E-mails pretending to confirm large orders from US lingerie shop Ajour Lingerie and US flower store Rose World are actually spreading the BazaLoader malware.
With Valentine's Day approaching this weekend, several people have received "recent order" e-mail confirmations for flowers or lingerie.
These e-mails are part of a phishing attack that ultimately leads recipients to a macro-enabled Excel document which, if the macros are enabled, downloads and executes the BazaLoader malware.
The BazaLoader downloader, written in C++, exists mainly to download and execute additional modules. BazaLoader was first observed in the wild in April, and since then researchers have observed at least six variants, "signalling active and continued development."
Recently, researchers found multiple BazaLoader campaigns in January and February, which have relied heavily on human interaction: the victim must visit a site, open a PDF attachment and follow an e-mail lure before any malicious code runs.
"There were a range of lure and subject topics, including compact storage devices, office supplies, pharmaceutical supplies and sports nutrition, but what stuck out were campaigns that were timely and relevant to the upcoming Valentine's Day holiday," said researchers with Proofpoint on Thursday.
"The campaigns were spread across a diverse set of companies and sectors."
‘Ajour Lingerie’ Phishing Lure
A recent e-mail purported to be from Ajour Lingerie, a "high-quality online lingerie shop" based in New York. The e-mail told recipients that their order had been completed and asked them to check the attached invoice to confirm the price of their purchase.
The attached PDF, named invoice_NI52224162K.pdf, is notably not malicious in itself: it contains no exploit or macro. Instead it references a specific customer-order number and associated purchase items. In one example, the "order" totals $410.03, an amount chosen to push recipients into acting in a panic.
The invoice also contains a website link pretending to be that of Ajour Lingerie. However, the linked domain (ajourlingerie[.]net) differs from the real Ajour Lingerie website (ajour.com); the lookalike domain carries the brand name so that a quick glance does not reveal the difference.
Attackers went into extreme detail to make the fake Ajour Lingerie website look real, from the logo down to the address.
"The websites the user would browse to are fake, but the actors took care to have the physical addresses…match a near-legitimate location," observed researchers.
"For example, Ajour Lingerie is not located at 1133 50th St, Brooklyn, NY 11219, but this address is in physical proximity to a legitimate website and physical business called the Lingerie Shop."
The website also had a "contact" page. Visitors to this page were offered a field in which to enter their order number as an order ID. Submitting it redirected them to a landing page that linked to an Excel sheet. That Excel sheet contained macros that, if enabled by the user, would download BazaLoader. Each of these steps requires a deliberate action by the victim, which is why researchers describe the chain as heavily reliant on human interaction.
Flowers From ‘Rose World’
A second e-mail used an almost identical lure, this time claiming to come from Rose World. This e-mail also references an order from Rose World's online store and includes a PDF attachment outlining the order (in one case totalling $104.58), with references to purchases at a fake Rose World website (roseworld[.]shop).
"If the user visits the website, navigates to 'Contact Us', and enters the order number in the order ID, the site will redirect the user to a landing page," stated researchers. "This landing page links to and explains how to open the Excel sheet. The Excel sheet contains macros that, if enabled, will download Baza Loader."
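Both lures hinge on a link whose domain carries the brand name but is not the brand's real domain (ajourlingerie[.]net against ajour.com; roseworld[.]shop). The Python script below is an added example, not part of Proofpoint's research or of the article, showing the kind of lookalike-brand check a mail gateway or analyst script could run over text extracted from an attachment. The sample lure text is constructed for the example; the brand table assumes only ajour.com as Ajour Lingerie's real domain (as stated above) and records nothing for Rose World, whose real domain the article does not give; the eTLD+1 logic is a deliberately naive last-two-labels approximation rather than a Public Suffix List lookup.

```python
"""Flag links whose domain imitates a known brand but is not that brand's
real domain. Added example; not code from the article or from Proofpoint."""
import re
from urllib.parse import urlparse

# Brand keyword -> the brand's real registrable domain(s).
# ajour.com is taken from the article; Rose World's real domain is not
# given there, so (assumption) nothing is recorded for it.
BRAND_DOMAINS = {
    "ajour": {"ajour.com"},
    "roseworld": set(),
}

# Matches http(s) URLs and bare hostnames; defanged forms are refanged first.
URL_RE = re.compile(
    r'\bhttps?://[^\s<>"\')\]]+|\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b', re.I
)


def refang(text: str) -> str:
    """Undo common defanging (hxxp, [.]) so URLs parse normally."""
    return re.sub(r"\[\.\]", ".", text).replace("hxxp", "http")


def hostname_of(token: str) -> str:
    """Return the lowercase host part of a URL or bare hostname token."""
    if "://" not in token:
        token = "http://" + token
    return (urlparse(token).hostname or "").lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). Fine for .com/.net/.shop; a real
    gateway would use the Public Suffix List instead (assumption noted)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def find_lookalikes(text: str, brands=BRAND_DOMAINS):
    """Return sorted (domain, brand) pairs for every domain in `text` whose
    second-level label embeds a brand keyword but which is not one of the
    brand's own registrable domains."""
    hits = set()
    for token in URL_RE.findall(refang(text)):
        host = hostname_of(token)
        if not host:
            continue
        reg = registrable_domain(host)
        # Compare on letters/digits only so "ajour-lingerie" and
        # "ajourlingerie" are treated alike.
        sld = re.sub(r"[^a-z0-9]", "", reg.rsplit(".", 1)[0])
        for brand, legit in brands.items():
            if brand in sld and reg not in legit:
                hits.add((reg, brand))
    return sorted(hits)


# Constructed sample of the kind of lure text described in the article
# (not a real captured e-mail).
SAMPLE_LURE = """
Thank you for your order with Ajour Lingerie!
Order NI52224162K  Total: $410.03
View your invoice: https://ajourlingerie[.]net/order/NI52224162K
Our store: https://www.ajour.com/

Rose World order confirmation
Order status: hxxps://roseworld[.]shop/contact
"""

if __name__ == "__main__":
    for domain, brand in find_lookalikes(SAMPLE_LURE):
        print(f"suspicious: {domain} imitates brand '{brand}'")
```

On the constructed sample the script flags ajourlingerie.net and roseworld.shop and leaves www.ajour.com alone. The check is a heuristic: a brand keyword that is also an ordinary word will produce false positives, and attackers can drop the brand name from the domain entirely, so it belongs alongside, not instead of, attachment sandboxing and macro blocking.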
While researchers did not specify what malware gets loaded after this first-stage infection, BazaLoader has been noted for its code similarity to TrickBot and has been associated with Ryuk ransomware infections.
Evolving Malware Loader
Researchers warned that they have observed "a steady growth" in actors using BazaLoader as a first-stage downloader. This increase in BazaLoader distribution has run parallel to active development of the loader, particularly during October 2020. The recent Valentine's Day campaign notably reflects an attack chain that depends more heavily on human interaction at each step.
"These recent Baza Loader campaigns exemplify affiliate actors leveraging a loader that is increasingly popular and more reliant on human interaction," they observed. "Further, the social engineering features rely on the timeliness of the Valentine's Day holiday and the intrinsic user curiosity to see what they may have ordered."
Happy Valentine’s Day
Both lures reflect cyber-criminals capitalizing on Valentine's Day, which has been a popular phishing theme in past years. Last February, a malicious e-mail campaign aimed at iPhone owners tried to convince them to download a fake dating app.
In 2018, researchers warned that Necurs botnet activity was spiking as scammers used the network to flood inboxes with promises of companionship, as part of a seasonal wave of Valentine's Day-themed spam.
“Valentine’s Day, while not abused to the level of other holidays, presents an opportunity for a variety of actors,” warned researchers with Proofpoint. “The FBI Boston field office has posted public warnings of romance scams. While this is not a romance scam, it is an example of social engineering, well-timed with the Valentine’s Day holiday.”