March 14 — There’s a new social engineering technique that’s spreading malware, and many people are falling for it. Here’s how it works and how you can avoid it.
Most people in the cyber security industry know that e-mail is one of the most popular attack vectors used by criminals. Threat actors are now also using website contact forms to spread the BazarLoader malware. Because this social engineering scam has had little spotlight in the news, people are less cautious when they encounter it.
What is BazarLoader?
BazarLoader is a stealthy first-stage loader: once a user runs it on a computer, it downloads and installs additional malware. It has been used in the past to deliver payloads such as Conti ransomware, Ryuk ransomware, and TrickBot.
What makes BazarLoader so resilient is that its command-and-control domains (in the .bazar top-level domain, which gives the malware its name) are registered through EmerDNS, a decentralized DNS built on the Emercoin blockchain. A record there can only be changed by whoever holds the private key for the domain, so there is no registrar or hosting provider that can be asked to suspend it, and the takedown requests that would sink conventional infrastructure simply do not apply. Because ordinary resolvers do not know the .bazar zone, the malware has to query EmerDNS-aware public resolvers directly; outbound DNS traffic to resolvers other than your own is therefore worth blocking or alerting on.
Using contact forms to spread malware
In this scheme, the criminals submit a plausible business inquiry through a company's website contact form. When an employee replies by e-mail, the attacker keeps up the cover identity and uses further social engineering to persuade the employee to download a file, which turns out to carry a BazarLoader variant.
What makes this scheme so effective?
We've all heard of phishing e-mail scams, so an unsolicited e-mail gets a suspicious reading by default: people look closely at grammar, spelling, and lingo before they trust it.
With a contact form, however, it is the employee's job to respond to whoever submitted the request, and the e-mail thread that follows is one the employee started. Because he or she is the one taking action, the employee feels in control, and a reply that arrives in that thread inherits the trust of the original conversation. That is the psychology that makes this scheme so powerful.
How do you avoid this attack?
Be careful when you receive a file from an unknown source, including a file-sharing link sent in reply to a conversation you started. First, scan the file with a security product that goes beyond signature-based detection. Second, detonate it in a sandbox. Third, if you must open it, do so in a disposable virtual machine started from a clean snapshot, so that once the file has run and the analysis is done you can revert the machine to its pre-launch state. Never open the file on your own workstation, and report it to your security team.
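The first step above, looking past signatures at what a file actually is, can be started with a few static checks before anything is detonated. The script below is an added example, not code from the original article or from any vendor: it identifies a file's real type from its leading bytes, flags names that lie about that type (a document extension on an executable, a double extension), and looks inside zip archives for shortcuts, executables and disk images without trusting member names. The file names, size limits and the in-memory sample files are constructed for the example.

```python
"""Static pre-analysis of a file received through a contact-form reply.

Added example (not from the original article). Heuristics only: real type
by magic bytes, extension/content mismatch, double extensions, and
executables, shortcuts or disk images hidden inside an archive.
"""
import io
import zipfile
from pathlib import PurePosixPath

# Leading bytes that identify the real container type, whatever the name says.
MAGIC = {
    b"MZ": "pe",                                   # Windows EXE/DLL
    b"PK\x03\x04": "zip",
    b"\x7fELF": "elf",
    b"%PDF": "pdf",
    b"L\x00\x00\x00\x01\x14\x02\x00": "lnk",       # Shell Link: header size 0x4C + CLSID prefix
    b"\xd0\xcf\x11\xe0": "ole",                    # legacy Office / MSI container
}
ISO_SIGNATURE_OFFSET = 0x8001                      # "CD001" in the primary volume descriptor
EXECUTABLE_KINDS = {"pe", "elf", "lnk"}
CONTAINER_KINDS = {"zip", "iso"}
RISKY_EXT = {".exe", ".dll", ".scr", ".lnk", ".iso", ".img", ".js", ".vbs",
             ".hta", ".bat", ".cmd", ".ps1", ".msi"}
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
MAX_MEMBER_BYTES = 50 * 1024 * 1024                # assumed limit: refuse to inflate more
MAX_DEPTH = 3                                      # assumed limit on nested archives


def sniff(data: bytes) -> str:
    """Return the real file type from leading bytes, or 'unknown'."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    if data[ISO_SIGNATURE_OFFSET:ISO_SIGNATURE_OFFSET + 5] == b"CD001":
        return "iso"
    return "unknown"


def triage(name: str, data: bytes, depth: int = 0, where: str = "") -> list[str]:
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    label = where + name
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    ext = suffixes[-1] if suffixes else ""
    kind = sniff(data)
    findings = []

    if ext in RISKY_EXT:
        findings.append(f"{label}: executable or container extension {ext}")
        if len(suffixes) > 1:                      # e.g. Brochure.pdf.exe
            findings.append(f"{label}: double extension")
    if kind in EXECUTABLE_KINDS and ext not in RISKY_EXT:
        findings.append(f"{label}: {kind} content behind extension {ext or '(none)'}")
    elif ext in DOCUMENT_EXT and kind in CONTAINER_KINDS:
        findings.append(f"{label}: named like a document but is a {kind} container")
    if kind == "zip":
        findings.extend(triage_zip(label, data, depth))
    return findings


def triage_zip(label: str, data: bytes, depth: int) -> list[str]:
    """Inspect archive members by content; zipfile bounds each read by the declared size."""
    if depth >= MAX_DEPTH:
        return [f"{label}: archive nested deeper than {MAX_DEPTH}, not inspected"]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"{label}: zip magic but archive does not parse"]
    findings = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = f"{label}!{info.filename}"
            if info.flag_bits & 0x1:               # password-protected: scanners cannot see inside
                findings.append(f"{member}: encrypted member")
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append(f"{member}: declared size {info.file_size} exceeds limit")
                continue
            findings.extend(triage(info.filename, zf.read(info.filename), depth + 1, f"{label}!"))
    return findings


def build_samples() -> dict[str, bytes]:
    """Constructed test files, not real malware: only the headers matter here."""
    lnk = b"L\x00\x00\x00\x01\x14\x02\x00" + b"\x00" * 64
    dll = b"MZ" + b"\x00" * 62 + b"PE\x00\x00"
    pdf = b"%PDF-1.7\n%constructed sample\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice_2022.lnk", lnk)
        zf.writestr("vendor.dll", dll)
    return {
        "Invoice_2022.zip": buf.getvalue(),        # shortcut plus DLL inside an archive
        "Quote.pdf": dll,                          # executable renamed to look like a PDF
        "Brochure.pdf.exe": dll,                   # double extension
        "Catalog.pdf": pdf,                        # benign
    }


if __name__ == "__main__":
    for fname, blob in build_samples().items():
        hits = triage(fname, blob)
        print(f"{fname}: {'REVIEW' if hits else 'no static findings'}")
        for hit in hits:
            print("   ", hit)
```

An empty result is not a clean bill of health; it only means the file is not obviously lying about itself, and the sandbox and snapshot steps still apply. Encrypted archive members are flagged rather than skipped precisely because a password in the e-mail body is a common way to keep scanners from seeing the payload.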