Basecamp, a popular project management tool, is being used by cyberattackers in a variety of ways, according to new security research. As well as being used to distribute the BazarLoader malware, it is also being employed as part of a number of phishing campaigns.
Threat actors are using public Basecamp links to host BazarLoader executables disguised as genuine Basecamp links. Once installed, BazarLoader allows other cyberattackers to infiltrate a network with the ultimate goal of unleashing the Ryuk ransomware.
The BazarLoader trojan, sometimes spelt BazaLoader, has hit the headlines this year as part of several notable malware campaigns. It has previously been linked to a phishing campaign that sought to trick victims with false claims about US President Donald Trump’s health.
The trustworthy reputation that Basecamp enjoys is also being used as part of a phishing campaign. Cybersecurity firm Cyjax has discovered that attackers are using Basecamp to host webpages that redirect unsuspecting online users to phishing landing pages. Many security solutions will view the webpages as being safe if Basecamp is used as an intermediary.
“This technique is effective because Basecamp and Google Cloud hosting are often used for business operations and are regarded as safe by default by most detection systems,” security researcher William Thomas explained. “Cloud platforms also preserve the anonymity of their users and can be set up in no time at all. They are difficult for human SOC analysts to recognize as a threat because the traffic to and from these services appears legitimate.”
More importantly, Basecamp pages can easily be edited, allowing threat actors to shift tactics when security solutions do eventually catch up with them. By altering a Basecamp intermediary page and redirecting victims to a different phishing landing site, cybercriminals can keep modifying a campaign to avoid detection.
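An added detection example, written for this page and not taken from the article or from Cyjax: it scans constructed web-proxy log lines for requests whose referer is a Basecamp page but whose destination lies outside Basecamp, then groups the landing hosts per intermediary page so that a page whose target keeps changing stands out. The log format, client addresses, Basecamp URLs and landing hostnames are all assumptions made up for the example.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Domains that detection systems tend to allow by default (the article names Basecamp).
# The exact hostnames matched below are an assumption, not taken from the article.
TRUSTED_SUFFIXES = ("basecamp.com",)

# Constructed sample proxy log lines (not from the article): timestamp, client, URL, referer.
SAMPLE_LOGS = """\
2020-10-25T09:01:12Z 10.0.0.5 https://3.basecamp.com/1234567/buckets/1/documents/99 -
2020-10-25T09:01:14Z 10.0.0.5 https://invoice-review.example/login.html https://3.basecamp.com/1234567/buckets/1/documents/99
2020-10-25T09:05:40Z 10.0.0.7 https://3.basecamp.com/1234567/buckets/1/documents/99 -
2020-10-25T09:05:41Z 10.0.0.7 https://3.basecamp.com/1234567/buckets/1/uploads/5 https://3.basecamp.com/1234567/buckets/1/documents/99
2020-10-26T11:20:03Z 10.0.0.9 https://3.basecamp.com/1234567/buckets/1/documents/99 -
2020-10-26T11:20:05Z 10.0.0.9 https://secure-docs.example/portal/ https://3.basecamp.com/1234567/buckets/1/documents/99
"""


def is_trusted(host):
    """True if host is a trusted domain itself or one of its subdomains."""
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def find_intermediary_redirects(log_text):
    """Return (client, intermediary_url, landing_host) for each request whose referer
    is a trusted intermediary page but whose destination leaves the trusted zone.
    Caveat: a hop that strips the Referer header (meta refresh, referrer-policy)
    is invisible here and needs another data source, e.g. browser or DNS telemetry."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, url, referer = line.split()
        if referer == "-":
            continue
        ref_host = urlparse(referer).hostname or ""
        dst_host = urlparse(url).hostname or ""
        if is_trusted(ref_host) and not is_trusted(dst_host):
            hits.append((client, referer, dst_host))
    return hits


def landing_hosts_by_page(hits):
    """Group landing hosts per intermediary page. One Basecamp page that sends users
    to several unrelated external hosts over time matches the tactic of editing the
    intermediary to point at a fresh landing site once the old one is blocked."""
    by_page = defaultdict(set)
    for _client, page, host in hits:
        by_page[page].add(host)
    return {page: sorted(hosts) for page, hosts in by_page.items()}
```

Feeding real proxy logs through `find_intermediary_redirects` and alerting when `landing_hosts_by_page` shows more than one landing host for a single intermediary page gives a signal that survives the attacker swapping the final destination.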