BazarLoader Attacks Use Compromised Software Installers

Researchers have observed the BazarLoader information stealer, known for providing initial access for various ransomware affiliates, expanding its delivery methods to now include the use of compromised software installers and the abuse of ISO files.

The loader, which was first observed in April 2020, primarily acts as a delivery mechanism for second-stage malware, including several high-profile ransomware families like Ryuk, Conti and Zeppelin. Over the past year, researchers have observed an increase in BazarLoader (along with Trickbot) deliveries, which they said have likely led to a corresponding increase in Conti ransomware attacks since June.

“The number of arrival mechanism variations used in BazarLoader campaigns continue to increase as threat actors diversify their attack patterns to evade detection,” said Ian Kenefick, threat analyst with Trend Micro, in a Tuesday analysis.

Previously, BazarLoader relied on a unique delivery mechanism that researchers with Proofpoint said they observed since February, which leveraged a combination of emails and phone-based “customer service representatives” for carrying out attacks. Here, spam emails instructed victims to call a phone number, which led to an attacker-controlled call center that gave victims a URL and directed them to download a malicious file. This tactic also helped attackers bypass email protection filters that would block out malicious links or attachments. Researchers with Palo Alto Network’s Unit 42 team in July also observed BazarLoader spread via a copyright violation-themed campaign using ZIP archives, and through English-language emails sent by the TA551 threat group.

In new attacks, which targeted victims in the Americas, researchers observed BazarLoader attackers expanding their delivery methods to use legitimate, compromised installers – versions of the VLC media player and TeamViewer remote access and remote control software – and convincing victims to download them. After these installers loaded, they dropped a BazarLoader executable, which is another notable difference from recent BazarLoader delivery methods that instead relied on dynamic link libraries (DLLs).

“While the…