Researchers have spotted a new phishing campaign you should be aware of
What sets this one apart is that the attackers are using a lowly but specially crafted CSV file to infect machines, and the payload they are installing is the BazarBackdoor malware. If you're not familiar with the term, CSV stands for "Comma Separated Values"; it's a plain-text file format that Excel (and most other spreadsheet and database tools) can open directly.
If you open the file in a text editor, you'll simply see values separated by commas, one record per line, with the first line generally being the column headers for the spreadsheet. Open the same file in Excel and it will split the data into neat rows and columns.
CSV files are popular because they make it relatively easy to export data from one application and import it into another. Since the files are text only, most people consider them harmless and are not all that cautious about opening them. That assumption is exactly what this campaign exploits.
Excel uses DDE to execute commands in CSV files
Microsoft Excel supports a legacy feature called Dynamic Data Exchange (DDE) that lets a cell formula start an external program and pull that program's output into the open spreadsheet. Because Excel evaluates any cell whose text begins with an equals sign as a formula, this works in a CSV file just as it does in a native workbook: a cell such as =cmd|'/c calc'!A0 asks Excel to launch cmd.exe with the quoted arguments. Excel does display warnings before it starts the program, but they are generic enough that many users click straight through them.
Attackers are always on the lookout for new angles to play and have naturally begun to abuse this feature, using it to run commands that download malware onto the devices of unsuspecting victims.
BazarBackdoor is a stealthy malware strain created by the TrickBot group. Its main purpose, as the name suggests, is to provide ongoing remote access to a compromised device, which can then be used as a springboard for lateral movement within the network.
How does the hack work?
The current campaign is centered around emails posing as "Payment Remittance Advice" notices, with links to remote sites that deliver a CSV file with an innocuous name like "document-2196t6.csv."
If you open this file in Notepad or WordPad, at first glance it will appear to be nothing more than a run-of-the-mill CSV file. Unfortunately, embedded in one of the columns of data is a DDE formula that invokes the Windows Management Instrumentation Command-line utility (WMIC), which in turn launches a PowerShell command, and that's enough. Once the victim opens the file in Excel and accepts the prompts, that's all the attackers need to install the malware.
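To make the "innocent-looking text file" point concrete, here is an added example of mine (not code from the original post, and not anything published by the researchers who reported the campaign) that scans a CSV the way a mail gateway or endpoint script might: it flags every cell Excel would evaluate as a formula and, in particular, DDE launches of command interpreters, while leaving ordinary negative numbers alone. The sample CSV embedded in it is constructed for the demonstration with harmless stand-in payloads, and the list of suspicious binaries and the matching patterns are my assumptions rather than indicators from the real campaign.

```python
"""Flag CSV cells that Excel would evaluate as formulas, including DDE launches.

Added example (not from the original post): a scanner that a mail gateway or
endpoint script could run over incoming CSV attachments before a user opens
them in Excel. The sample data at the bottom is constructed for the demo.
"""
from __future__ import annotations

import csv
import io
import re
import sys
from dataclasses import dataclass

# A cell whose text begins with one of these is interpreted by Excel as a
# formula rather than plain text (the classic CSV/formula injection triggers).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# DDE formula shape: =server|'arguments'!item, e.g. =cmd|'/c calc'!A0
DDE_PATTERN = re.compile(r"^[=+\-@]\s*([A-Za-z0-9_.]+)\s*\|")

# Programs an attacker would plausibly name as the DDE server, or inside its
# arguments, to fetch and run a second stage (assumed list; extend as needed).
SUSPICIOUS_BINARIES = (
    "cmd", "wmic", "powershell", "pwsh", "mshta",
    "rundll32", "regsvr32", "certutil", "msiexec",
)

# Plain numbers such as -1250.00 also start with a trigger character but are
# legitimate data; treat them as safe so the scanner does not flag every
# negative amount on an invoice.
NUMBER = re.compile(r"^[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$")


@dataclass
class Finding:
    row: int        # 1-based; the header line is row 1
    col: int        # 1-based
    cell: str
    reasons: list[str]


def inspect_cell(text: str) -> list[str]:
    """Return the reasons a cell is dangerous, or [] if Excel would show it as text."""
    if not text or not text.startswith(FORMULA_TRIGGERS):
        return []
    if NUMBER.match(text.strip()):
        return []
    reasons = [f"starts with formula trigger {text[0]!r}"]
    dde = DDE_PATTERN.match(text)
    if dde:
        reasons.append(f"DDE launch of '{dde.group(1).lower()}'")
    lowered = text.lower()
    launched = sorted(b for b in SUSPICIOUS_BINARIES if re.search(rf"\b{b}\b", lowered))
    if launched:
        reasons.append("references " + ", ".join(launched))
    return reasons


def scan_csv_text(text: str) -> list[Finding]:
    """Scan CSV content and return every cell that should be quarantined."""
    findings: list[Finding] = []
    for row_no, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        for col_no, cell in enumerate(row, start=1):
            reasons = inspect_cell(cell)
            if reasons:
                findings.append(Finding(row_no, col_no, cell, reasons))
    return findings


def scan_csv_file(path: str) -> list[Finding]:
    with open(path, newline="", encoding="utf-8", errors="replace") as fh:
        return scan_csv_text(fh.read())


# Constructed sample: a "remittance" CSV with two DDE cells and one ordinary
# spreadsheet formula. The payloads are harmless stand-ins, not the real
# campaign's command line.
SAMPLE_CSV = (
    "Invoice,Amount,Note\n"
    "2196,-1250.00,Paid\n"
    "2197,300.50,\"=cmd|' /c calc.exe'!A0\"\n"
    "2198,42,\"=WMIC|' process call create \"\"powershell.exe -nop\"\"'!A0\"\n"
    "2199,-15,@SUM(A1:A3)\n"
)


if __name__ == "__main__":
    results = scan_csv_file(sys.argv[1]) if len(sys.argv) > 1 else scan_csv_text(SAMPLE_CSV)
    for f in results:
        print(f"row {f.row} col {f.col}: {f.cell!r} -> {'; '.join(f.reasons)}")
    sys.exit(1 if results else 0)
```

Run it with a path to scan a real attachment, or with no arguments to scan the embedded sample; a non-zero exit code makes it easy to wire into a quarantine step. Note that the scanner only catches cells that start with a trigger character; it is a gateway-side check, not a substitute for turning off DDE server launch in Excel itself.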
My perspective
As always, vigilance is your best defense against this sort of thing. Remind your employees not to open emails from unknown or untrusted sources, not to download or open attachments or linked files from those emails, and never to click "Yes" when Excel asks whether to update links or start an application such as CMD.EXE for a file they were not expecting. On the technical side, DDE launching can be switched off in Excel under File > Options > Trust Center > Trust Center Settings > External Content by clearing "Enable Dynamic Data Exchange Server Launch (not recommended)", and a mail gateway or endpoint script can quarantine CSV attachments that contain cells beginning with a formula character.
As Edward R. Murrow used to say at the end of his radio news broadcasts from London during the bombing raids:
"Good night, and good luck"
By Denis Wilson
Thanks for reading this post. I always keep in mind that your time and attention are precious, and that these posts need to be timely, to the point, and short.
For more tips on thriving with small business technology, check out the other blog posts at DWPIA Blogs. You can also find me on LinkedIn, Facebook, and Twitter.
I am also a published author and speaker on cloud computing, work-at-home, and cybersecurity. I work extensively with business and professional associations to provide free small business technology education programs.
Contact me if you would like me to speak to your association