Basecamp, a communication platform used by corporations for project management, is being abused by hackers to host their malware. Researchers found that hackers are distributing Basecamp public documents to targets; the documents carry the BazarLoader trojan, which eventually deploys the Ryuk ransomware. Being suspicious of public documents is the way to thwart such campaigns.
Basecamp Used For Malware Hosting
Basecamp is a sophisticated project management suite that lets groups chat, create, and share documents. Users can include images, styled text, and URLs in their documents when composing them, and share them with others for collaboration. What is being abused here is its public documents and free hosting.
Basecamp’s personal package is free, so users can host their documents at no cost. Their public documents can also be shared with anyone on the internet through the link that is created when the document is published. While this has a legitimate purpose, the researchers MalwareHunterTeam and James have found a campaign in which malicious actors are abusing Basecamp.
Ah, so they are using @basecamp… pic.twitter.com/ejPT1qgqYE
— MalwareHunterTeam (@malwrhunterteam) October 16, 2020
Researchers found that the platform’s public documents are being used to deliver a malware called BazarLoader, a backdoor trojan made by the TrickBot gang and aimed at high-profile targets such as corporations. BazarLoader further deploys Cobalt Strike beacons, which eventually bring Ryuk ransomware into the network.
The result is a network compromise in which data is stolen and systems are encrypted. Researchers have also found phishing campaigns in which Basecamp documents are distributed with links to phishing pages asking for Office 365 login credentials. Antivirus software is mostly useless in this case, since it treats traffic and content from Basecamp as legitimate.
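The blind spot described above (security tools treating traffic from a trusted collaboration platform as legitimate) is one a defender can partially close by looking at what is downloaded rather than where it comes from. The following script is an added example, not code from the article or from Basecamp: it scans web-proxy log lines and flags executable downloads served from an allowlisted SaaS domain. The log format, the allowlist of trusted domains, the executable-type lists and the Basecamp-style URL paths in the sample lines are all constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List
from urllib.parse import urlparse

# Assumption (not from the article): the organisation's proxy allowlist treats
# these SaaS domains as trusted, so URL reputation alone will not flag them.
TRUSTED_SAAS_DOMAINS = ("basecamp.com",)

# File extensions and response content types that indicate an executable
# payload rather than a document. Constructed lists; extend as needed.
EXECUTABLE_EXTENSIONS = (".exe", ".dll", ".scr", ".msi", ".js", ".vbs", ".hta")
EXECUTABLE_MIME_TYPES = (
    "application/x-msdownload",
    "application/x-dosexec",
    "application/vnd.microsoft.portable-executable",
)

# Constructed proxy log format: timestamp client method url status content-type bytes
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<ctype>\S+) (?P<bytes>\d+)$"
)


@dataclass
class Finding:
    client: str
    url: str
    reason: str


def is_trusted_saas_host(host: str) -> bool:
    """True when the host is one of the trusted SaaS domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_SAAS_DOMAINS)


def looks_executable(url: str, content_type: str) -> str:
    """Return a reason string if the download looks like an executable, else ''."""
    path = urlparse(url).path.lower()
    if path.endswith(EXECUTABLE_EXTENSIONS):
        return f"executable extension in path: {path.rsplit('/', 1)[-1]}"
    ctype = content_type.split(";", 1)[0].strip().lower()
    if ctype in EXECUTABLE_MIME_TYPES:
        return f"executable content type: {ctype}"
    return ""


def scan_proxy_log(lines: Iterable[str]) -> List[Finding]:
    """Flag successful executable downloads served from a trusted SaaS domain.

    Downloads from untrusted domains are left to the ordinary reputation
    controls; this rule only covers the blind spot the article describes.
    """
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the constructed format
        if m["status"] != "200":
            continue  # only completed downloads matter
        host = urlparse(m["url"]).hostname or ""
        if not is_trusted_saas_host(host):
            continue
        reason = looks_executable(m["url"], m["ctype"])
        if reason:
            findings.append(Finding(m["client"], m["url"], reason))
    return findings


# Constructed sample log lines; the Basecamp paths are made up for illustration.
SAMPLE_LOG = [
    "2020-10-16T09:12:01Z 10.0.0.15 GET https://3.basecamp.com/1234567/public/docs/invoice.html 200 text/html 18233",
    "2020-10-16T09:12:09Z 10.0.0.15 GET https://3.basecamp.com/1234567/blobs/abc/download/Report_Preview.exe 200 application/x-msdownload 512000",
    "2020-10-16T09:13:40Z 10.0.0.22 GET https://3.basecamp.com/1234567/blobs/def/download/agenda.pdf 200 application/pdf 90112",
    "2020-10-16T09:15:02Z 10.0.0.22 GET https://3.basecamp.com/1234567/blobs/ghi/download/setup 200 application/x-dosexec 733184",
    "2020-10-16T09:16:30Z 10.0.0.31 GET https://cdn.example.test/tool.exe 200 application/x-msdownload 220000",
    "2020-10-16T09:17:00Z 10.0.0.31 GET https://3.basecamp.com/1234567/blobs/jkl/download/old.exe 404 text/html 512",
]

if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG):
        print(f"{f.client} downloaded {f.url}: {f.reason}")
```

Run against the sample, only the two Basecamp-hosted executables are reported: one by file extension and one, with no telling extension, by its content type. The rule deliberately ignores the untrusted CDN download and the failed request, because those are covered by the reputation and status-code controls a proxy already applies; the value here is catching a payload that arrives through a domain those controls trust.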
The way to avoid falling into such a trap is to stay vigilant. Employees of corporations should be educated about such campaigns and be wary of interacting with suspicious emails or documents.