BazarBackdoor malware infection using CSV text files – How to prevent it

In February 2022, malware researcher Chris Campbell identified a new phishing campaign that used specially crafted CSV (comma-separated values) text files to infect users' devices with the BazarBackdoor trojan. In this blog post, we analyze the attack scenario and show how to prevent it with OPSWAT Deep CDR (Content Disarm and Reconstruction).

The attack tactic

In this phishing campaign, the cybercriminals used a CSV file: a delimited text file that stores data in a tabular format, with a comma separating the values. CSV is a popular way to exchange simple data between databases and applications. Because a CSV file contains only text and no executable code, many users consider it harmless and open it without caution. What they do not suspect is that a CSV cell can carry a formula. When the file is opened in an application that supports Dynamic Data Exchange (DDE), such as Microsoft Excel or OpenOffice Calc, any cell that begins with a formula character (normally "=") is evaluated, and a DDE formula can instruct the spreadsheet to launch an external program with attacker-supplied arguments. Excel displays a warning before it starts the other application, but the attack relies on the victim clicking through that prompt. Threat actors abuse this to run arbitrary commands that download and install the BazarBackdoor trojan, giving them a foothold on the corporate network from the unwary victim's device. Compared with the more common approach of a malicious macro or VBA code hidden in an MS Office file, a DDE payload in a CSV is harder to detect: the file has no macro container for a scanner to inspect, just a line of text that only becomes dangerous when the spreadsheet interprets it.

Carefully examining the file, we can see a =WmiC| DDE call (WMIC is the Windows Management Instrumentation command-line utility) in one of the data columns. If the victim allows the DDE function to run, Excel starts WMIC, which in turn spawns a PowerShell command. That command fetches BazarLoader from a remote URL, and BazarLoader then installs BazarBackdoor on the victim's machine.

How OPSWAT Deep CDR helps you defend against DDE attacks

You can protect your network against these phishing campaigns by sanitizing email attachments before they reach your users. Working on the assumption that every file is a potential threat, and focusing on prevention rather than detection alone, Deep CDR strips all active content from a file while preserving its usability and functionality. Deep CDR is one of the six key technologies in MetaDefender, OPSWAT's advanced threat prevention platform built around the Zero Trust philosophy.

Below are the sanitization details after we processed the malicious CSV file with MetaDefender Core (you can also refer to the scan result on MetaDefender Cloud). Deep CDR neutralized the formula in the file, so no DDE call was made, no PowerShell command was created, and the malware could not be downloaded.

In similar attacks, threat actors use less obvious formula prefixes to evade detection. Normally a formula in MS Excel starts with an equal sign (=). However, Excel also evaluates a cell that starts with "+", "-" or "@", and it tolerates a second sign before the function name, so the malicious formula in a CSV file can be written as:

=+HYPERLINK("<malware URL>")
=-HYPERLINK("<malware URL>")
=@HYPERLINK("<malware URL>")
+@HYPERLINK("<malware URL>")
-@HYPERLINK("<malware URL>")

Text in a CSV cell becomes a clickable link in Excel

These variants, along with fields that hide the sign behind a leading tab or carriage-return character, can elude a CDR or mail filter that only looks for a leading "=". OPSWAT Deep CDR handles this tactic and outputs clean, safe-to-consume files, neutralizing the threat.
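As an added example (this is not OPSWAT code and does not describe how Deep CDR works internally), the following Python sanitizer applies the rule a spreadsheet uses when it opens a CSV: a field that begins with "=", "+", "-" or "@", optionally after a tab or carriage return and optionally with a second sign, is a formula. It flags the =WmiC| DDE pattern from the campaign described above as well as the =+/=-/=@/+@/-@ HYPERLINK variants listed here, leaves legitimate negative numbers and lone "-" placeholders alone, and rewrites the hostile fields so Excel reads them as text. The sample CSV, its payloads and the malware.example URL are constructed and inert.

```python
"""Detect and defuse formula and DDE injection in CSV text.

Added example for this post (not OPSWAT or Deep CDR code): a small
sanitizer that applies the rule Excel uses when it opens a CSV, i.e. a
field beginning with "=", "+", "-" or "@" (optionally after a tab or
carriage return, and optionally with a second sign) is a formula.
SAMPLE_CSV and its payloads are constructed and inert.
"""
import csv
import io
import re

# Field prefixes that make Excel evaluate the field as a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@")
# Whitespace Excel skips before the trigger character.
LEADING_JUNK = " \t\r\n"

# DDE syntax is <application>|<topic>!<item>; the pipe right after the
# application name (cmd, WmiC, msexcel, ...) is the tell-tale.
DDE_RE = re.compile(r"^[=+\-@\s]+[A-Za-z][\w.]*\s*\|")


def _looks_numeric(text: str) -> bool:
    """'-250.00' or '+1800' are numbers, not formulas; leave them alone."""
    try:
        float(text.replace(",", ""))
    except ValueError:
        return False
    return True


def classify(cell: str) -> str:
    """Return 'text', 'number', 'formula' or 'dde' for one CSV field."""
    body = cell.lstrip(LEADING_JUNK)
    if not body.startswith(FORMULA_TRIGGERS):
        return "text"                      # an '=' later in the cell is harmless
    if not body.lstrip("".join(FORMULA_TRIGGERS)):
        return "text"                      # a lone '-' placeholder
    if _looks_numeric(body):
        return "number"
    if DDE_RE.match(body):
        return "dde"
    return "formula"                       # e.g. =+HYPERLINK("..."), -@HYPERLINK("...")


def neutralize(cell: str) -> str:
    """Defuse a formula field so Excel reads it as literal text.

    Policy used in this example (Deep CDR's own transformation is not
    described in the post): drop the whitespace and sign characters that
    trigger evaluation and prefix the rest with an apostrophe, which Excel
    treats as text. The content stays visible for analysts.
    """
    if classify(cell) in ("text", "number"):
        return cell
    body = cell.lstrip(LEADING_JUNK).lstrip("".join(FORMULA_TRIGGERS))
    return "'" + body


def sanitize_csv(text: str):
    """Sanitize every field; return (clean_csv_text, findings).

    findings is a list of (row, column, kind, original_field), 1-based.
    """
    findings = []
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for row_no, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        clean_row = []
        for col_no, field in enumerate(row, start=1):
            kind = classify(field)
            if kind in ("formula", "dde"):
                findings.append((row_no, col_no, kind, field))
                field = neutralize(field)
            clean_row.append(field)
        writer.writerow(clean_row)
    return out.getvalue(), findings


# Constructed sample: an invoice export with four hostile "Note" fields.
SAMPLE_CSV = "\n".join([
    "Invoice,Customer,Amount,Note",
    "1001,Acme Ltd,-250.00,paid",
    "1002,Globex,+1800,-",
    # DDE call shaped like the campaign's =WmiC| cell; the command is inert.
    "1003,Initech,42,\"=WmiC|'process call create \"\"cmd /c echo inert\"\"'!A0\"",
    # Prefix variants from the post; the URL is a placeholder.
    "1004,Umbrella,7,\"=+HYPERLINK(\"\"http://malware.example/\"\")\"",
    "1005,Hooli,7,\"+@HYPERLINK(\"\"http://malware.example/\"\")\"",
    # Leading tab before the sign, a common filter bypass.
    "1006,Vandelay,7,\"\t-@HYPERLINK(\"\"http://malware.example/\"\")\"",
    "1007,Wonka,7,rate = 7% applied",
]) + "\n"


if __name__ == "__main__":
    clean, findings = sanitize_csv(SAMPLE_CSV)
    for row, col, kind, field in findings:
        print(f"row {row} col {col}: {kind:7} {field!r}")
    print(clean)
```

Running the script reports the four hostile fields (rows 4 to 7 of the sample, one flagged as dde and three as formula) and prints the sanitized CSV, in which those fields now start with an apostrophe and the "-250.00" and "+1800" amounts are untouched. The numeric exemption is the part worth keeping in any real filter: a rule that simply blocks every field starting with "-" or "+" would break ordinary financial exports.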

Learn more about OPSWAT Deep CDR or talk to an OPSWAT technical expert to discover the best security solutions to protect your corporate network and users from zero-day attacks and advanced evasive malware.
