Scammers Use Fake DMCA Complaints, DDoS Threats to Deploy BazaLoader Malware

 

Threat actors responsible for the BazaLoader malware designed a brand-new bait to trick website owners into opening malicious files: fake notifications concerning the internet site being engaged in distributed denial-of-service (DDoS) assaults.

The notifications contain a legal risk and a file stored in a Google Drive directory that supposedly provides evidence of the source of the strike. 

Phony lawful threats 

The DDoS theme is a variation of another bait, a Digital Millennium Copyright Act (DMCA) infringement complaint, link to data that allegedly includes documentation of copyright infringement.

Brian Johnson, a website developer, and designer posted last week concerning his two clients receiving legal notifications about their websites being actually hacked to operate DDoS assaults versus a major company (Intuit, Hubspot). The sender was threatened with a lawsuit unless the recipients failed to “immediately clean” their website of the malicious files that assisted in deploying the DDoS attack. 

“I have shared the log file with the recorded evidence that the attack is coming from [example.com] and also detailed guidelines on how to safely deal with, find and clean up all malicious files manually in order to eradicate the threat to our network,” read the fake alert. 

The malicious sender also included a link to a file hosted in Google Drive claiming to provide evidence of the DDoS attack and its origin.

Earlier this year in April, Microsoft researchers warned about this technique used by attackers to deliver IcedID. At the time, only the lure and the payload were different. It was Matthew Mesa, a security researcher at Proofpoint, who unearthed that the campaign is sending out phishing emails that drop the BazaLoader malware.

Cybersecurity website BleepingComputer has received many of these breach alerts over the past few months with accusations of using shielded pictures without the owner’s consent. The notification provides a link to a file that supposedly lists the pictures used without authorization. The data is hosted in Google’s Firebase cloud storage. 

To make the matter seem urgent, the sender additionally points out that the website’s owner is “possibly be liable for statutory damage as high as $120,000.” However, it is all a stunt to deliver malware.

Cybersecurity researcher Brad Duncan analyzed the file and spotted it was a ZIP archive with JavaScript that gets the BazaLoader DLL, a backdoor associated with the TrickBot gang that generally leads to a ransomware infection. The malware then reaches its command and control (C2) server and gets Cobalt Strike, a penetration-testing tool largely exploited by attackers to maintain persistence and supply other payloads. 

The fake notifications are quite convincing and can increase the chances of receiving a "safe" mark from email security solutions. It is important to be vigilant and look for signs of malicious intent, such as incomplete contact information, poor grammar, and suspicious links to avoid falling into this social engineering trap, researchers advised.