BazarLoaderBazarLoader is an enterprise-targeting malware developed by the same group behind the TrickBot trojan. When installed, threat actors use BazarLoader/BazarBackdoor to remotely access your computer, which is then used to compromise the rest of your network.When a network has been infected with BazarLoader, it is common for the threat actors to ultimately deploy the Ryuk ransomware to encrypt all the devices on a network.Phishing emails that distribute BazarBackdoor via phishing emails usually contain links to alleged Word or Excel documents hosted on Google Docs and Google Sheets.These Google Docs documents, though, pretend to have a problem and prompt you to download the document. This download is actually an executable that installs BazarLoader, as shown below.
Dridex is an advanced and modular banking Trojan first spotted in 2014 and is continuously updated.When infected, Dridex will download different modules that can be used to steal passwords, provide remote access to a computer, or perform other malicious activities.When Dridex compromises networks, it commonly leads to the deployment of BitPaymer or Dridex ransomware attacks.Another ransomware known as WastedLocker is also believed to be tied to Dridex, but one cybersecurity firm does not agree with these assessments.Unlike other malware distribution campaigns, the Dridex gang tends to use more stylized document templates that show small or obfuscated content and prompt you to click Enable Content to see it better.For example, the template below states that the document was created in an earlier version of Microsoft Office Word, and displays a hard-to-read document below it. Dridex also uses more stylized document templates pretending to be shipping information for DHL and UPS. Finally, Dridex will show small hard-to-read payment invoices that prompt you to click ‘Enable Editing’ to view it correctly. As you can see from the examples above, Dridex likes to use images of embedded documents with company logos and letterhead to trick users into enabling macros.
EmotetEmotet is the most widely distributed malware through spam emails containing malicious Word or Excel documents. Once infected, Emotet will steal a victim’s email and use the infected PC to spew out further spam to recipients worldwide.Users infected with Emotet will eventually be further infected with trojans such as TrickBot and QakBot. Both of these Trojans are used to steal passwords, cookies, files, and lead to an organization’s network-wide compromise.Ultimately, if infected with TrickBot, a network will likely become affected by a Ryuk or Conti ransomware attack. For those affected by QakBot, they may be hit by the ProLock ransomware.
Unlike Dridex, Emotet does not use images of actual documents in their document templates. Instead, they utilize a wide range of templates that show a warning box that the document can’t be viewed correctly and that users need to click on ‘Enable Content’ to read it.For example, the ‘Red Dawn’ template shown below states that “This document is protected,” and then prompt you to Enable Content to read it. This next template pretends that it could not be opened correctly as it was created on an ‘iOS device.’ Another states that the document was created on ‘Windows 10 Mobile,” which is a strange message as Windows 10 Mobile has been discontinued for some time. The next template pretends that the document is in ‘Protected View,’ and a user needs to click ‘Enable Editing’ to see it properly. The next template is a bit more interesting as it tells users to accept Microsoft’s license agreement before they can view the document. Another interesting template pretends to be a Microsoft Office Activation Wizard, which prompts users to ‘Enable Editing’ to finish activating Office. Finally, Emotet is known to use a document template that pretends to be a Microsoft Office Transformation Wizard. As you can see, instead of stylized document templates, Emotet uses general warnings to try and convince users to enable macros in an attachment.
QakBotQakBot, or QBot, is a banking trojan that spreads via phishing campaigns that deliver malicious Microsoft Word documents, usually to businesses.QakBot is a modular Trojan that includes the ability to steal banking information, install other malware, or provide remote access to an infected machine.Like other trojans in this article, QakBot has also partnered with a ransomware infection called ProLock that is usually the final payload of an attack.
Compared to Emotet, QakBot campaigns tend to utilize more stylized document templates. The most common template used by QakBot spam campaigns pretends to be from DocuSign, as shown below.Other templates include ones pretending to be from Microsoft Defender or a Word update and activation screen, like the one below.