A new phishing campaign is underway that targets a company’s employees with fake customer complaints that install a new backdoor used to compromise a network.
For the past two weeks, BleepingComputer, and others we have spoken with, have been receiving fake emails pretending to be from their company’s “Corporate Lawyer”.
These emails utilize subjects like “Re: customer complaint in [insert company name]” or “Re: customer complaint for [recipient name]” and state that the recipient’s employer has received a customer complaint about them. Due to this, the employee will be fined and have the amount deducted from their salary.
The text of these emails will read similar to the following text:
Good morning This is corporate lawyer from Bleeping Computer. I tried to reach you in office, but you are not available. When i can call you again? We will debit your account because of company customer complaint on you, Complaint 4/20 (preview) Here is a copy of Customer Complaint in Corporate Google Documents: https://docs.google.com/document/d/e/xxx/pub I will be in Bleeping Computer at 4 PM. Kate Smith Corporate Lawyer
These emails tell the employee to download and review the complaint from an included Google Docs link as the “Corporate Lawyer” would like to meet with them to discuss it.
When a user visits this link, they will see a stylized Google Docs document pretending to a customer complaint with information on how to download it.
When a user clicks on the “Expand and Preview” link, a file named Prevew.PDF.exe will be downloaded.
This executable, though, is a new backdoor being named ‘bazaloader’ based on the domain used by its command and control server.
Targeting corporate networks
For the past few weeks, many researchers have been seeing a new backdoor being distributed via phishing emails that contain a link to a fake PDF on Google Docs.
As described above, when a user tries to view the PDF on Google Docs, they will be prompted to “Expand and Preview” it, which will cause a file to be downloaded.
In our phishing attack, the name of the file is Preview.PDF.exe and is signed with a certificate from a company named “VB Corporate PTY, LTD”.
When executed, the malware will inject itself into the legitimate C:Windowssystem32svchost.exe and then proceed to connect to a remote server command & control server where it will send data and receive further commands or payloads.
In a conversation with James, BleepingComputer was told that this backdoor has been seen deploying Cobalt Strike on infected networks.
Once Cobalt Strike is deployed, the attackers gain full access to the victim’s computer and can use it to compromise the rest of the network to install ransomware or steal data to be used for extortion.
Enable file extensions!
As this phishing campaign is designed to infiltrate the corporate networks of the targeted companies, it is essential that users not open any executables downloaded from Google Docs.
Furthermore, as Windows does not display file extensions by default, it adds further risk to the operating system as users will not realize that the file they downloaded is an executable rather than a PDF.
To be safe, always enable file extensions in Windows so that you can quickly identify what type of file is being downloaded.