
The new delivery vector makes the malware even more difficult to detect.

The stealthy BazarBackdoor malware is now being spread via website contact forms rather than typical phishing emails, according to a report in bleepingcomputer.com. The new delivery method helps the malware to evade detection by security software, writes Bill Toulas.

BazarBackdoor is a stealthy backdoor malware from the TrickBot group and is now under development by the Conti ransomware operation. This malware provides threat actors with remote access to an internal device. The malware then uses this device as a launchpad for further lateral movement within the network.

The BazarBackdoor malware usually spreads through phishing emails that include malicious documents that download and install the malware. However, as secure email gateways have become better at detecting these malware droppers, distributors are moving to new ways of spreading the malware.

Contact forms replacing emails

In a new report by Abnormal Security, analysts explain that a new distribution campaign started in December 2021 targets corporate victims with BazarBackdoor, with the likely goal of deploying Cobalt Strike or ransomware payloads.

Instead of sending phishing emails to the targets, the threat actors first use corporate contact forms to initiate communication.

For example, in one of the cases seen by Abnormal’s analysts, the threat actors posed as employees at a Canadian construction company who submitted a request for a product supply quote.

After the employee responds to the phishing email, the attackers send back a malicious ISO file supposedly relevant to the negotiation. Since sending these files directly is impossible or would trigger security alerts, the threat actors use file-sharing services like TransferNow and WeTransfer.
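The delivery chain described above (a conversation that starts with a website contact-form submission, followed by an external reply carrying a file-sharing link to an ISO) can be turned into a simple triage rule for a mail or ticketing pipeline. The following Python is an added example, not code from the article, Abnormal Security or BleepingComputer: the message records, the `example.com` internal domain, the field names and the thread layout are all constructed assumptions, while the file-sharing services and the ISO extension are the ones named in the text.

```python
"""Triage rule: flag contact-form conversations whose external replies deliver an ISO via a file-sharing service."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Services named in the article as the delivery channel; subdomains are matched as well.
FILE_SHARING_DOMAINS = ("transfernow.net", "wetransfer.com")
# Payload extension named in the article. Constructed list: extend it for your environment.
RISKY_EXTENSIONS = (".iso",)
# Constructed placeholder for the defending organisation's mail domain.
INTERNAL_DOMAIN = "example.com"

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)(/\S*)?", re.IGNORECASE)
EXT_RE = re.compile(
    r"\b[\w.-]+(" + "|".join(re.escape(e) for e in RISKY_EXTENSIONS) + r")\b",
    re.IGNORECASE,
)


@dataclass
class Message:
    msg_id: str
    thread_id: str
    sender: str             # sender address as seen by the mail system
    via_contact_form: bool  # True when the message is the website contact-form submission
    body: str


@dataclass
class Finding:
    thread_id: str
    msg_id: str
    reasons: List[str] = field(default_factory=list)


def file_sharing_hosts(body: str) -> List[str]:
    """Return the hosts of any links in the body that point at a known file-sharing service."""
    hosts = []
    for host, _path in URL_RE.findall(body):
        h = host.lower()
        if any(h == d or h.endswith("." + d) for d in FILE_SHARING_DOMAINS):
            hosts.append(h)
    return hosts


def is_external(sender: str) -> bool:
    """Anything not sent from the internal domain is treated as external."""
    return not sender.lower().endswith("@" + INTERNAL_DOMAIN)


def scan_threads(messages: List[Message]) -> List[Finding]:
    """Flag external replies in contact-form threads that both link a file-sharing service and reference an ISO."""
    by_thread: Dict[str, List[Message]] = {}
    for m in messages:
        by_thread.setdefault(m.thread_id, []).append(m)

    findings: List[Finding] = []
    for tid, msgs in by_thread.items():
        # The described pattern starts with a contact-form submission, so other threads are skipped here.
        if not msgs[0].via_contact_form:
            continue
        for m in msgs[1:]:
            if not is_external(m.sender):
                continue
            reasons = []
            hosts = file_sharing_hosts(m.body)
            if hosts:
                reasons.append("file-sharing link: " + ", ".join(sorted(set(hosts))))
            if EXT_RE.search(m.body):
                reasons.append("disk-image payload referenced")
            # Both indicators together reproduce the chain from the report; one alone is too noisy.
            if len(reasons) == 2:
                findings.append(Finding(tid, m.msg_id, reasons))
    return findings


# Constructed sample conversation records (not real traffic).
SAMPLE_MESSAGES = [
    Message("t1-m1", "t-1", "quotes@contractor.example", True,
            "Request for a quotation on structural steel for a new site."),
    Message("t1-m2", "t-1", "sales@example.com", False,
            "Thanks for reaching out, our price list is attached."),
    Message("t1-m3", "t-1", "quotes@contractor.example", False,
            "Drawings and the signed PO are here: https://wetransfer.com/downloads/0123abcd "
            "Please open quote_package.iso to review."),
    Message("t2-m1", "t-2", "buyer@partner.example", True,
            "Could you quote on 200 units of item 4471?"),
    Message("t2-m2", "t-2", "buyer@partner.example", False,
            "Specs are at https://partner.example/docs/item-4471.pdf"),
    Message("t3-m1", "t-3", "someone@elsewhere.example", False,
            "https://transfernow.net/dl/xyz contains invoice.iso"),
]

if __name__ == "__main__":
    for f in scan_threads(SAMPLE_MESSAGES):
        print(f.thread_id, f.msg_id, "; ".join(f.reasons))
```

Run as written, the rule reports only the third message of thread `t-1`: the `t-2` reply links a plain document on the partner's own site, and `t-3` did not begin as a contact-form submission, so it is left for other detections. Requiring both indicators keeps the rule tied to the chain the report describes rather than alerting on every legitimate WeTransfer link a sales team receives.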

Bleeping Computer reported a similar case of contact form abuse in August, where fake DMCA infringement notices sent via contact forms were installing BazarBackdoor.

In April 2021, Bleeping Computer also reported on a phishing campaign using contact forms to spread the IcedID banking trojan and Cobalt Strike beacons.