Over the past two weeks, BleepingComputer and others have been tracking a new phishing scheme that targets a company’s employees with fake customer complaints and installs a new backdoor trojan. These emails use subject lines such as “Re: customer complaint in [insert company name]” or “Re: customer complaint for [recipient name].” The messages state that the recipient’s employer has received a complaint about them and that the employee will be fined, with the amount deducted from their salary. The email directs the victim to download a copy of the complaint from a Google Docs link. If the victim downloads and runs the file, which is an executable program disguised as a PDF document, a new backdoor trojan named ‘bazaloader’ is installed which communicates with a Command and Control (C2) server for further instructions. Bazaloader then deploys Cobalt Strike which will give the attacker full control over a victim’s computer and can be used to compromise an entire network.
Analyst Notes
The malicious download contained in the email has a tab that shows “Expand and Preview” and the actual name of the file is “Preview.PDF.exe. Having the .exe file extension means that this is not a pdf but is an executable file. By default, Windows does not show file extensions. It is highly recommended to enable file extensions so that anyone can easily see what type of file it is. It may be difficult for network administrators to block downloads of executable files from Google Docs, since the request and download are encrypted and make use of Google-owned servers, which are usually whitelisted as safe. Monitoring employee workstations for execution of files with extensions such as “pdf.exe” or other signs of potential attacker behavior is an important security control. Endpoint Detection and Response (EDR) tools can help skilled security analysts recognize attacks such as this one and stop them in the early stages, before the entire network is compromised.
