Phishing campaigns are increasing rapidly, and some are now abusing Basecamp cloud hosting to harvest Office 365 credentials. According to the reports, threat actors are actively harvesting Office 365 credentials by leveraging Basecamp's hosting.
Basecamp is a web-based project management solution that lets teams collaborate, chat with each other, organize documents, and share files.
Cybersecurity researchers confirmed that threat actors are using Basecamp in several ways: it is being used to distribute the BazarLoader malware, and it is also being operated as part of several phishing campaigns.
Basecamp Abused in Phishing Campaigns
Security researcher Will Thomas observed that threat actors are also abusing Basecamp as part of phishing campaigns. A separate report by the cybersecurity firm Cyjax shows that phishing campaigns are now abusing Basecamp to host intermediary pages that redirect users to phishing landing pages.
This technique is useful for threat actors because Basecamp and Google Cloud hosting are commonly used for legitimate business services, so most security systems treat them as safe by default.
These cloud platforms also protect their users' anonymity and can be set up in no time. Because the traffic coming from these services looks legitimate, it is hard for human SOC analysts to flag it as suspicious.
Referenced Organizations
After investigating the campaign, the experts identified the organizations referenced in it, listed below:
- Vertex Interventional Physicians
- Neta Scientific Inc
- Ateeca Inc
- Brunkenhoefer Law Firm
- InGenesis, Inc
- XTREME Production Resources
- PR Industrial
- Momentum Spine & Joint
- Direct Ortho Care
- Quest Records
BazarBackdoor connection
Experts have also observed BazarBackdoor leveraging Basecamp in its infection chains. BazarBackdoor is operated by the WizardSpider group, which is also behind both Trickbot and the Ryuk ransomware.
Trickbot is one of the most notorious banking Trojans and is now used as a distribution network for other malware. Ryuk ransomware, for its part, is a dangerous threat to companies worldwide and has earned its operators millions in ransom payments.
In this attack, the user obtains BazarLoader, which ultimately injects BazarBackdoor into a running process. The samples distributed through Basecamp are signed with SSL certificates to pass as legitimate software.
This software is designed to evade detection systems, which is why many Bazar samples are fully undetected (FUD), with 0/70 hits on VirusTotal when they are first submitted.
This is why phishing is the easiest route for threat actors to attack victims, and using Basecamp is one of the most profitable methods for them. Because Basecamp pages can be edited easily, attackers can shift their tactics when security solutions eventually catch up with them.
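The two behaviours described above (a public Basecamp page acting as a redirector to a landing page elsewhere, and an executable served from a public Basecamp share) are easy to miss when cloud traffic is trusted by default. The following triage script is an added illustration, not code from the article or from any of the firms it cites; the log format, hostnames, bucket name and file names are constructed sample data.

```python
"""Triage of proxy logs for Basecamp-hosted redirectors and executable drops.

Added illustration (not from the original article). It flags two patterns the
article describes: an executable fetched from a public Basecamp share, and a
hit on a non-Basecamp page whose referrer is a public Basecamp page.
All log lines, hosts and paths below are constructed sample data.
"""
import re
from urllib.parse import urlparse

# Constructed proxy log lines: timestamp, client IP, referrer ("-" if none), URL.
SAMPLE_LOG = """\
2020-10-16T09:01:02Z 10.0.0.5 - https://public.3.basecamp.com/p/EXAMPLE1/upload/download/Review_Report.exe
2020-10-16T09:03:10Z 10.0.0.7 https://mail.example.test/ https://public.3.basecamp.com/p/EXAMPLE2
2020-10-16T09:03:11Z 10.0.0.7 https://public.3.basecamp.com/p/EXAMPLE2 https://storage.googleapis.com/constructed-bucket/index.html
2020-10-16T09:05:00Z 10.0.0.9 - https://3.basecamp.com/1234567/projects
"""

# Public (unauthenticated) Basecamp share hosts look like public.<n>.basecamp.com.
BASECAMP_PUBLIC = re.compile(r"^public\.\d+\.basecamp\.com$")
EXEC_EXT = (".exe", ".dll", ".js", ".vbs", ".msi", ".scr")

def parse_line(line):
    ts, client, referrer, url = line.split(" ", 3)
    return {"ts": ts, "client": client, "referrer": referrer, "url": url}

def is_public_basecamp(url):
    return bool(BASECAMP_PUBLIC.match(urlparse(url).hostname or ""))

def triage(log_text):
    """Return a list of (client, reason, url) findings."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        path = urlparse(rec["url"]).path.lower()
        # Pattern 1: executable served from a public Basecamp share.
        if is_public_basecamp(rec["url"]) and path.endswith(EXEC_EXT):
            findings.append((rec["client"], "exe-from-public-basecamp", rec["url"]))
        # Pattern 2: public Basecamp page used as a redirector to another host.
        if (rec["referrer"] != "-" and is_public_basecamp(rec["referrer"])
                and not is_public_basecamp(rec["url"])):
            findings.append((rec["client"], "basecamp-redirector", rec["url"]))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding)
```

Ordinary authenticated Basecamp use (the last sample line) is not flagged, so the rule stays quiet on normal business traffic.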
Indicators of Compromise