BazaLoader malware operators have been luring website owners into downloading the malware with fake notifications claiming their sites were involved in distributed denial-of-service attacks, and with a phony Digital Millennium Copyright Act infringement complaint, BleepingComputer reports.
BleepingComputer found that the threat actor behind the campaign uses Firebase URLs in website contact-form submissions to deliver BazaLoader and Cobalt Strike, a delivery approach similar to the one Microsoft observed for IcedID malware in April.
Website developer and designer Brian Johnson noted that two of his clients received fake DDoS attack notifications threatening legal action unless the supposedly malicious files were promptly removed from their systems. Malware analyst Brad Duncan found that the file attached to the emails is a ZIP archive containing JavaScript that fetches the BazaLoader DLL. Once running, BazaLoader contacts its command-and-control server and launches Cobalt Strike, which delivers further payloads and establishes persistence.
Organizations can defend against this social engineering scheme by remaining vigilant for malicious intent in emails such as these.
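As an added illustration of the lure pattern described above (not code from BleepingComputer or the researchers cited), the following Python triage script flags inbound mail that combines the two traits reported here: a Firebase-hosted link in the body and a ZIP attachment whose members include script files such as JavaScript. The sample message is constructed inline; the Firebase hostnames and script extensions are assumptions, not indicators taken from the report.

```python
import io
import os
import re
import zipfile
from email import message_from_string
from email.message import EmailMessage

# Assumed: script types a mail gateway would not expect inside a "report" archive.
SCRIPT_EXTS = {".js", ".jse", ".wsf", ".vbs", ".hta"}
# Assumed: common Firebase hosting/storage hostnames used to serve files.
FIREBASE_URL = re.compile(
    r"https?://(?:[\w-]+\.)*firebase(?:storage\.googleapis|app|io)\.com/\S*", re.I)


def archive_script_members(data: bytes) -> list[str]:
    """Names of script-type members inside a ZIP payload ([] if not a valid ZIP)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist()
                    if os.path.splitext(n)[1].lower() in SCRIPT_EXTS]
    except zipfile.BadZipFile:
        return []


def triage_email(raw: str) -> dict:
    """Inspect a raw RFC 822 message and report Firebase links and scripts-in-ZIP."""
    msg = message_from_string(raw)
    findings = {"firebase_urls": [], "script_in_zip": []}
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container only; the leaves carry the content
        payload = part.get_payload(decode=True) or b""
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip"):
            findings["script_in_zip"] += archive_script_members(payload)
        elif part.get_content_type() == "text/plain":
            findings["firebase_urls"] += FIREBASE_URL.findall(
                payload.decode("utf-8", "replace"))
    findings["suspicious"] = bool(findings["firebase_urls"] or findings["script_in_zip"])
    return findings


def build_sample() -> str:
    """Constructed lure modelled on the DDoS-notification emails; not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("DDoS_evidence.js", "// placeholder member, not a real dropper\n")
    msg = EmailMessage()
    msg["Subject"] = "Your site was used in a DDoS attack"
    msg.set_content("Evidence: https://firebasestorage.googleapis.com/v0/b/x/o/report")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="evidence.zip")
    return msg.as_string()


if __name__ == "__main__":
    print(triage_email(build_sample()))
```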