Nested Archive Technique used in Phishing Campaign Delivering the BazarBackdoor

A new phishing campaign is underway that delivers the BazarBackdoor malware using a nested archive method, which involves putting compressed archives within another compressed archive.

Using a single compressed archive is not sufficient to hide malware from many secure email gateway solutions, which have the capability to scan inside archive files. However, many email security solutions do not check any deeper than this, so placing a second compressed file inside the first archive may be sufficient to hide the malicious payload. Secure email gateways typically enforce a decompression depth limit, and a scan may also fail outright when the gateway encounters an archive format it does not recognize.

The phishing campaign was detected by researchers at Cofense. They report that the emails in this campaign claimed to provide a brief for Environmental Day, which took place on July 5. The emails contain an attached zip file, named Brief for colleaques.zip, and a rar file, named info.rar. Each of those files contains one or more additional compressed files. The zip file contains a further .zip file and two archive files with an unknown extension (.s01, .s02). The .rar file contains two further .rar files, and within those is the malicious JavaScript file.

BazarBackdoor phishing campaign. Image source: Cofense

The JavaScript file (.js) will deliver BazarBackdoor if executed. The JavaScript file is heavily obfuscated to make it difficult for secure email gateways to detect the file as malicious. Many gateway solutions fail when there are multiple layers of encryption surrounding a malicious payload.

If allowed to run, the JavaScript downloads a file with a .png extension via an HTTP GET request. While the file has a standard image extension, it is actually an executable that has been mislabeled. During the infection process, the file is renamed, moved within the file system, and executed.
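Two defensive checks follow directly from the techniques described above: scanning archives recursively rather than stopping at the first layer (and treating an archive the scanner cannot open, or a nesting depth it will not descend into, as a finding instead of a silent pass), and comparing a file's claimed extension against its leading bytes so that an executable delivered as a ".png" is caught. The code below is an added example, not code from Cofense or from the article; the archive contents, the "rar" header blob and the file names are constructed in memory for the demonstration. It uses only the Python standard library, so real .rar archives are reported as unscannable rather than opened, which is exactly the condition the article warns about.

```python
"""Added example: recursive attachment inspector with depth limit, unknown-archive
reporting, and extension-versus-content checks. All sample data is constructed."""
import io
import zipfile

# Magic-byte signatures; only the formats this example needs are listed (constructed table).
SIGNATURES = {
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",           # RAR header (v4 and v5 both start this way)
    b"MZ": "pe",                      # Windows executable (DOS stub header)
    b"\x89PNG\r\n\x1a\n": "png",
}

# What the extension claims; a sniffed type that disagrees is a finding.
EXPECTED_TYPE_FOR_EXT = {".png": "png", ".zip": "zip", ".rar": "rar", ".exe": "pe"}

SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".wsf", ".hta")


def sniff_type(data: bytes) -> str:
    """Identify content by leading bytes, ignoring the file name entirely."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def extension_of(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def extension_mismatch(name: str, data: bytes):
    """Finding when the extension claims one type but the bytes say another."""
    expected = EXPECTED_TYPE_FOR_EXT.get(extension_of(name))
    actual = sniff_type(data)
    if expected is not None and actual != "unknown" and actual != expected:
        return f"{name}: extension says {expected} but content is {actual}"
    return None


def scan_archive(data: bytes, path: str = "<attachment>", depth: int = 0, max_depth: int = 5) -> list:
    """Walk an attachment recursively and return a list of findings.
    Policy: unopenable archive -> finding; depth limit reached -> finding;
    script file or extension/content mismatch at any depth -> finding."""
    findings = []
    kind = sniff_type(data)
    if kind == "zip":
        if depth >= max_depth:
            findings.append(f"{path}: nesting depth {depth} exceeds limit; not fully scanned")
            return findings
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                findings.extend(scan_archive(zf.read(info), f"{path}/{info.filename}", depth + 1, max_depth))
    elif kind == "rar":
        # No rar support in the standard library: report it rather than pass it through.
        findings.append(f"{path}: rar archive cannot be opened by this scanner; contents unscanned")
    else:
        mismatch = extension_mismatch(path, data)
        if mismatch:
            findings.append(mismatch)
        if extension_of(path) in SCRIPT_EXTENSIONS:
            findings.append(f"{path}: script file at nesting depth {depth}")
    return findings


def build_nested_zip(members: dict, levels: int) -> bytes:
    """Constructed test data: wrap `members` inside `levels` zip archives."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    data = buf.getvalue()
    for i in range(levels - 1):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(f"inner{i}.zip", data)
        data = buf.getvalue()
    return data


def demo():
    # Constructed inner files: a placeholder script and a blob carrying only a RAR magic header.
    inner = {
        "document.js": b"// placeholder script body, constructed for the example\n",
        "info.rar": b"Rar!\x1a\x07\x01\x00" + b"\x00" * 16,
    }
    attachment = build_nested_zip(inner, levels=3)       # zip -> zip -> zip -> files
    deep = scan_archive(attachment, "attachment.zip", max_depth=5)
    shallow = scan_archive(attachment, "attachment.zip", max_depth=1)  # gateway that stops early
    fake_png = extension_mismatch("update.png", b"MZ\x90\x00" + b"\x00" * 60)  # constructed PE stub
    return deep, shallow, fake_png


if __name__ == "__main__":
    for section in demo():
        print(section)
```

Running `demo()` shows the contrast the article describes: with a depth limit of 5 the scanner reports the script three archives down and the rar it could not open, while with a depth limit of 1 the only finding is that the inner archive was never inspected. The important design choice is that both the depth limit and the unrecognized format surface as findings; a gateway that simply stops scanning at that point is the behaviour this campaign relies on.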

BazarBackdoor gives the attackers access to the device, and typically Cobalt Strike is downloaded and used for lateral movement. The attackers will attempt to gain access to high-value assets to steal sensitive data. Access can then be sold to other cybercriminal groups, such as ransomware gangs.

Author: NetSec Editor