BazarLoader is a malicious dropper used in multiple campaigns, including the massive wave of attacks targeting US Hospitals with the Ryuk ransomware during October 2020. The primary purpose of BazarLoader is to download and execute additional malware payloads, and one of the key characteristics is its delivery mechanism, which exploits legitimate cloud services like Google Docs to host the malicious payload.
Constantly looking for new ways to launch evasive attacks, the threat actors behind BazarLoader are now exploiting the growing confidence and trust in collaboration services. In a campaign recently discovered by researchers at Sophos, the malware was distributed via malicious spam emails containing links to the cloud storage component of two legitimate services, Slack and BaseCamp, for delivering the malicious payload.
This is yet another example of how collaboration services, considered an essential tool by millions of remote workers worldwide, are abused by cybercriminals, who also prey on the anxiety