New Malware Is Using CSV Files To Infect Users

Written by Securafy Team | Feb 21, 2022 4:00:00 PM

Researchers have spotted a new phishing campaign you should be aware of.

What sets this one apart is that the hackers are using a lowly but specially crafted CSV file to infect machines. They are installing the BazarBackdoor malware. If you're not familiar with the term, CSV stands for "Comma Separated Values," and it's a text file format that can be loaded into Excel.

If you open the file in a text editor, you'll simply see alphanumeric values separated by commas with the first line generally being the headers for the spreadsheet. Open the same file in Excel and it will separate the data into neat rows and columns.

CSV files are popular because they make it relatively easy to export data from one application and import it into another. Since the files are text only, most people consider them to be relatively harmless and are generally not all that cautious when opening them.

Microsoft Excel supports a feature called Dynamic Data Exchange (DDE), which can be used to execute commands whose output is fed into the open spreadsheet. This works even when the open file is a CSV.

Hackers are always on the lookout for new angles to play and have naturally begun to abuse this feature. They execute commands that download malware on the devices of unsuspecting victims.

BazarBackdoor is a stealthy malware strain created by the TrickBot group. Its main purpose, as the name suggests, is to provide ongoing remote access to an internal device that can be used as a springboard for further lateral movement within a network.

The current campaign is centered around emails that pretend to be "Payment Remittance Advice" emails, with links to remote sites that download a CSV file with an innocuous name like "document-2196t6.csv."

If this file is opened in Notepad or WordPad and examined, at first glance it will appear to be nothing more than a run-of-the-mill CSV file. Unfortunately, embedded in one of the columns of data is a WMIC call that launches a PowerShell command, and that's enough. That's all the hackers need to install the malware.
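A way to triage a downloaded CSV for the pattern described above before it is opened in Excel, as an added example that is not from the original post or the researchers: it flags cells that Excel would evaluate as formulas and singles out the ones shaped like a DDE reference. The function names, the reason labels, the inclusion of `cmd` in the keyword list, and the sample data (constructed, with the command arguments removed) are assumptions.

```python
import csv
import io
import re

# Excel evaluates a cell as a formula when it starts with one of these.
FORMULA_PREFIXES = ("=", "+", "-", "@")
# Shape of a DDE reference: application|topic!item
DDE_SHAPE = re.compile(r"^[=+\-@]\s*[\w.\\/: -]+\|.*!", re.S)
# WMIC and PowerShell are named in the article; cmd is an added assumption.
SUSPECT_WORDS = re.compile(r"\b(wmic|powershell|cmd)\b", re.I)

# Constructed sample, not the campaign's file; the command arguments are removed.
SAMPLE = (
    "invoice,amount,note\n"
    "1001,-12.50,paid\n"
    "1002,40.00,\"=WMIC|'<arguments removed>'!A1\"\n"
    "1003,19.99,=SUM(B2:B3)\n"
)


def is_plain_number(value):
    try:
        float(value.replace(",", ""))
        return True
    except ValueError:
        return False


def scan_csv(text):
    """Return (row, column, reason, cell) for every formula-like cell."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        for c, cell in enumerate(row, start=1):
            value = cell.strip()
            if not value.startswith(FORMULA_PREFIXES) or is_plain_number(value):
                continue
            if DDE_SHAPE.match(value):
                reason = "dde-reference"
            elif SUSPECT_WORDS.search(value):
                reason = "formula-names-program"
            else:
                reason = "formula-cell"
            findings.append((r, c, reason, value))
    return findings


if __name__ == "__main__":
    for finding in scan_csv(SAMPLE):
        print(finding)
```

Negative amounts such as `-12.50` are skipped as data, while an ordinary formula like `=SUM(B2:B3)` is still reported at the lowest severity, since a file that claims to be a plain data export has no reason to carry formulas.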

As always, vigilance is your best defense against this sort of thing. Remind your employees not to open any emails from unknown or untrusted sources and not to download or open any attachments from those emails.