Researchers have spotted a new phishing campaign you should be aware of.

What sets this one apart is that the hackers are using a humble but specially crafted CSV file to infect machines with the BazarBackdoor malware. If you're not familiar with the term, CSV stands for "Comma Separated Values"; it's a plain-text file format that can be loaded into Excel.

If you open the file in a text editor, you'll simply see alphanumeric values separated by commas, with the first line generally being the headers for the spreadsheet. Open the same file in Excel and it will separate the data into neat rows and columns.

CSV files are popular because they make it relatively easy to export data from one application and import it into another. Since the files are text only, most people consider them relatively harmless and are generally not all that cautious when opening them.

Microsoft Excel supports a feature called Dynamic Data Exchange (DDE), which can be used to execute commands and insert their output into the open spreadsheet, including a spreadsheet loaded from a CSV file.

Hackers are always on the lookout for new angles to play and have naturally begun to abuse this feature, using it to execute commands that download malware onto the devices of unsuspecting victims.

BazarBackdoor is a stealthy malware strain created by the TrickBot group. Its main purpose, as the name suggests, is to provide ongoing remote access to an internal device, which can then be used as a springboard for further lateral movement within a network.

The current campaign is centered around emails that pretend to be "Payment Remittance Advice" emails, with links to remote sites that download a CSV file with an innocuous name like "document-2196t6.csv."

If this file is opened in Notepad or WordPad and examined, at first glance it will appear to be nothing more than a run-of-the-mill CSV file. Unfortunately, embedded in one of the columns of data is a WMIC call that launches a PowerShell command, and that's all the hackers need to install the malware.
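A defender can catch this kind of lure before it reaches Excel by scanning the CSV text for cells that Excel would evaluate rather than display. The script below is an added example, not code from the article or the researchers it cites; it assumes the usual `=`, `+`, `-` and `@` formula triggers, an `application|topic!item` shape for DDE calls, and a short list of tool names (the article's WMIC and PowerShell plus a few assumed neighbours), and its sample CSV is constructed with a non-functional placeholder cell.

```python
import csv
import io
import re

# Leading characters that make Excel evaluate a CSV cell as a formula
FORMULA_TRIGGERS = "=+-@"
# Plain numbers (e.g. "-250.00") also start with a trigger but are harmless
NUMBER = re.compile(r"[-+]?\d[\d,]*(\.\d+)?")
# Assumed DDE shape: trigger, then application|topic!item (e.g. =WMIC|'...'!A1)
DDE_PATTERN = re.compile(r"^[=+\-@]\s*\w+\s*\|.*!")
# Tools the article says the campaign launches (WMIC, PowerShell) plus a few
# assumed neighbours commonly seen in formula-based lures
LOLBIN_TOKENS = re.compile(r"\b(cmd|wmic|powershell|mshta|rundll32|msiexec)\b", re.I)

# Constructed sample; the DDE cell is a non-functional placeholder, not a real payload
SAMPLE_CSV = """Invoice,Amount,Note
INV-1001,-250.00,Paid in full
INV-1002,1200.50,"=WMIC|'<constructed placeholder> powershell'!A1"
INV-1003,300,@SUM(A1:A2)
"""


def scan_csv_text(text):
    """Return (row, column, raw_cell, reasons) for every suspicious cell."""
    findings = []
    for row_no, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        for col_no, raw in enumerate(row, start=1):
            cell = raw.lstrip()
            if not cell or NUMBER.fullmatch(cell):
                continue  # empty or a plain number: nothing for Excel to evaluate
            reasons = []
            if cell[0] in FORMULA_TRIGGERS:
                reasons.append("formula-trigger")
            if DDE_PATTERN.search(cell):
                reasons.append("dde-syntax")
            if LOLBIN_TOKENS.search(cell):
                reasons.append("lolbin-token")
            if reasons:
                findings.append((row_no, col_no, raw, reasons))
    return findings


def neutralize_cell(cell):
    """Prefix a single quote so Excel treats a formula-looking cell as text."""
    stripped = cell.lstrip()
    if stripped and stripped[0] in FORMULA_TRIGGERS and not NUMBER.fullmatch(stripped):
        return "'" + cell
    return cell


if __name__ == "__main__":
    for row_no, col_no, raw, reasons in scan_csv_text(SAMPLE_CSV):
        print(f"row {row_no} col {col_no}: {raw!r} -> {', '.join(reasons)}")
```

Run against the sample, the scanner flags the DDE cell on all three counts and the `@SUM` cell as a formula trigger while leaving the negative amount alone; `neutralize_cell` is the matching fix for systems that generate CSV exports.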

As always, vigilance is your best defense against this sort of thing. Remind your employees not to open any emails from unknown or untrusted sources, and not to download or open any attachments from those emails.

Used with permission from Article Aggregator