BazarLoader Downloader now combines social engineering with legitimate products that are widely used in organizations; this was observed in two separate incidents. The campaign was first active in April 2020, and since then security researchers have found six different variants of the malware.
According to researchers at Sophos, BazarLoader in the initial campaign targeted employees of big organizations with emails offering important information regarding customer service, invoices, payroll, or contracts. The links used in the email were hosted on BaseCamp or Slack cloud storage and looked genuine.
During the second campaign, the attackers used spam messages. The email claims that the recipient's free trial of an online service is about to expire and that the victim must provide a telephone number to avoid expiration. When the victim calls, the person on the line directs them to a malicious website address, which serves a malicious Office document.
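Both campaigns described above share two observable traits in the mail itself: a business-themed lure (customer service, invoices, payroll, contracts, or an expiring trial) paired with either a link hosted on a legitimate collaboration service or a request to call a phone number. The following Python triage function is an added example written for this article, not code from Sophos or from the article; it runs over a few constructed sample messages, and the keyword list and the cloud-share domain list are assumptions for illustration, not indicators taken from the reported campaigns.

```python
import re
from urllib.parse import urlparse

# Lure themes reported for the two campaigns (assumed spelling/phrasing for matching).
LURE_KEYWORDS = ("customer service", "invoice", "payroll", "contract", "free trial", "expire")

# Legitimate collaboration hosts the article says were abused for link hosting.
# The exact domain list is an assumption for this example.
CLOUD_SHARE_HOSTS = ("basecamp.com", "slack.com")

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Loose phone-number pattern: optional '+', a digit, 7+ digits/separators, a digit.
PHONE_RE = re.compile(r"(?<!\w)\+?\d[\d\s().-]{7,}\d(?!\w)")


def host_matches(url, hosts):
    """True if the URL's host is one of `hosts` or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in hosts)


def triage_email(subject, body):
    """Flag messages that pair a lure theme with a cloud-share link or a callback request."""
    text = f"{subject}\n{body}".lower()
    themes = [k for k in LURE_KEYWORDS if k in text]
    urls = URL_RE.findall(body)
    cloud_links = [u for u in urls if host_matches(u, CLOUD_SHARE_HOSTS)]
    findings = []

    # Campaign 1 pattern: business lure + link on a legitimate collaboration host.
    if themes and cloud_links:
        findings.append("lure_theme_with_cloud_share_link")

    # Campaign 2 pattern: expiring-trial lure + phone number + request to call.
    asks_call = bool(PHONE_RE.search(body)) and ("call" in text or "phone" in text)
    if themes and asks_call and "expire" in text:
        findings.append("expiring_trial_callback_lure")

    return {"themes": themes, "cloud_links": cloud_links, "findings": findings}


# Constructed sample messages (not real campaign emails).
SAMPLE_EMAILS = [
    ("Updated payroll information",
     "Please review the payroll changes here: https://3.basecamp.com/12345/buckets/1/uploads/9 before Friday."),
    ("Your free trial is about to expire",
     "Your free trial of our online service expires tomorrow. To keep your access, call +1 (555) 010-0199 and confirm your phone number."),
    ("Team lunch Friday",
     "Let's meet at noon. Menu: https://example.com/menu"),
]


def run_samples():
    """Triage every constructed sample and return the results in order."""
    return [triage_email(subject, body) for subject, body in SAMPLE_EMAILS]


if __name__ == "__main__":
    for (subject, _), result in zip(SAMPLE_EMAILS, run_samples()):
        print(f"{subject!r}: {result['findings'] or 'no findings'}")
```

The two rules are deliberately conjunctive: a link to Basecamp or Slack alone is normal business traffic, and a phone number alone is common in signatures, so each rule only fires when the lure theme the article describes is also present. In a real mail gateway these would be one input to a score alongside sender reputation and attachment analysis, not a standalone block decision.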
BazarLoader Downloader is linked with the TrickBot operators, as it uses similar C2 infrastructure. Both malware families were also spotted communicating with the same IP address that was used in previous attacks.
Organizations should employ adequate security measures and keep their systems updated to stay protected.