Valentine's Day is coming and with it a new attack by the name of BazaLoader, a malware able to download additional modules once it reaches the target device, delivered thanks to an order confirmation from a florist: a perfect gift!
We have already discussed social engineering in another article and how insidious it is, precisely because it studies the weaknesses of users to set the best traps, the ones that cannot be escaped. Valentine's Day is the feast of lovers, and a surprise is the most welcome thing to receive from your partner: maybe a bouquet of flowers delivered straight to your home!
Holidays: bad teachers
Unfortunately, holiday periods throughout the year are seen as particularly favorable by attackers. Probably the extra free time, and perhaps the tiredness accumulated over many days of work, make us take these days more lightly, for example by reading the e-mails we receive less carefully or paying less attention to their contents. As usual, however, most social engineering attacks hide behind the most trivial carelessness, which lets malicious software get the better of our systems.
In its analysis, Positive Technologies highlights a marked increase in the number of attacks close to holidays. In particular, the highest peaks are recorded in the third week of October, close to Halloween, and between the second and third week of December, in the run-up to Christmas.
Valentine's Day is not spared! Although far less hyped than the classic calendar holidays, it is still a good opportunity to inadvertently hit millions of couples in love. The pretexts, as we can well imagine, are many, and a gift is always welcome. With this in mind, attackers can craft ad-hoc emails to be sent before February 14th arrives.
But phishing isn't the only thing that reigns supreme. Unfortunately, the FBI increasingly warns against scammers looking for a love story on the web: under a veil of romance they try to catch young prey for financial gain. Valentine's Day is a great opportunity to find a soul mate, and the isolation caused by the Covid-19 pandemic has only increased its power.
BazaLoader and Valentine's Day
Let's go back to our love malware and try to understand how it deceives us. The attack chain starts with an email from a flower or lingerie shop describing an order placed on our behalf. The email contains a PDF file with an order number and all the details of a supposed shipment in the following days. The supplier's site also offers the possibility of tracking the status of the order. However, when you reach the tracking page, a download starts, and in the meantime we are presented with a guide on how to open the file correctly.
The downloaded Excel file actually contains a very dangerous macro. A macro is an action or set of actions that can be executed any number of times. Macros are disabled by default in Office, precisely because of their unpredictability, especially when we cannot verify the author of the document. Instead, the attackers' guide tells us exactly how to enable the macros in the Excel spreadsheet, so that the actual Trojan, BazaLoader, can be downloaded unhindered.
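To catch a macro-enabled workbook like the one in this lure before a user is ever asked to "enable content", here is an added Python example (not code from the article or from Proofpoint) that inspects an OOXML workbook for an embedded VBA project and macro-enabled content types. The sample workbooks it builds are constructed in-memory placeholders, not real Office or malicious files, and a file that is not a zip (legacy .xls) is simply routed for deeper analysis.

```python
import io
import zipfile

# Content types Office assigns to macro-enabled workbooks and VBA projects.
MACRO_CONTENT_TYPES = (
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-office.vbaProject",
)
# Package part that holds the compiled VBA project in an .xlsm file.
VBA_PART = "xl/vbaProject.bin"


def inspect_ooxml(data: bytes) -> dict:
    """Return macro indicators for an OOXML (xlsx/xlsm) blob.

    A non-zip blob is reported with is_zip=False so the caller can send it
    to a legacy-format (OLE2) scanner instead of treating it as clean.
    """
    result = {"is_zip": False, "has_vba_part": False,
              "macro_content_type": False, "suspicious": False}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result
    result["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        result["has_vba_part"] = VBA_PART in names
        try:
            ct = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        except KeyError:
            ct = ""  # malformed package: still flag on the VBA part alone
        result["macro_content_type"] = any(t in ct for t in MACRO_CONTENT_TYPES)
    result["suspicious"] = result["has_vba_part"] or result["macro_content_type"]
    return result


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal workbook package for testing (not a real Office file)."""
    main_ct = ("application/vnd.ms-excel.sheet.macroEnabled.main+xml" if with_macro
               else "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml")
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/xl/workbook.xml" ContentType="{main_ct}"/></Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr(VBA_PART, b"\x00constructed-placeholder-vba\x00")
    return buf.getvalue()
```

Run it over mail attachments or download-folder contents and quarantine anything with `suspicious` set; a renamed extension does not help the attacker, because the check looks at the package contents rather than the file name.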
Similar malware around the net
BazaLoader is written in C++, but the Proofpoint researchers do not reveal what is downloaded after this first stage of infection. In fact, this malware is just the tip of the iceberg of a potentially much larger attack. We still know little of what lies beneath, also because it has only been seen in the wild in a campaign around October and now ahead of the feast of lovers. However, the experts noticed a similarity in the code to another Trojan that mainly delivered ransomware: TrickBot.
We will continue to monitor the evolution of this downloader which, indeed, relies heavily on user interaction to be effective. What is certain is that holidays help attackers who exploit our desires and our curiosity about the potential gifts of our suitors.
In conclusion, let us always remain vigilant when opening emails or documents we are not sure about, and if in doubt call the sender (real or alleged): it could save us from more serious trouble!