Customer complaint phishing pushes network hacking malware

A new phishing campaign is underway that targets a company’s employees with fake customer complaints that install a new backdoor used to compromise a network.

For the past two weeks, BleepingComputer, and others we have spoken with, have been receiving fake emails pretending to be from their company’s “Corporate Lawyer”.

These emails utilize subjects like “Re: customer complaint in [insert company name]” or “Re: customer complaint for [recipient name]” and state that the recipient’s employer has received a customer complaint about them. Due to this, the employee will be fined and have the amount deducted from their salary.

Fake customer complaint phishing emails
Fake customer complaint phishing emails

The text of these emails will read similar to the following text:

Good morning
This is corporate lawyer from Bleeping Computer. I tried to reach you in office, but you are not available. When i can call you again?
We will debit your account because of company customer complaint on you, Complaint 4/20 (preview)
 
Here is a copy of Customer Complaint in Corporate Google Documents: https://docs.google.com/document/d/e/xxx/pub
 
I will be in Bleeping Computer at 4 PM.
 
Kate Smith
Corporate Lawyer

These emails tell the employee to download and review the complaint from an included Google Docs link as the “Corporate Lawyer” would like to meet with them to discuss it.

When a user visits this link, they will see a stylized Google Docs document pretending to a customer complaint with information on how to download it.

Phishing landing page
Phishing landing page

When a user clicks on the “Expand and Preview” link, a file named Prevew.PDF.exe will be downloaded.

This executable, though, is a new backdoor being named ‘bazaloader’ based on the domain used by its command and control server.

Targeting corporate networks

For the past few weeks, many researchers have been seeing a new backdoor being distributed via phishing emails that contain a link to a fake PDF on Google Docs.

As described above, when a user tries to view the PDF on Google Docs, they will be prompted to “Expand and Preview” it, which will cause a file to be downloaded.

In our phishing attack, the name of the file is Preview.PDF.exe and is signed with a certificate from a company named “VB Corporate PTY, LTD”.

Code-signed malware
Code-signed malware

When executed, the malware will inject itself into the legitimate C:Windowssystem32svchost.exe and then proceed to connect to a remote server command & control server where it will send data and receive further commands or payloads.

According to security researcher James, this backdoor had been named ‘bazaloader’ as is utilizes the Blockchain-DNS resolver and its associated ‘bazar’ domain for the command and control servers.

In a conversation with James, BleepingComputer was told that this backdoor has been seen deploying Cobalt Strike on infected networks.

Once Cobalt Strike is deployed, the attackers gain full access to the victim’s computer and can use it to compromise the rest of the network to install ransomware or steal data to be used for extortion.

Enable file extensions!

As this phishing campaign is designed to infiltrate the corporate networks of the targeted companies, it is essential that users not open any executables downloaded from Google Docs.

Furthermore, as Windows does not display file extensions by default, it adds further risk to the operating system as users will not realize that the file they downloaded is an executable rather than a PDF.

To be safe, always enable file extensions in Windows so that you can quickly identify what type of file is being downloaded.

Kent

Next Post

The Neanderthal DNA you carry may have surprisingly little impact on your looks, moods | Science

Thu Apr 23 , 2020
Icelanders didn’t get their freckles and occasional red hair from Neanderthal ancestors. PhotoAlto / Alamy Stock Photo By Ann GibbonsApr. 22, 2020 , 11:20 AM If you think you got your freckles, red hair, or even narcolepsy from a Neanderthal in your family tree, think again. People around the world […]