Two new, and relatively complex, phishing campaigns have been spotted using popular online collabotation tools to lure victims from high-value targets into downloading a malicious loader.
According to researchers from Sophos, criminals started using Slack and BaseCamp to target specific people within organizations and get them to download the BazarLoader malware.
A loader is a gateway program that, when installed, allows the attackers to install the actual malware in the second stage of the attack. At that point, they could install whatever they wanted, from ransomware to data miners and everything in between.
The tactics are relatively complex and convoluted, Sophos explained. In the first one, criminals would send messages claiming to have important information about payroll, contracts, invoices or customer service inquiries. In some cases, even about layoffs. They used Slack and BaseCamp to host the malware there, making it look legitimate.
Sophos believes this is also why the campaign lasted for such a short period of time (just a few weeks, allegedly), as both Slack and BaseCamp moved in quickly to remove the malware from their servers.
As soon as the victims opened the document that came with the message, or clicked on the corresponding link, they’d be infected.
The second tactic was even more complex. In it, attackers would text the victims and tell them that the free trial for the service they had signed up for recently was about to expire. They were warned that the renewal is expensive and that they should opt-out.
At that point, the victims would receive a phone number that they needed to call in order to cancel the fictive subscription. On the call, the victims would get a web address where they were invited to click the “Unsubscribe” button. However, the button would actually deliver a malicious Office document, carrying the BazarLoader.
Sophos’ analysts believe the attackers were simply experimenting with new tactics.
To stay safe, they recommend the usual – always be suspicious of links and attachments you get, and never open anything without double-checking the legitimacy of the sender, first.