Phishing Campaign Uses Employment Termination Lure to Deliver Bazar and Buer Malware
A new phishing campaign is being conducted using the TrickBot botnet, which delivers the Bazar backdoor and Buer loader malware. The campaign was detected by researchers at Area 1 Security and has been running since early October.
The Bazar backdoor is used to gain persistent access to victims’ networks, while the Buer loader is used to download additional malicious payloads. Previously, Buer has been used to deliver ransomware payloads such as Ryuk and tools such as Cobalt Strike.
Area 1 Security researchers detected two email lures in this campaign. One is a fake notification about termination of employment and the other is a fake customer complaint. The employment termination email appears to have been sent by an authority figure in the head office of the company being targeted and states that the individual has been terminated. Further information on the termination and payout is provided in a document that appears to be hosted on Google Docs.
If the link is clicked, the user will...