High
A new phishing campaign is underway that targets a company’s employees with fake customer complaints which install a new backdoor used to compromise the network. Many corporate employees have been receiving fake emails pretending to come from their company’s “Corporate Lawyer”. Subjects such as “Re: customer complaint in [insert company name]” or “Re: customer complaint for [recipient name]” are used to alarm the employee. The emails state that the recipient’s employer has received a customer complaint about them and that, as a result, the employee will be fined and have the amount deducted from their salary. Have a look at the sample below.
When a user visits this Google Docs link, they see a styled Google Docs document made to look like a customer complaint, with instructions on how to download it.
When the user tries to view the supposed PDF on Google Docs, they are prompted to “Expand and Preview” it. Clicking that link downloads a file named Prevew.PDF.exe. Despite the PDF-looking name, the file is not a PDF but a Windows executable: a new backdoor called ‘bazaloader’, named after the domain used by its command and control server.
When executed, the malware injects itself into the legitimate C:\Windows\system32\svchost.exe process and then connects to a remote command and control server, to which it sends data and from which it receives further commands or payloads. Researchers suspect that this backdoor is used to download Cobalt Strike. Once Cobalt Strike is deployed, the attackers gain full access to the victim’s computer and can use it to compromise the rest of the network, install ransomware, or steal data to be used for extortion.
Filename: Prevew[.]PDF[.]exe
MD5: fd18f895de2806d7bfe6fcbd189e4bb9
SHA-256: 1e123a6c5d65084ca6ea78a26ec4bebcfc4800642fec480d1ceeafb1cacaaa83
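The following script is an added triage example, not code from the advisory or from the researchers it cites. It turns the three observations above (the “Re: customer complaint …” subject lure, the Prevew.PDF.exe double-extension trick, and the published hashes) into checks a mail gateway or proxy-log review could apply. The DownloadRecord layout, the extension lists and the sample records are assumptions constructed for the demonstration; only the filename and hashes in the IoC sets come from the advisory.

```python
import re
from dataclasses import dataclass

# IoCs quoted from the advisory; the defanged "[.]" is restored for matching.
IOC_FILENAMES = {"prevew.pdf.exe"}
IOC_MD5 = {"fd18f895de2806d7bfe6fcbd189e4bb9"}
IOC_SHA256 = {"1e123a6c5d65084ca6ea78a26ec4bebcfc4800642fec480d1ceeafb1cacaaa83"}

# Subject forms reported in the advisory ("Re: customer complaint in/for ...").
LURE_SUBJECT = re.compile(r"^\s*re:\s*customer complaint (?:in|for)\b", re.IGNORECASE)

# Assumed lists: extensions a user expects to open in a viewer, and ones Windows will run.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "msi", "pif"}


def refang(value: str) -> str:
    """Turn a defanged indicator such as 'Prevew[.]PDF[.]exe' back into a comparable string."""
    return value.replace("[.]", ".")


def is_lure_subject(subject: str) -> bool:
    """True for subjects matching the campaign's 'Re: customer complaint ...' pattern."""
    return bool(LURE_SUBJECT.search(subject))


def is_disguised_executable(filename: str) -> bool:
    """True when the last extension is executable but an inner one looks like a document
    (the Prevew.PDF.exe trick). 'report.pdf' and 'setup.exe' are not flagged; 'x.pdf.exe' is."""
    parts = refang(filename).lower().split(".")
    if len(parts) < 3:
        return False
    return parts[-1] in EXECUTABLE_EXTS and any(p in DOCUMENT_EXTS for p in parts[1:-1])


@dataclass
class DownloadRecord:
    """One line of a constructed web-proxy download log: who fetched which file, with hashes."""
    user: str
    filename: str
    md5: str
    sha256: str


def triage_download(rec: DownloadRecord) -> list[str]:
    """Return the reasons a download should be escalated; an empty list means nothing matched."""
    reasons = []
    name = refang(rec.filename).lower()
    if name in IOC_FILENAMES:
        reasons.append("filename matches published IoC")
    if rec.md5.lower() in IOC_MD5:
        reasons.append("MD5 matches published IoC")
    if rec.sha256.lower() in IOC_SHA256:
        reasons.append("SHA-256 matches published IoC")
    if is_disguised_executable(name):
        reasons.append("document-looking name with executable extension")
    return reasons


def triage_all(records: list[DownloadRecord]) -> list[tuple[str, str, list[str]]]:
    """Run triage over a batch and keep only the records that raised at least one reason."""
    flagged = []
    for rec in records:
        reasons = triage_download(rec)
        if reasons:
            flagged.append((rec.user, rec.filename, reasons))
    return flagged


# Constructed sample records: one exact IoC hit, one renamed variant with unknown hashes,
# and one benign PDF. The hashes of the second and third records are made up for the demo.
SAMPLE_DOWNLOADS = [
    DownloadRecord("alice", "Prevew.PDF.exe",
                   "fd18f895de2806d7bfe6fcbd189e4bb9",
                   "1e123a6c5d65084ca6ea78a26ec4bebcfc4800642fec480d1ceeafb1cacaaa83"),
    DownloadRecord("bob", "Complaint_2021.pdf.exe",
                   "00000000000000000000000000000001",
                   "0000000000000000000000000000000000000000000000000000000000000001"),
    DownloadRecord("carol", "policy.pdf",
                   "00000000000000000000000000000002",
                   "0000000000000000000000000000000000000000000000000000000000000002"),
]

if __name__ == "__main__":
    for user, filename, reasons in triage_all(SAMPLE_DOWNLOADS):
        print(f"{user}: {filename} -> {'; '.join(reasons)}")
```

The hash checks only catch the exact sample in the advisory; the double-extension check is what catches a recompiled or renamed variant such as the constructed “bob” record, which is why it is worth keeping separate from the IoC lookup. Windows Explorer hides known extensions by default, so Prevew.PDF.exe is shown to the user as Prevew.PDF, which is what makes this naming trick effective and why the check runs on the full filename rather than the displayed one.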