fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Malicious CSV Text Files Used to Install BazarBackdoor Malware

Malicious CSV Text Files Used to Install BazarBackdoor Malware

A new phishing campaign is using specially crafted CSV text files to infect users’ devices with the BazarBackdoor malware.

A comma-separated values (CSV) file is a text file containing lines of text with columns of data separated by commas. In many cases, the first line of text is the header, or description, for each column.

For example, a very basic CSV text file containing the capitals of some US states is illustrated below. Notice how commas separate each column of data (states and capitals).

Also Read: Personal Data Protection Act Australia

State,Capital
Alabama,Montgomery
Alaska,Juneau
Arizona,Phoenix
Arkansas,Little Rock
California,Sacramento
Colorado,Denver
Connecticut,Hartford
Delaware,Dover
Florida,Tallahassee

As you can see above, the file contains nothing but text, but when loaded into Excel, the data is presented with each line on its own row and the data separated by the commas into columns of data.

Example CSV file loaded in Microsoft Excel
Example CSV file loaded in Microsoft Excel
Source: BleepingComputer

Using CSVs is a popular method to export data from applications that can then be imported into other programs as a data source, whether that be Excel, a database, password managers, or billing software.

Since a CSV is simply text with no executable code, many people consider these types of files harmless and may be more carefree when opening them.

However, Microsoft Excel supports a feature called Dynamic Data Exchange (DDE), which can be used to execute commands whose output is inputted into the open spreadsheet, including CSV files.

Unfortunately, threat actors can also abuse this feature to execute commands that download and install malware on unsuspecting victims.

CSV file uses DDE to install BazarBackdoor

new phishing campaign spotted by security researcher Chris Campbell is installing the BazarLoader/BazarBackdoor trojan through malicious CSV files.

BazarBackdoor is a stealthy backdoor malware created by the TrickBot group to provide threat actors remote access to an internal device that can be used as a springboard for further lateral movement within a network.

The phishing emails pretend to be “Payment Remittance Advice” with links to remote sites that download a CSV file with names similar to ‘document-21966.csv.’

Also Read: AI Auditing Framework: Draft Guidance for Organizations

BazarBackdoor phishing email
BazarBackdoor phishing email
Source: @phage_nz

Like all CSV files, the document-21966.csv file is just a text file, with columns of data separated by commas, as seen below.

The document-21966.csv​​​​​​​ file opened in a text editor
The document-21966.csv file opened in a text editor
Source: BleepingComputer

The astute reader, though, will notice that one of the data columns contains a strange WMIC call in one of the columns of data that launches a PowerShell command.

This =WmiC| command is a DDE function that causes Microsoft Excel, if given permission, to launch WMIC.exe and execute the provided PowerShell command to input data into the open workbook.

In this particular case, the DDE will use WMIC to create a new PowerShell process that opens a remote URL containing another PowerShell command that is then executed.

The remote PowerShell script command, shown below, will download a picture.jpg file and save it as C:\Users\Public\87764675478.dll. This DLL program is then executed using the rundll32.exe command.

PowerShell executed to download BazarLoader
PowerShell executed to download BazarLoader
Source: BleepingComputer

The DLL file [Tria.ge sample] will install BazarLoader, ultimately deploying the BazarBackdoor and other payloads on the device.

Thankfully, when this CSV file is opened in Excel, the program will spot the DDE call and prompt the user to “enable automatic update of links,” which is marked as a security concern.

Confirm whether DDE should be enabled
Confirm whether DDE should be enabled
Source: BleepingComputer

Even if they enable the feature, Excel will show them another prompt confirming if WMIC should be allowed to start to access the remote data.

Microsoft Excel asking to confirm if WMIC should be executed
Microsoft Excel asking to confirm if WMIC should be executed
Source: BleepingComputer

If the user confirms both prompts, Microsoft Excel will launch the PowerShell scripts, the DLL will be downloaded and executed, and BazarBackdoor will be installed on the device.

While this threat does require users to confirm that the DDE function should be allowed to execute, AdvIntel CEO Vitali Kremez told BleepingComputer that people are falling for the ongoing phishing attack.

“Based on our visibility into the BazarBackdoor telemetry, we have observed 102 actual non-sandbox corporate and government victims over the past two days from this phishing campaign,” Kremez explained in an online discussion.

Once BazarBackdoor is installed, it will allow the threat actors access to the corporate network, which the attacks will use to spread laterally throughout the network.

Ultimately, this could lead to further malware infections, the stealing of data, and the deployment of ransomware.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us