Malicious CSV text files used to install BazarBackdoor malware

A phishing campaign uses specially crafted CSV text files to install the BazarLoader/BazarBackdoor malware by abusing Excel’s Dynamic Data Exchange (DDE) feature. The attack chain pivots through WMIC and PowerShell to download and execute a DLL, enabling remote access and potential lateral movement on victims’ networks. #BazarLoader #BazarBackdoor #TrickBot #DynamicDataExchange #PowerShell #WMIC

Keypoints

  • Phishing emails pretend to be “Payment Remittance Advice” and link to remote sites that deliver a CSV file.
  • The CSV contains a DDE-enabled payload that triggers a WMIC-based PowerShell command to run additional code.
  • A remote PowerShell script downloads a DLL and uses rundll32.exe to execute it, installing BazarLoader/BazarBackdoor.
  • Excel prompts users to enable DDE and to allow WMIC to start, creating a user-assisted execution flow.
  • BazarBackdoor provides threat actors remote access for lateral movement and potential further malware deployment.
  • Security researcher telemetry indicates substantial victim counts in a short period (e.g., 102 corporate/government victims).

MITRE Techniques

  • [T1566.002] Phishing: Spearphishing Link – Delivery via emails with links to remote sites that download a CSV file. “The phishing emails pretend to be ‘Payment Remittance Advice’ with links to remote sites that download a CSV file.”
  • [T1059.001] PowerShell – The remote PowerShell script is downloaded and executed as part of the payload chain. “The astute reader… will notice that one of the data columns contains a strange WMIC call in one of the columns of data that launches a PowerShell command.”
  • [T1047] Windows Management Instrumentation (WMI) – DDE flow uses WMIC to start PowerShell and run commands. “This =WmiC| command is a DDE function that causes Microsoft Excel, if given permission, to launch WMIC.exe and execute the provided PowerShell command to input data into the open workbook.”
  • [T1218.011] Signed Binary Proxy Execution: Rundll32 – Executing a downloaded DLL via rundll32. “This DLL program is then executed using the rundll32.exe command.”
  • [T1105] Ingress Tool Transfer – Downloading and executing payload from a remote script (payload delivery). “The remote PowerShell script command… will download a picture.jpg file and save it as C:\Users\Public\87764675478.dll.”
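The delivery mechanism above relies on Excel evaluating CSV cells as formulas, so a CSV attachment can be screened before it ever reaches a spreadsheet application. The following Python scanner is an added example, not code from the article or from any tool it mentions: it flags cells that Excel would treat as formulas, distinguishes the DDE call shape (`=APP|'args'!cell`) from ordinary formulas, and offers a text-only neutralization. The sample CSV is constructed and uses a placeholder in place of any real command.

```python
import csv
import io
import re

# A cell whose first non-blank character is one of these is evaluated by Excel
# as a formula rather than displayed as text when the CSV is opened there.
FORMULA_TRIGGERS = ("=", "+", "-", "@")
# Shape of a DDE call: =APPLICATION|'arguments'!cell_reference
DDE_PATTERN = re.compile(r"^\s*[=+\-@].*?\w+\s*\|.*?!", re.DOTALL)
# Living-off-the-land binaries commonly named inside formula payloads.
LOLBIN_TOKENS = re.compile(r"\b(wmic|cmd|powershell|pwsh|mshta|rundll32|msiexec|regsvr32)\b", re.I)

# Constructed sample: a benign negative number plus one DDE-shaped cell with a placeholder command.
SAMPLE_CSV = (
    "Invoice,Amount,Note\n"
    "INV-1001,-250.00,Refund\n"
    "INV-1002,1200.50,\"=WmiC|'HYPOTHETICAL_COMMAND'!A1\"\n"
    "INV-1003,300.00,Paid\n"
)

def classify_cell(cell):
    """None for plain text/numbers, else 'dde', 'formula-lolbin' or 'formula'."""
    stripped = cell.lstrip(" \t")
    if not stripped.startswith(FORMULA_TRIGGERS):
        return None
    try:
        float(stripped)  # "-250.00" or "+3" is a number, not a formula
        return None
    except ValueError:
        pass
    if DDE_PATTERN.match(stripped):
        return "dde"
    if LOLBIN_TOKENS.search(stripped):
        return "formula-lolbin"
    return "formula"

def scan_csv_text(text):
    """(row, col, reason, cell) for every cell Excel would evaluate as a formula."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        for c, cell in enumerate(row, start=1):
            reason = classify_cell(cell)
            if reason:
                findings.append((r, c, reason, cell))
    return findings

def neutralize_cell(cell):
    """Prefix the trigger character with a quote so Excel shows the cell as text."""
    return "'" + cell if classify_cell(cell) else cell
```

Negative amounts and signed numbers are deliberately skipped so that a finance-style export does not drown the DDE finding in false positives.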

Indicators of Compromise

  • [File] document-21966.csv – CSV file used in the phishing payload
  • [File] C:\Users\Public\87764675478.dll – DLL downloaded and later executed

Read more: https://www.bleepingcomputer.com/news/security/malicious-csv-text-files-used-to-install-bazarbackdoor-malware/