A new phishing campaign has been discovered delivering the BazarBackdoor malware. The campaign uses a multi-layered compression (nested archive) technique to disguise the malware as an image file. This technique can lead Secure Email Gateways (SEGs) to classify malicious attachments as clean.
Attackers nest several different archive types deliberately: the extra layers can exhaust the SEG's decompression limit, or the scan can fail outright when the gateway meets an archive type it does not recognise. In either case a gateway that treats a file it could not unpack as clean passes the attachment through without ever having inspected the innermost file.
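Both failure modes, the depth limit and the unrecognised container, are easy to reproduce with a small scanner. The following is an added example and is not code from the original article, from the campaign, or from any SEG vendor: it builds a four-layer zip/tar.gz nest around an inert byte string named as an image, then inspects it under a hypothetical decompression limit (`DEFAULT_MAX_DEPTH`, an assumed gateway setting) in both fail-open and fail-closed modes. The magic-byte table, the verdict names, the `scan` function and the sample archive are all constructed for this illustration.

```python
"""Nested-archive inspection: shows why a decompression limit or an unknown
archive type lets a disguised payload through, and how a fail-closed policy
changes the verdict. Constructed example; the 'payload' is an inert blob."""
import io
import tarfile
import zipfile

# Hypothetical gateway setting (assumption): how many archive layers it opens.
DEFAULT_MAX_DEPTH = 3

# Magic bytes for the types this toy scanner recognises (constructed table).
MAGIC = {
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
    b"Rar!\x1a\x07": "rar",        # recognised but not unpacked here
    b"7z\xbc\xaf\x27\x1c": "7z",   # recognised but not unpacked here
    b"MZ": "pe",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG": "png",
}
SEVERITY = {"clean": 0, "suspicious": 1, "uninspectable": 2, "malicious": 3}
IMAGE_EXT = (".jpg", ".jpeg", ".png")
ARCHIVE_EXT = (".zip", ".rar", ".7z", ".ace", ".gz", ".tgz", ".iso", ".img")


def sniff(data: bytes) -> str:
    """Identify a blob by its leading bytes, never by its file name."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"


def wrap_zip(name: str, data: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def wrap_targz(name: str, data: bytes) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        info = tarfile.TarInfo(name)
        info.size = len(data)
        tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_nested_sample() -> bytes:
    """Four mixed archive layers around an inert PE-like blob named as an image."""
    payload = b"MZ" + b"\x00" * 62 + b"constructed inert stand-in, not malware"
    layer = wrap_zip("photo.jpg", payload)   # layer 4: executable named .jpg
    layer = wrap_targz("inner.zip", layer)    # layer 3: tar.gz
    layer = wrap_zip("inner.tgz", layer)      # layer 2: zip
    return wrap_zip("invoice.zip", layer)     # layer 1: outer zip attachment


def children(kind: str, data: bytes):
    """Yield (name, bytes) for members of an archive the scanner can open."""
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    yield info.filename, zf.read(info)
    elif kind == "gzip":
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tf:
            for member in tf.getmembers():
                if member.isfile():
                    yield member.name, tf.extractfile(member).read()


def scan(name: str, data: bytes, max_depth: int = DEFAULT_MAX_DEPTH,
         fail_closed: bool = True, _depth: int = 0) -> str:
    """Return the worst verdict found; _depth counts archive layers opened."""
    kind = sniff(data)
    unscanned = "uninspectable" if fail_closed else "clean"
    if kind == "pe":
        verdict = "malicious"
    elif kind in ("zip", "gzip"):
        if _depth >= max_depth:
            verdict = unscanned   # decompression limit hit: content never seen
        else:
            try:
                verdict = max((scan(n, d, max_depth, fail_closed, _depth + 1)
                               for n, d in children(kind, data)),
                              key=SEVERITY.get, default="clean")
            except (zipfile.BadZipFile, tarfile.TarError):
                verdict = unscanned   # corrupt or non-tar gzip: cannot unpack
    elif kind in ("rar", "7z") or (kind == "unknown"
                                   and name.lower().endswith(ARCHIVE_EXT)):
        verdict = unscanned   # archive type the gateway cannot open
    else:
        verdict = "clean"
    # An archive or binary carrying an image extension is at least suspicious.
    if name.lower().endswith(IMAGE_EXT) and kind not in ("jpeg", "png"):
        verdict = max(verdict, "suspicious", key=SEVERITY.get)
    return verdict


if __name__ == "__main__":
    sample = build_nested_sample()
    for closed in (False, True):
        print("fail_closed=%s -> %s" % (closed, scan("invoice.zip", sample,
                                                     fail_closed=closed)))
```

With the assumed three-layer limit the fail-open run reports the attachment as clean even though the inner executable was never examined, which is exactly the outcome the campaign relies on; the fail-closed run reports it as uninspectable, a verdict a gateway can quarantine for manual review. Raising `max_depth` to 4 exposes the PE-like blob and the verdict becomes malicious. Note also that the scanner identifies every layer by magic bytes rather than by name, so the `.jpg` extension on the innermost file buys the attacker nothing.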
Once deployed on a victim's computer, the backdoor can download and run Cobalt Strike, a legitimate post-exploitation toolkit, and use it to spread laterally through the network.
BazarBackdoor got a makeover this year. The threat actors behind it are becoming more sophisticated and are using new ways of distributing the malware, which makes it a worrisome threat that requires continuous monitoring by security teams.