Bazar Valentines

A Baza Valentine’s Day

In 2020, Proofpoint observed an increase in BazaLoader campaign volume, peaking in October. During that time, we observed specific campaigns correlated to public reports of affiliate campaigns delivering BazaLoader and associated with Ryuk ransomware infections. Notably, in January 2021, Proofpoint researchers observed a few BazaLoader campaigns leveraging Valentine's Day themes such as flowers and lingerie. The attack chains required an unusual amount of human interaction before a payload was delivered. While we track a fair amount of BazaLoader delivered by TA800 and TA572, these campaigns are not associated with either TA800 or TA572 and are likely leveraged by other affiliates.

BazaLoader Origin 

BazaLoader is a downloader written in C++ whose primary function is to download and execute additional modules. It was first observed in the wild in April 2020 and has since been steadily adopted by more actors. Proofpoint has observed at least six variants of BazaLoader, signaling active and continued development. One of the earliest BazaLoader variants Proofpoint researchers identified used ".bazar" top-level domains for command-and-control communication. The ".bazar" TLDs are associated with Emercoin, a cryptocurrency-based DNS that uses blockchain services, as reported in early April 2020. Today, we do not see the same association to cryptocurrency infrastructure, but it is relevant to its provenance.
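As an added example (not Proofpoint's code), one way a defender could hunt resolver logs retrospectively for the ".bazar" lookups that the early variant described above used for command and control. The log layout, client addresses and hostnames are constructed for illustration, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Assumption: only the TLD named on the page; extend the tuple for other suffixes you hunt.
WATCHED_TLDS = ("bazar",)

# Assumed log layout (constructed): "<ISO timestamp> <client IP> query[<type>] <name>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+query\[(\w+)\]\s+(\S+)\s*$")

# Constructed sample resolver log, not real telemetry.
SAMPLE_LOG = """\
2021-02-01T09:14:02Z 10.0.4.17 query[A] www.example.com
2021-02-01T09:14:05Z 10.0.4.17 query[A] c2-placeholder.bazar
2021-02-01T09:14:09Z 10.0.4.17 query[A] C2-Placeholder.BAZAR.
2021-02-01T09:15:40Z 10.0.7.23 query[A] bazar.example.org
2021-02-01T09:16:11Z 10.0.7.23 query[AAAA] shop-bazar.example.net
2021-02-01T09:17:30Z 10.0.9.5 query[A] other-placeholder.bazar
malformed line without the expected fields
"""

def tld_of(name):
    """Return the lower-cased last label, ignoring the root dot of an FQDN."""
    labels = name.rstrip(".").lower().split(".")
    return labels[-1] if len(labels) > 1 else ""

def hunt(log_text, tlds=WATCHED_TLDS):
    """Map client IP -> {count, first, last, names} for queries under watched TLDs."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None, "names": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not parse instead of failing the hunt
        ts, client, _qtype, name = m.groups()
        if tld_of(name) not in tlds:
            continue  # "bazar.example.org" has TLD "org" and is not a hit
        rec = hits[client]
        rec["count"] += 1
        rec["first"] = rec["first"] or ts
        rec["last"] = ts
        rec["names"].add(name.rstrip(".").lower())
    return dict(hits)

if __name__ == "__main__":
    for client, rec in sorted(hunt(SAMPLE_LOG).items()):
        print(client, rec["count"], rec["first"], rec["last"], sorted(rec["names"]))
```

Matching on the last DNS label rather than a substring keeps names such as "bazar.example.org" or "shop-bazar.example.net" out of the results.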

Valentine’s Day  

Proofpoint researchers spotted multiple BazaLoader campaigns in January and February 2021 that relied heavily on human interaction with different sites, PDF attachments, and email lures. There was a range of lure and subject topics, including compact storage devices, office supplies, pharmaceutical supplies, and sports nutrition, but what stood out were campaigns that were timely and relevant to the upcoming Valentine’s Day holiday. The campaigns were spread across a diverse set of companies and sectors.

Valentine’s Day, while not abused to the level of other holidays, presents an opportunity for a variety of actors. The FBI Boston field office has posted public warnings of romance scams. While this is not a romance scam, it is an example of social engineering well-timed with the Valentine’s Day holiday.

Infection Chain 

 Figure 1: Infection Chain 

The infection chain is consistent in the latest campaigns. The websites the user would browse to are fake, but the actors took care to have the physical addresses in the images below match a near-legitimate location. For example, Ajour Lingerie is not located at 1133 50th St, Brooklyn, NY 11219, but this address is physically close to a legitimate business, with its own website, called the Lingerie Shop.

 

Figure 2: physical address to digital website 

Lingerie at Ajour 

This campaign delivered PDF attachments that reference a specific customer order number and the associated purchased items, which entices the recipient to go to the Ajour Lingerie website. If the user visits the website and navigates to the "Contact Us" page, they are given the option to enter the order number in the order ID field. If it is entered, the contact page redirects the user to a landing page that links to an Excel sheet and explains how to open it. The Excel sheet contains macros that, if enabled by the user, will download BazaLoader.

Figure 3: Email Lure

 

Figure 4: Ajour Lingerie 

Figure 5: Landing Page