BaseCamp is the latest online service being abused by criminals to distribute malware in a new phishing campaign. Several incidents of this kind have already been reported, which suggests a new trend rather than an isolated case. BaseCamp is a popular online service for project management and team collaboration.
Phishing Campaigns Now Focus on BaseCamp: The Service is Used to Spread Malware
Users of the BaseCamp service should be on guard: the popular collaboration site is the newest target of multiple phishing campaigns run by as yet unidentified groups. At this time there is no information about who is behind them. What is known is that the attackers take advantage of the service's legitimate features to trick users into downloading and running malware.
The abused feature is document creation. When creating items online, BaseCamp allows rich formatting with HTML links, text decoration and images, and lets users attach practically any file type to a project, including the types most commonly used to carry malware:
- Executable Files — They may be the malware itself or a legitimate program that has been trojanized. Typical disguises are application installers, patches, updates and add-ons.
- Documents — They usually carry malicious macros and may come in any of the popular office formats: text documents, spreadsheets, databases and presentations.
The phishing approach is to use stolen or purpose-made accounts on the service, upload the files described above through the document creation feature, and distribute links to them. The links are sent out either directly or through URL shorteners, which hide the final destination from the recipient.
These download links can then deliver dangerous malware, including Trojans and file-encrypting ransomware. BaseCamp is an attractive hosting site for attackers because its domain is often "trusted by default" by both users and security controls such as URL filters, web proxies and firewalls. Until these incidents there had been no notable cases of malware delivered through the service, so its links carry a clean reputation, which is precisely what makes this approach effective against all kinds of users.
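The weak point described above is a filter that exempts links on a reputable domain from inspection. The following Python is an added example, not code from the article or from BaseCamp, showing the opposite rule: any link that resolves, directly or through a shortener, to a file download on the trusted collaboration domain is flagged. The hostnames, upload paths, shortener redirect table and sample messages are constructed for illustration and are not taken from the reported incidents.

```python
"""Flag mail links that lead to file downloads hosted on a trusted
collaboration service, including links hidden behind URL shorteners.

Added example. Hosts, paths, redirects and sample messages are constructed;
they are assumptions, not indicators from the reported campaign."""
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)

# Hostnames assumed to belong to the collaboration service (assumption).
TRUSTED_HOSTS = {"basecamp.com", "3.basecamp.com", "public.3.basecamp.com"}

# File types from the article's two carrier categories: executables and
# macro-capable office documents, plus common archive wrappers.
RISKY_EXT = {".exe", ".msi", ".scr", ".js", ".vbs", ".bat", ".ps1",
             ".doc", ".docm", ".xls", ".xlsm", ".ppt", ".pptm",
             ".accdb", ".mdb", ".zip", ".iso"}

# Constructed stand-in for resolving shortened URLs offline. In production
# you would issue HEAD requests from a sandboxed egress and record each hop.
SHORTENER_MAP = {
    "https://short.example/abc123":
        "https://public.3.basecamp.com/p/XYZ/uploads/Invoice.exe",
    "https://short.example/def456":
        "https://3.basecamp.com/1234567/buckets/1/documents/9",
}


def expand(url, redirects=SHORTENER_MAP, max_hops=5):
    """Return the redirect chain starting at url (first element is url)."""
    hops = [url]
    while url in redirects and len(hops) <= max_hops:
        url = redirects[url]
        hops.append(url)
    return hops


def host_in(host, trusted):
    """True if host is one of the trusted names or a subdomain of one."""
    host = (host or "").lower()
    return host in trusted or any(host.endswith("." + t) for t in trusted)


def classify_url(url, redirects=SHORTENER_MAP):
    """Rate one link: 'high' for a risky file type on the trusted domain,
    'medium' for a shortened link that lands on the trusted domain,
    'none' when neither condition holds."""
    chain = expand(url, redirects)
    final = urlparse(chain[-1])
    name = final.path.rsplit("/", 1)[-1].lower()
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    on_trusted = host_in(final.hostname, TRUSTED_HOSTS)
    shortened = len(chain) > 1
    if on_trusted and ext in RISKY_EXT:
        verdict = "high"
    elif on_trusted and shortened:
        verdict = "medium"
    else:
        verdict = "none"
    return {"url": url, "final": chain[-1], "shortened": shortened,
            "ext": ext, "verdict": verdict}


def scan_message(body, redirects=SHORTENER_MAP):
    """Extract every link in a message body and classify it."""
    urls = [u.rstrip(".,;:") for u in URL_RE.findall(body)]
    return [classify_url(u, redirects) for u in urls]


# Constructed sample messages (not real phishing mails).
SAMPLE_MESSAGES = [
    "Hi, please review the updated invoice: https://short.example/abc123 Thanks.",
    "Project notes are here https://3.basecamp.com/1234567/buckets/1/documents/9.",
    "Our newsletter: https://www.example.org/news.html",
]


def scan_samples():
    """Highest verdict per sample message, in order."""
    rank = {"none": 0, "medium": 1, "high": 2}
    return [max((f["verdict"] for f in scan_message(m)), key=rank.get, default="none")
            for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for msg, verdict in zip(SAMPLE_MESSAGES, scan_samples()):
        print(f"{verdict:6s}  {msg}")
```

The important design choice is that the trusted host list raises the severity instead of lowering it: a download of an executable or macro document from a collaboration domain the organisation does not normally use for file distribution is exactly the case the campaign relies on going unexamined. A plain document link on the service, reached directly, is left alone.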
What we know is that some of the current campaigns deliver the BazarLoader Trojan, malware linked to the operators of TrickBot. It is designed to infiltrate a victim's computer and move laterally across the internal network, giving the attackers remote control of the compromised systems, the ability to spy on victims, and a foothold for installing further threats. Analysis of its execution chain shows that it ultimately deploys the Ryuk ransomware, one of the most destructive families in this category.
We advise all users to be cautious when opening BaseCamp documents or links, especially those sent by people they do not know, and not to run any file downloaded from such a link without verifying it. Information about these incidents was published by security researcher Will Thomas, who discovered the phishing intermediate pages; the Trojan samples were identified by MalwareHunterTeam.