BaseCamp and Slack Under Attack by BazarLoader Malware

 Cybercriminals are using BazarLoader malware to attack Slack and BaseCamp users with social engineering tactics. Threat actors have combined it with a phone call component to increase the number of victims.

What is Happening?

Sophos issued a security warning last Thursday warning companies and consumers about BazarLoader in which they said, "With a focus on targets in large enterprises, BazarLoader could potentially be used to mount a subsequent ransomware attack."

In an attempt to trick users of Slack and BaseCamp, criminals sent out a vast number of emails using both the employees' names and that of their employer. The emails contained links to malware (BazarLoader). The email subjects range from invoices, payroll, contracts, and customer service inquiries to get users to take the bait and download the files. The malware, once downloaded, instantly infects the user's machine.

According to Threatpost, "If a target clicks on the link, BazarLoader downloads and executes on the victim's machine. The links typically point directly to a digitally signed executable with an Adobe PDF graphic as its icon. The files usually perpetuate the ruse, with names like presentation-document.exe, preview-document-[number].exe or annualreport.exe."

Social Engineering Tactics Used

In this campaign, attackers are using various social engineering tactics to increase the possibility of snagging victims.

One technique they used is to ask about a free subscription which will soon require payment. The message includes a voice phone number that the user must call to extend their free trial or stop the purchase. Those who did call the number were given a URL over the phone to visit that was, of course, infected with the same BazarLoader malware.

In some cases, users reported that scammers sent them an Office document that demanded that macros be turned on when opened. Sometimes users are sent a link to a malicious website or the email includes downloadable files. Either way, the result is the same. Sometimes the links are shortened with a service like Bitly to appear more legitimate, and sometimes the entire URL is shown. As Sophos said,

"The attackers prominently displayed the URL pointing to one of these well-known legitimate websites in the body of the document, lending it a veneer of credibility."

Sometimes the messages appear to be legitimate and other times; they are clearly fake. Even so, many recipients are clicking and downloading despite experts' warnings never to do so.

Sophos mentioned that

"One spam sample even attempted to disguise itself as a notification that the employee had been laid off from their job."

What Can Be Done About This Threat?

Sophos explains that "The malware, only running in memory, cannot be detected by an endpoint protection tool's scans of the filesystem, as it never gets written to the filesystem. The files themselves don't even use a legitimate .DLL file suffix because Windows doesn't seem to care that they have one; The OS runs the files regardless."

So, what can users do?

Before downloading any attachments or clicking links, even when it appears to come from your employer, pause first and verify that it is legitimate. You should contact the person mentioned through your normal channel, like an IM or email address that you have for them. Do not respond directly to the email; your response will only go to the scammer. 

As always, never click links in email or text unless you are absolutely sure you know who it came from. Don't be tricked by emergency or threatening messages that pressure you to click or download.  Other tips to stay safe include:

• Always keep your device protected by antivirus software.
• Use strong passwords and never reuse them on multiple websites.
• Turn on two-factor authentication for all your apps, including Slack and BaseCamp.