BazarLoader is a malicious dropper used in multiple campaigns, including the massive wave of attacks targeting US Hospitals with the Ryuk ransomware during October 2020. The primary purpose of BazarLoader is to download and execute additional malware payloads, and one of the key characteristics is its delivery mechanism, which exploits legitimate cloud services like Google Docs to host the malicious payload.
Constantly looking for new ways to launch evasive attacks, the threat actors behind BazarLoader are now exploiting the growing confidence and trust in collaboration services. In a campaign recently discovered by researchers at Sophos, the malware was distributed via malicious spam emails containing links to the cloud storage component of two legitimate services, Slack and BaseCamp, for delivering the malicious payload.
This is yet another example of how collaboration services, considered an essential tool by millions of remote workers worldwide, are abused by cybercriminals, who also prey on the anxiety and uncertainty surrounding the victim. In this BazarLoader campaign, an email disguised itself as a notification that the employee had been laid off.
How Netskope mitigates this threat
Slack and BaseCamp are among the thousands of cloud services for which the Netskope Next Gen SWG can enforce granular access control policies. If these cloud apps are not part of the corporate perimeter, Netskope can prevent access to the entire service, or just block potentially dangerous activities (such as download). In the case of Slack, and dozens of additional services, the Netskope Next Gen SWG can go even further, being able to apply instance-based policies (for example “Corporate Slack” vs. “Non-Corporate Slack”). Additionally, the multi-layer threat protection engine is able to scan every download from Slack and BaseCamp (and thousands of cloud storage services) to prevent any abuse aimed to deliver malware into the victim’s endpoint.