![]() ![]() The code samples delivered via Basecamp are signed with SSL certificates to masquerade as legitimate software, designed to bypass detection systems. Instead of a link to a credential harvesting page, the user will receive the BazarLoader that eventually injects the BazarBackdoor into running processes. Phishing emails arrive from marketing services, such as SendGrid, that contain a URL to Basecamp. ![]() BazarBackdoor is operated by the WizardSpider group which developed both Trickbot – one of the most infamous banking Trojans and now used as a distribution network for other malware – and the Ryuk ransomware – a serious threat to businesses all over the world, that has made its operators millions in ransom payments. Security researchers recently found that the BazarBackdoor has also begun leveraging Basecamp in its infection chains. Fake Office 365 login page to harvest credentials A Bazar(Backdoor) connection Google cloud services are also abused to host fake login phishing pages instead of a registered domain.įigure 4. As illustrated above, the main service exploited in this way is Basecamp: an online collaboration cloud service that enables users to share files with one another. ![]() This Office 365 phishing campaign leverages multiple trusted services that enable it to bypass security checks.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |