Over the past two weeks, BleepingComputer and others have been tracking a new phishing scheme that targets a company’s employees with fake customer complaints and installs a new backdoor trojan. These emails use subject lines such as “Re: customer complaint in [insert company name]” or “Re: customer complaint for [recipient name].” The messages state that the recipient’s employer has received a complaint about them and that the employee will be fined, with the amount deducted from their salary. The email directs the victim to download a copy of the complaint from a Google Docs link. The downloaded file is an executable program disguised as a PDF document. If the victim runs it, it installs a new backdoor trojan named ‘bazaloader’, which communicates with a Command and Control (C2) server for further instructions. Bazaloader then deploys Cobalt Strike, which gives the attacker full control over the victim’s computer and can be used to compromise an entire network.
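A mail-triage check built on the two indicators described above (the subject-line formats and the Google Docs link), added here as an example and not taken from BleepingComputer or Binary Defense. The `docs.google.com` host, the verdict names and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Subject formats quoted in the article: "Re: customer complaint in <company>"
# and "Re: customer complaint for <recipient>".
SUBJECT_RE = re.compile(r"^\s*re:\s*customer complaint\s+(in|for)\s+\S", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>()\[\]]+", re.I)
LURE_HOSTS = {"docs.google.com"}  # assumption: host behind the "Google Docs link"


def body_text(msg):
    """Join every text/* part so links in HTML-only mail are inspected too."""
    return "\n".join(part.get_content() for part in msg.walk()
                     if part.get_content_maintype() == "text")


def triage(raw):
    """Classify one raw message as 'quarantine', 'review' or 'pass'."""
    # policy.default decodes RFC 2047 encoded-word subjects before matching,
    # so an encoded subject cannot slip past the pattern.
    msg = message_from_string(raw, policy=policy.default)
    subject_hit = bool(SUBJECT_RE.search(str(msg["Subject"] or "")))
    hosts = {(urlparse(u).hostname or "").rstrip(".")
             for u in URL_RE.findall(body_text(msg))}
    link_hit = bool(hosts & LURE_HOSTS)
    if subject_hit and link_hit:
        return "quarantine"  # both indicators from the article are present
    # A Google Docs link alone is ordinary business mail; the subject alone
    # is worth an analyst's look.
    return "review" if subject_hit else "pass"


# Constructed sample messages (not taken from the campaign).
SAMPLES = {
    "lure": ("Subject: =?utf-8?q?Re=3A_customer_complaint_for_J=2E_Doe?=\n"
             "Content-Type: text/html\n\n"
             '<a href="https://docs.google.com/document/d/EXAMPLE/view">'
             "complaint</a>\n"),
    "subject_only": ("Subject: RE: Customer complaint in Example Corp\n\n"
                     "See attached.\n"),
    "benign": ("Subject: Lunch\n\n"
               "Menu: https://docs.google.com/document/d/EXAMPLE2\n"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", triage(raw))
```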
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense

Russia’s invasion of Ukraine increased