BazarLoader Adds Compromised Installers, ISO to Arrival and Delivery Vectors

We continue monitoring the campaigns using information stealer BazarLoader (detected by Trend Micro as TrojanSpy.Win64.BAZARLOADER, TrojanSpy.Win64.BAZARLOADER, and Backdoor.Win64.BAZARLOADER). While InfoSec forums have noted the spike in detections during the third quarter, we noticed two new arrival mechanisms included in the existing roster of delivery techniques that malicious actors abused for data theft and ransomware.

One of the methods involves the use of compromised software installers as malicious actors bundle BazarLoader with legitimate programs. The second method involves the use of an ISO file with a Windows link (LNK) and dynamic link library (DLL) payload. We observed the Americas as the region with the highest counts of BazarLoader. For more technical analysis and insights into BazarLoader’s infection chains and campaigns, read our technical brief here.

Read more…
Source: Trend Micro