A recently observed phishing campaign is using malicious CSV text files to install the BazarLoader/BazarBackdoor trojan. BazarBackdoor is a backdoor created by the TrickBot gang to give threat actors remote access to a compromised device, which they can then use to move laterally through a corporate network, install more malware, steal data, and deploy ransomware.
The phishing message professes to be “Payment Remittance Advice” and contains links to remote web pages that download a malicious CSV file. When the CSV file is opened in Excel, the application shows a security notice asking whether the user wants to “enable automatic update of links.” If the user clicks Enable, a second and final notice asks them to confirm the action. If the user confirms both prompts, Excel launches a PowerShell script that ultimately downloads and executes BazarBackdoor. Despite the security reminders, people have been observed falling for this scam. According to AdvIntel CEO Vitali Kremez, “Based on our visibility into the BazarBackdoor telemetry, we have observed 102 actual non-sandbox corporate and government victims over the past two days from this phishing campaign.” Read more at BleepingComputer.
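The defensive angle here is that a CSV file is plain text, so a mail gateway or sandbox can inspect it before Excel ever offers to "update links". The scanner below is an added example, not code from the article or from any of the researchers it cites. It flags cells that Excel would treat as formulas (leading `=`, `+`, `-` or `@`), and within those it looks for the `application|topic!item` shape of an Excel external link and for the word `powershell`, which the article does name as what the link launches. The exact formula used by this campaign is not quoted in the summary above, so the link syntax and the constructed sample rows are assumptions; `EXAMPLEAPP` is a placeholder, not a real application name.

```python
import csv
import io
import re

# Leading characters that make Excel evaluate a CSV cell instead of
# displaying it as text. Negative numbers also start with "-", so a
# plain formula-cell hit is low severity on its own.
FORMULA_PREFIXES = ("=", "+", "-", "@")

# Shape of an Excel external link: <application>|<topic>!<item>.
# Assumption: the campaign's payload cell follows this general form;
# the summary above does not quote the actual formula.
LINK_RE = re.compile(r"^[=+\-@]\s*[A-Za-z_][\w.]*\s*\|.*!")

# The one concrete indicator the article gives: the link runs PowerShell.
SUSPICIOUS_WORDS = ("powershell",)


def cell_findings(cell, row_no, col_no):
    """Return (kind, row, col, cell) tuples for one CSV cell."""
    stripped = cell.lstrip()  # be conservative about leading whitespace
    if not stripped.startswith(FORMULA_PREFIXES):
        return []
    findings = []
    if LINK_RE.match(stripped):
        findings.append(("dde-link", row_no, col_no, stripped))
    lowered = stripped.lower()
    for word in SUSPICIOUS_WORDS:
        if word in lowered:
            findings.append(("keyword:" + word, row_no, col_no, stripped))
    if not findings:
        # Formula-looking but no link syntax or keyword: report at low severity.
        findings.append(("formula-cell", row_no, col_no, stripped))
    return findings


def scan_csv_text(text):
    """Scan CSV text and return every finding, in row/column order."""
    findings = []
    reader = csv.reader(io.StringIO(text))
    for row_no, row in enumerate(reader, start=1):
        for col_no, cell in enumerate(row, start=1):
            findings.extend(cell_findings(cell, row_no, col_no))
    return findings


def is_suspicious(text):
    """True when any finding is stronger than a bare formula-looking cell."""
    return any(kind != "formula-cell" for kind, *_ in scan_csv_text(text))


# Constructed samples (not real campaign data). The negative amount in the
# benign file shows the expected low-severity false positive.
SAMPLE_BENIGN = "invoice,amount\nINV-1001,250.00\nINV-1002,-15.00\n"
SAMPLE_SUSPECT = (
    "invoice,amount,note\n"
    "INV-1001,250.00,\"=EXAMPLEAPP|'placeholder powershell argument'!A0\"\n"
)

if __name__ == "__main__":
    for name, sample in (("benign", SAMPLE_BENIGN), ("suspect", SAMPLE_SUSPECT)):
        print(name, "suspicious" if is_suspicious(sample) else "clean")
        for finding in scan_csv_text(sample):
            print("   ", finding)
```

Run it as-is to see both samples scored; in practice the text would come from the attachment body at the gateway. Treating "formula-cell" as low severity matters because ordinary spreadsheets full of negative numbers would otherwise drown the real hits, while the link syntax and the PowerShell keyword are what actually correspond to the "update links" prompt the article describes.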