretending to be a potential customer in the ordinary course of business.

Attackers Use Online Contact Form to Initiate Communication

Between December 2021 and January 2022, we identified a series of phishing campaigns targeting several of our customers. At first glance, the overall volume of messages seemed low; however, as we continued researching these attacks, it became clear that the volume was artificially deflated because email was not the initial communication method used.

Rather than directly sending a phishing email, the attacker in these cases initiated a conversation through an organization’s website contact form. In these initial contact form submissions, the attacker posed as an employee at a Canadian luxury construction company looking for a quote for a product provided by the target.

There are two primary purposes for choosing this method for initial communication.

  1. It disguises the communication as a request that could be reasonably expected to be received through an online request form.

  2. It circumvents potential email defenses since the request would be delivered through a legitimate sender and does not contain any malicious content.

Once the contact form request has been submitted by the attacker, they simply wait until someone at the target company reaches out to them to follow up. From the perspective of an email system, the target company is initiating conversation with the attacker rather than the other way around.

After Successful Contact, Attackers Send a Malicious File

After fully establishing their cover identity via email, the threat actors continued project negotiations in an effort to convince their victim to download a malicious file. Often this involved some level of social engineering to find a download method not blocked by the victim’s security protocols, without arousing their suspicion.

Figure: Attacker establishing their cover identity via email.

We’ve observed the attacker in these campaigns use two different file sharing services—TransferNow and WeTransfer—to try to deliver the malicious file to victims. If delivery fails using one of these methods, the attacker simply tries again using the other.

Figure: Link to TransferNow to download the malware.

BazarLoader Malware Analysis

The file shared by the threat actor is an .iso file with two components, both masquerading as a different file type. At first glance, the .iso file appears to contain a shortcut to the folder with the project details and a .log file bearing the name of a legitimate Windows file (DumpStack.log) as an anti-detection technique. In actuality, the two are a Windows .lnk file and a file named DumpStack.log that is not a genuine log file.

Figure: Malware sent via TransferNow.

Because shortcut .lnk files allow their creator to specify command-line arguments to perform an action on the victim’s device, cybercriminals can use them for nefarious means.

Figure: Components of the ISO file.

In this case, the .lnk file properties contain a command instruction to open a terminal window and use regsvr32.exe to run the file named DumpStack.log. In reality, it's a BazarLoader Dynamic-link library (DLL) file that has been renamed to look like a log.

Figure: Properties of the malicious .lnk attachment.

Using a process injection technique, the DLL runs its code inside the svchost.exe process to evade detection and establishes a connection with the attackers' command and control (C2) server at the IP address 13[.]107[.]21[.]200 on port 443.
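The two observable steps of this chain, regsvr32.exe loading a file that is not a DLL and a process connecting to the reported C2 address on port 443, can be turned into simple endpoint detection logic. The following is an added example, not Abnormal Security's code; the event records are constructed here in a simplified Sysmon-like shape with assumed field names, and the only indicator used is the C2 address the post reports.

```python
import re
from pathlib import PureWindowsPath
from typing import List, Optional

# C2 address reported in the post for this campaign (defanged there as 13[.]107[.]21[.]200).
C2_ADDRESSES = {"13.107.21.200"}

# Extensions regsvr32.exe legitimately registers; anything else (e.g. .log) is suspicious.
REGSVR32_EXPECTED_EXT = {".dll", ".ocx", ".ax"}

def regsvr32_targets(command_line: str) -> List[str]:
    """Return the module paths from a regsvr32 command line (switches and the exe dropped)."""
    tokens = re.findall(r'"([^"]*)"|(\S+)', command_line)   # honour double-quoted paths
    args = [quoted or bare for quoted, bare in tokens][1:]   # skip regsvr32.exe itself
    return [a for a in args if not a.startswith(("/", "-"))]

def check_process_event(ev: dict) -> Optional[str]:
    """Flag regsvr32.exe loading a module whose extension is not a COM library."""
    if PureWindowsPath(ev["Image"]).name.lower() != "regsvr32.exe":
        return None
    for target in regsvr32_targets(ev["CommandLine"]):
        ext = PureWindowsPath(target).suffix.lower()
        if ext not in REGSVR32_EXPECTED_EXT:
            return f"regsvr32 loading non-DLL extension {ext or '(none)'}: {target}"
    return None

def check_network_event(ev: dict) -> Optional[str]:
    """Flag any process (svchost.exe in this campaign) reaching the C2 address on 443."""
    if ev["DestinationIp"] in C2_ADDRESSES and ev["DestinationPort"] == 443:
        return f"{PureWindowsPath(ev['Image']).name} -> known C2 {ev['DestinationIp']}:443"
    return None

# Constructed sample events (assumed field names; not real telemetry from the campaign).
SAMPLE_EVENTS = [
    {"EventId": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "E:\DumpStack.log"'},          # the mounted ISO
    {"EventId": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Vendor\ctl.ocx"},            # benign registration
    {"EventId": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "13.107.21.200", "DestinationPort": 443},       # beacon to C2
    {"EventId": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": 443},            # ordinary traffic
]

def scan(events: List[dict]) -> List[str]:
    """Run the matching check over each event and return the alerts raised."""
    alerts = []
    for ev in events:
        check = check_process_event if ev["EventId"] == 1 else check_network_event
        hit = check(ev)
        if hit:
            alerts.append(hit)
    return alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Running the script against the constructed events raises exactly two alerts: the .log module loaded through regsvr32 and the svchost.exe connection to the reported C2 address.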

Figure: svchost.exe process.

Figure: Connection established with C2.

Figure: Connection established using port 443.

At the time of this investigation, some of the C2 IP addresses were down, and the others were not able to download the second stage of the attack. This leaves some level of uncertainty as to the intended second-stage malware payload. However, the past associations of the IP address 13[.]107[.]21[.]200, shown in red in the graph below, reveal previous links to malware.

Malware previously related to the IP address 13[.]107[.]21[.]200 has included the following:

Figure: Malware hashes and file types previously related to the IP address.

Based on this, it’s clear that the threat actors were attempting to execute a multi-stage attack with BazarLoader as a first step.

The BazarLoader Bottom Line

The actors in this campaign attempted to improve their credibility by using customer contact forms to establish their identity as a trusted sender. Then, they sent emails from spoofed domains to impersonate a known business. These spoofed domains were difficult to detect given that they are identical to the legitimate website other than the top-level domain, which was changed from .com to .us to trick users.

After infecting their victim with the dropper malware BazarLoader, the trail unfortunately goes cold. However, we can make some educated guesses as to what they intended to happen next. BazarLoader is usually the first stage in a more sophisticated, multi-stage malware attack, often used to deploy Conti ransomware or Cobalt Strike, for example.

These tools, used separately or in conjunction, help threat actors penetrate networks. At that point, the possibilities for chaos are myriad. Consequences range from unauthorized payments and fund dispersals to total system shutdown and even persistent long-term network intrusion.

Indicators of Compromise (IOCs)

