A new phishing campaign is underway that targets a company’s employees with fake customer complaints that install a new backdoor used to compromise a network.
For the past two weeks, BleepingComputer, and others we have spoken with, have been receiving fake emails pretending to be from their company’s “Corporate Lawyer”.
These emails utilize subjects like “Re: customer complaint in [insert company name]” or “Re: customer complaint for [recipient name]” and state that the recipient’s employer has received a customer complaint about them. Due to this, the employee will be fined and have the amount deducted from their salary.
The text of these emails will read similar to the following text:
Good morning
This is corporate lawyer from Bleeping Computer. I tried to reach you in office, but you are not available. When i can call you again?
We will debit your account because of company customer complaint on you, Complaint 4/20 (preview)
Here is a copy of Customer Complaint in Corporate Google Documents: https://docs.google.com/document/d/e/xxx/pub
I will be in Bleeping Computer at 4 PM.
Kate Smith
Corporate LawyerThese emails tell the employee to download and review the complaint from an included Google Docs link as the “Corporate Lawyer” would like to meet with them to discuss it.
When a user visits this link, they will see a stylized Google Docs document pretending to a customer complaint with information on how to download it.
When a user clicks on the “Expand and Preview” link, a file named Prevew.PDF.exe will be downloaded.
This executable, though, is a new backdoor being named ‘bazaloader’ based on the domain used by its command and control server.
Targeting corporate networks
For the past few weeks, many researchers have been seeing a new backdoor being distributed via phishing emails that contain a link to a fake PDF on Google Docs.
As described above, when a user tries to view the PDF on Google Docs, they will be prompted to “Expand and Preview” it, which will cause a file to be downloaded.
In our phishing attack, the name of the file is Preview.PDF.exe and is signed with a certificate from a company named “VB Corporate PTY, LTD”
When executed, the malware will inject itself into the legitimate C:\Windows\system32\svchost.exe and then proceed to connect to a remote server command & control server where it will send data and receive further commands or payloads.
According to security researcher James, this backdoor had been named ‘bazaloader’ as is utilizes the Blockchain-DNS resolver and its associated ‘bazar’ domain for the command and control servers.
In a conversation with James, BleepingComputer was told that this backdoor has been seen deploying Cobalt Strike on infected networks.
Once Cobalt Strike is deployed, the attackers gain full access to the victim’s computer and can use it to compromise the rest of the network to install ransomware or steal data to be used for extortion.
Enable file extensions!
As this phishing campaign is designed to infiltrate the corporate networks of the targeted companies, it is essential that users not open any executables downloaded from Google Docs.
Furthermore, as Windows does not display file extensions by default, it adds further risk to the operating system as users will not realize that the file they downloaded is an executable rather than a PDF.
To be safe, always enable file extensions in Windows so that you can quickly identify what type of file is being downloaded.
The information contained in this website is for general information purposes only. The information is gathered from Bleeping Computer, while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk. Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.