[German]Cyber criminals have found a way to abuse text-based CSV files in order to install BazarBackdoor malware on victims' systems. Security researchers probably came across this fact while monitoring a phishing campaign. The culprit is the ability to access the Dynamic Data Exchange (DDE) function from within Microsoft Excel from CSV files. I'm including the case here in the blog so that administrators in corporate environments can react to it if necessary.
Advertising
CSV files are just text …
The abbreviation CSV stands for Comma Separated Values, and it is a text format for storing or exchanging values. Below is one such example of the contents of a CSV file.
Stunde,Montag,Dienstag,Mittwoch,Donnerstag,Freitag 1,Mathematik,Deutsch,Englisch,Erdkunde,Politik 2,Sport,Deutsch,Englisch,Sport,Geschichte 3,Sport,"Religion (ev., kath.)",Kunst,,Kunst
Excel can export data from a table into to CSV files and also imported again. The above data record from a CSV file is displayed as follows after import into Microsoft Excel.
Since CSV files are purely text-based, the danger of misuse by exporting and importing (at least by me) was considered quite low. But I had made the calculation without Microsoft Excel.
Excel and DDE is causing CDV danger
Unfortunately, it is possible to access the Dynamic Data Exchange (DDE) function from within Microsoft Excel when importing a CSV file. And that opens up a Pandora's box. Chris Campbell, a security researcher from New Zealand has become aware of a new phishing campaign by cyber criminals who install the Bazar loader backdoor onto victim systems.
Advertising
Above tweet shows such a phishing email and indicates that a malicious URL there initiates the BazarBackdoor loader.
More details
The colleagues from Bleeping Computer picked it up in the following tweet and explained it in more detail here.
The file document-21966.csv attached to a phishing email contains a WmiC DDE call that is executed when the CSV file is exported to Excel. This DDE call activates PowerShell, which could then import data into the workbook. In the specific case, an external URL is opened, which then uses another PowerShell command to download a picture.jpg file and save it as:
C:\Users\Public\87764675478.dll
Until the file is downloaded, everything still looks quite harmless – and a normal user will not notice anything. Then, in a further step, the downloaded file 87764675478.dll is executed via rundll32.exe command. This step then downloads BazaarLoader, which then installs BazaarBackdoor and other malicious functions on the victim's system.
The BazarBackdoor is a backdoor that is set up by a malware family to access infected systems. According to this Fraunhofer website, the backdoor is attributed to TrickBot spin-off Anchor. Trend Micro pointed out back in April 2020 that the TrickBot group was using the BazarBackdoor.
The approach outlined above shows a new way to disguise infection routes. More details can be read at Bleeping Computer in this article. The colleagues also write that Microsoft Excel warns the user about the found vulnerabilities when importing the CSV file and again before calling the WmiC function. But there are people who confirm and allow all this. Once the backdoor is installed, the cyber criminals gain access to the system and to the corporate network. There, they can siphon off data via further malware or cause further damage (also via ransomware infection).
