Threat Labs Cloud Threats Memo: Malicious Campaigns Taking Advantage of Well-known Collaboration Apps
Apr 20 2021

Cloud Threats Memo: Malicious Campaigns Taking Advantage of Well-known Collaboration Apps

BazarLoader is a malicious dropper used in multiple campaigns, including the massive wave of attacks targeting US Hospitals with the Ryuk ransomware during October 2020. The primary purpose of BazarLoader is to download and execute additional malware payloads, and one of the key characteristics is its delivery mechanism, which exploits legitimate cloud services like Google Docs to host the malicious payload.

Constantly looking for new ways to launch evasive attacks, the threat actors behind BazarLoader are now exploiting the growing confidence and trust in collaboration services. In a campaign recently discovered by researchers at Sophos, the malware was distributed via malicious spam emails containing links to the cloud storage component of two legitimate services, Slack and BaseCamp, for delivering the malicious payload.

This is yet another example of how collaboration services, considered an essential tool by millions of remote workers worldwide, are abused by cybercriminals, who also prey on the anxiety and uncertainty surrounding the victim. In this BazarLoader campaign, an email disguised itself as a notification that the employee had been laid off.

How Netskope mitigates this threat

Slack and BaseCamp are among the thousands of cloud services for which the Netskope Next Gen SWG can enforce granular access control policies. If these cloud apps are not part of the corporate perimeter, Netskope can prevent access to the entire service, or just block potentially dangerous activities (such as download). In the case of Slack, and dozens of additional services, the Netskope Next Gen SWG can go even further, being able to apply instance-based policies (for example “Corporate Slack” vs. “Non-Corporate Slack”). Additionally, the multi-layer threat protection engine is able to scan every download from Slack and BaseCamp (and thousands of cloud storage services) to prevent any abuse aimed to deliver malware into the victim’s endpoint.

Stay safe!

author image
About the author
Paolo supports Netskope’s customers in protecting their journey to the cloud and is a security professional, with 20+ years experience in the infosec industry. He is the mastermind behind hackmageddon.com, a blog detailing timelines and statistics of all the main cyber-attacks occurred since 2011. It is the primary source of data and trends of the threat landscape for the Infosec community.
Paolo supports Netskope’s customers in protecting their journey to the cloud and is a security professional, with 20+ years experience in the infosec industry. He is the mastermind behind hackmageddon.com, a blog detailing timelines and statistics of all the main cyber-attacks occurred since 2011. It is the primary source of…