A new phishing campaign is underway that delivers the BazarBackdoor malware using a nested archive method: a compressed archive is placed inside another compressed archive.
Using a single compressed archive is not sufficient to hide malware from many secure email gateway solutions, which can scan inside archive files. However, many email security solutions do not look any deeper than that first layer, so placing a second compressed file inside the first archive may be enough to hide the malicious payload. Secure email gateways typically enforce a decompression depth or size limit, and scanning may fail altogether when the inner archive is in a format the gateway does not recognize.
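The depth-limit blind spot described above can be reproduced with a small recursive archive inspector. The following is an added example written for this page, not code from the campaign or from any gateway product: it builds a constructed sample (a placeholder file wrapped in a configurable number of zip layers, with the name `Document.lnk` and the contents standing in for a payload), then descends into nested zips only as far as `max_depth` allows and reports which inner archives were left unopened. A scan limited to one layer opens a single archive but stops at a zip-in-zip, which is exactly what the attackers rely on.

```python
import io
import zipfile

# Constructed sample payload: a harmless placeholder standing in for the
# malicious file the campaign hides. The name is an assumption for the demo.
SAMPLE_PAYLOAD_NAME = "Document.lnk"
SAMPLE_PAYLOAD = b"placeholder bytes standing in for a malicious script"


def build_nested_zip(depth: int) -> bytes:
    """Constructed sample: wrap SAMPLE_PAYLOAD in `depth` layers of zip archives."""
    data = SAMPLE_PAYLOAD
    name = SAMPLE_PAYLOAD_NAME
    for level in range(depth):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data = buf.getvalue()
        # The freshly built archive becomes the member of the next outer layer.
        name = f"layer{depth - level}.zip"
    return data


def is_zip(blob: bytes) -> bool:
    # Decide by content, not by extension: the sender controls the file name.
    return zipfile.is_zipfile(io.BytesIO(blob))


def list_leaf_files(blob: bytes, max_depth: int, _depth: int = 0, _path: str = ""):
    """Recursively descend nested zips, opening at most `max_depth` layers.

    Returns a list of (path, size, unopened) tuples. `unopened` is True when
    an inner archive was hit at the depth limit and left closed: that entry is
    the payload a depth-limited gateway never inspects. Non-zip blobs are
    returned as leaves; a real scanner would also need handlers for other
    container formats (or flag unrecognized ones) rather than trusting them.
    """
    results = []
    if not is_zip(blob):
        results.append((_path or "<root>", len(blob), False))
        return results
    if _depth >= max_depth:
        results.append((_path or "<root>", len(blob), True))
        return results
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            inner = zf.read(info)
            inner_path = f"{_path}/{info.filename}" if _path else info.filename
            results.extend(list_leaf_files(inner, max_depth, _depth + 1, inner_path))
    return results


def payload_reached(blob: bytes, max_depth: int) -> bool:
    """True if the scan actually opened a non-archive leaf named like the sample payload."""
    return any(
        path.endswith(SAMPLE_PAYLOAD_NAME) and not unopened
        for path, _, unopened in list_leaf_files(blob, max_depth)
    )


if __name__ == "__main__":
    single = build_nested_zip(1)
    nested = build_nested_zip(2)
    print("single archive, 1-layer scan reaches payload:", payload_reached(single, 1))
    print("nested archive, 1-layer scan reaches payload:", payload_reached(nested, 1))
    print("nested archive, 2-layer scan reaches payload:", payload_reached(nested, 2))
    for path, size, unopened in list_leaf_files(nested, 1):
        print(f"  {path} ({size} bytes){'  <- archive left unopened' if unopened else ''}")
```

The useful output for a detection engineer is the `unopened` flag: an attachment whose scan terminates on an unopened inner archive should be treated as unscanned and quarantined or detonated, not delivered because nothing was flagged.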
BazarBackdoor gives the attackers access to the device, and typically Cobalt Strike is downloaded and used for lateral movement. The attackers will attempt to gain access to high-value assets to steal sensitive data. Access can then be sold to other cybercriminal groups, such as ransomware gangs.