
A new phishing campaign has been discovered delivering the BazarBackdoor malware. The campaign uses multiple layers of compression to hide its dropper and retrieves the final payload under an image file name. Both tricks can lead Secure Email Gateways (SEGs) to classify a malicious attachment as clean.
The new BazarBackdoor campaign has been active since last month and has lured several enterprise recipients using an Environmental Day theme. The emails carry ZIP and RAR archives as attachments; inside is a JavaScript file that delivers BazarBackdoor, giving the attackers remote access to the target machines.
The heavily obfuscated JavaScript file downloads a malicious payload that carries an image extension. This is a growing trend among attackers because it increases the chance that the malicious file evades detection.
Attackers deliberately nest multiple archive types because doing so can exhaust the SEG's decompression limit, or the scan can fail outright on an archive type the gateway does not recognize; in either case the attachment may be passed through unscanned rather than blocked.
Once executed, the obfuscated JavaScript fetches the BazarBackdoor payload over an HTTP GET request as a file with a .png extension. The file is actually a Windows executable (.exe) given the wrong extension: its extension says image, but its content, starting with the PE header, says executable, which is why content-based inspection rather than the file name is what exposes it.
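As an added example, not code from the original report or from the campaign's authors, the following Python scanner illustrates the two detection points just described: a decompression depth limit that reports exhaustion instead of returning clean, and a magic-byte check that catches a PE executable carrying a .png extension. MAX_DEPTH, the file names and the sample bytes are constructed for the example; RAR members are only flagged, since the standard library cannot open them.

```python
import io
import zipfile

# Leading bytes of the file types this campaign abuses (constructed table for the example).
MAGIC = {
    b"MZ": "exe",                 # PE/DOS executable header
    b"\x89PNG\r\n\x1a\n": "png",  # genuine PNG signature
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
}

# Hypothetical gateway decompression limit. Nesting deeper than this is reported as
# suspicious rather than silently passed, which is the failure mode the attackers count on.
MAX_DEPTH = 2

SCRIPT_EXTENSIONS = {"js", "jse", "vbs", "wsf", "hta"}


def sniff(data):
    """Identify a blob by its leading bytes, ignoring whatever extension it was given."""
    for signature, kind in MAGIC.items():
        if data.startswith(signature):
            return kind
    return "unknown"


def scan(data, name="attachment", depth=0, findings=None):
    """Recursively unpack ZIP members and return a list of (path, reason) findings.

    Reports: nesting beyond MAX_DEPTH, RAR members (zipfile cannot open them),
    script attachments, and PE executables carrying a non-.exe extension.
    """
    if findings is None:
        findings = []
    kind = sniff(data)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""

    if kind == "zip":
        if depth >= MAX_DEPTH:
            findings.append((name, "nesting depth exceeded; treat as suspicious, not clean"))
            return findings
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for member in archive.namelist():
                scan(archive.read(member), f"{name}/{member}", depth + 1, findings)
        return findings

    if kind == "rar":
        findings.append((name, "RAR archive; unpack with a RAR-capable tool before calling it clean"))
        return findings

    if ext in SCRIPT_EXTENSIONS:
        findings.append((name, "script attachment"))
    if kind == "exe" and ext != "exe":
        findings.append((name, f"PE executable disguised as .{ext}"))
    return findings


def build_nested_sample(wraps):
    """Constructed test input: a ZIP holding a .js dropper, wrapped in `wraps` further ZIP layers."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as archive:
        # Constructed stand-in for the obfuscated downloader; it is not the real script.
        archive.writestr("EnvironmentalDay.js", "var u=unescape('%68%74%74%70');")
    data = inner.getvalue()
    for level in range(wraps):
        outer = io.BytesIO()
        with zipfile.ZipFile(outer, "w") as archive:
            archive.writestr(f"level{level}.zip", data)
        data = outer.getvalue()
    return data


if __name__ == "__main__":
    # Constructed stand-in for the downloaded payload: PE header bytes under a .png name.
    fake_png = b"MZ\x90\x00" + b"\x00" * 60
    print(scan(fake_png, "image.png"))
    print(scan(build_nested_sample(1)))   # dropper reached within the limit
    print(scan(build_nested_sample(3)))   # limit exhausted before the dropper is reached
```

The important design choice is in the depth check: when the limit is hit, the scanner returns a finding rather than an empty list, so a gateway built this way fails closed on deeply nested attachments instead of reporting them clean.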
Once deployed on a victim computer, the malware can download and run Cobalt Strike, a legitimate post-exploitation toolkit that is widely abused by attackers, and use it to spread laterally through the network.
BazarBackdoor has been reworked this year. The threat actors behind it are becoming more sophisticated and are using new ways to distribute the malware, which makes it a worrying threat that requires continuous monitoring by security teams.