# Malicious CSV text files used to install BazarBackdoor malware **[bleepingcomputer.com/news/security/malicious-csv-text-files-used-to-install-bazarbackdoor-malware/](https://www.bleepingcomputer.com/news/security/malicious-csv-text-files-used-to-install-bazarbackdoor-malware/)** Lawrence Abrams By [Lawrence Abrams](https://www.bleepingcomputer.com/author/lawrence-abrams/) February 1, 2022 04:59 PM 2 A new phishing campaign is using specially crafted CSV text files to infect users' devices with the BazarBackdoor malware. A comma-separated values (CSV) file is a text file containing lines of text with columns of data separated by commas. In many cases, the first line of text is the header, or description, for each column. For example, a very basic CSV text file containing the capitals of some US states is illustrated below. Notice how commas separate each column of data (states and capitals). ----- ``` State,Capital Alabama,Montgomery Alaska,Juneau Arizona,Phoenix Arkansas,Little Rock California,Sacramento Colorado,Denver Connecticut,Hartford Delaware,Dover Florida,Tallahassee ``` As you can see above, the file contains nothing but text, but when loaded into Excel, the data is presented with each line on its own row and the data separated by the commas into columns of data. **Example CSV file loaded in Microsoft Excel** _Source: BleepingComputer_ Using CSVs is a popular method to export data from applications that can then be imported into other programs as a data source, whether that be Excel, a database, password managers, or billing software. Since a CSV is simply text with no executable code, many people consider these types of files harmless and may be more carefree when opening them. ----- However, Microsoft Excel supports a feature called Dynamic Data Exchange (DDE), which can be used to execute commands whose output is inputted into the open spreadsheet, including CSV files. Unfortunately, threat actors can also abuse this feature to execute commands that download and install malware on unsuspecting victims. ## CSV file uses DDE to install BazarBackdoor A [new phishing campaign spotted by security researcher Chris Campbell is installing the](https://twitter.com/phage_nz/status/1488310674279530496) BazarLoader/BazarBackdoor trojan through malicious CSV files. [BazarBackdoor is a stealthy backdoor malware created by the TrickBot group to provide](https://www.bleepingcomputer.com/news/security/bazarbackdoor-trickbot-gang-s-new-stealthy-network-hacking-malware/) threat actors remote access to an internal device that can be used as a springboard for further lateral movement within a network. The phishing emails pretend to be "Payment Remittance Advice" with links to remote sites that download a CSV file with names similar to 'document-21966.csv.' **BazarBackdoor phishing email** _Source: @phage_nz_ ----- Like all CSV files, the document-21966.csv file is just a text file, with columns of data separated by commas, as seen below. **The document-21966.csv file opened in a text editor** _Source: BleepingComputer_ The astute reader, though, will notice that one of the data columns contains a strange WMIC call in one of the columns of data that launches a PowerShell command. This `=WmiC| command is a DDE function that causes Microsoft Excel, if given permission,` to launch [WMIC.exe and execute the provided PowerShell command to input data into the](https://support.microsoft.com/en-us/topic/a-description-of-the-windows-management-instrumentation-wmi-command-line-utility-wmic-exe-f5c16751-3a83-49ee-030d-5092ce1a04bb) open workbook. In this particular case, the DDE will use WMIC to create a new PowerShell process that opens a remote URL containing another PowerShell command that is then executed. The remote PowerShell script command, shown below, will download a picture.jpg file and save it as C:\Users\Public\87764675478.dll. This DLL program is then executed using the rundll32.exe command. **PowerShell executed to download BazarLoader** _Source: BleepingComputer_ ----- [The DLL file [Tria.ge sample] will install BazarLoader, ultimately deploying the](https://tria.ge/220201-anxmqsefa6) BazarBackdoor and other payloads on the device. Thankfully, when this CSV file is opened in Excel, the program will spot the DDE call and prompt the user to "enable automatic update of links," which is marked as a security concern. **Confirm whether DDE** **should be enabled** _Source: BleepingComputer_ Even if they enable the feature, Excel will show them another prompt confirming if WMIC should be allowed to start to access the remote data. **Microsoft Excel asking to confirm if WMIC should be executed** _Source: BleepingComputer_ If the user confirms both prompts, Microsoft Excel will launch the PowerShell scripts, the DLL will be downloaded and executed, and BazarBackdoor will be installed on the device. While this threat does require users to confirm that the DDE function should be allowed to execute, [AdvIntel CEO](https://www.advintel.io/) [Vitali Kremez told BleepingComputer that people are falling for the](https://twitter.com/VK_Intel) ongoing phishing attack. "Based on our visibility into the BazarBackdoor telemetry, we have observed 102 actual non-sandbox corporate and government victims over the past two days from this phishing campaign," Kremez explained in an online discussion. Once BazarBackdoor is installed, it will allow the threat actors access to the corporate network, which the attacks will use to spread laterally throughout the network. ----- Ultimately, this could lead to further malware infections, the stealing of data, and the deployment of ransomware. ### Related Articles: [Google exposes tactics of a Conti ransomware access broker](https://www.bleepingcomputer.com/news/security/google-exposes-tactics-of-a-conti-ransomware-access-broker/) [New ChromeLoader malware surge threatens browsers worldwide](https://www.bleepingcomputer.com/news/security/new-chromeloader-malware-surge-threatens-browsers-worldwide/) [New ERMAC 2.0 Android malware steals accounts, wallets from 467 apps](https://www.bleepingcomputer.com/news/security/new-ermac-20-android-malware-steals-accounts-wallets-from-467-apps/) [Popular Python and PHP libraries hijacked to steal AWS keys](https://www.bleepingcomputer.com/news/security/popular-python-and-php-libraries-hijacked-to-steal-aws-keys/) [PDF smuggles Microsoft Word doc to drop Snake Keylogger malware](https://www.bleepingcomputer.com/news/security/pdf-smuggles-microsoft-word-doc-to-drop-snake-keylogger-malware/) [Attachments](https://www.bleepingcomputer.com/tag/attachments/) [BazarBackdoor](https://www.bleepingcomputer.com/tag/bazarbackdoor/) [Comma-separated values](https://www.bleepingcomputer.com/tag/comma-separated-values/) [CSV](https://www.bleepingcomputer.com/tag/csv/) [Malware](https://www.bleepingcomputer.com/tag/malware/) [Lawrence Abrams](https://www.bleepingcomputer.com/author/lawrence-abrams/) Lawrence Abrams is the owner and Editor in Chief of BleepingComputer.com. Lawrence's area of expertise includes Windows, malware removal, and computer forensics. Lawrence Abrams is a co-author of the Winternals Defragmentation, Recovery, and Administration Field Guide and the technical editor for Rootkits for Dummies. [Previous Article](https://www.bleepingcomputer.com/offer/deals/build-an-instant-ai-reference-library-with-this-ebook-bundle-deal/) [Next Article](https://www.bleepingcomputer.com/news/security/fbi-warns-of-fake-job-postings-used-to-steal-money-personal-info/) ### Comments ----- [Echo64 - 3 months ago](https://www.bleepingcomputer.com/forums/u/817471/echo64/) Wondering if any of these are coming through as .csv files directly attached to the email or if they all require users to click a link to download, just got done blocking .html and .htm attachments, might need to add .csv to that list too. [MaBriIT - 3 months ago](https://www.bleepingcomputer.com/forums/u/1237751/mabriit/) From https://support.microsoft.com/en-us/topic/microsoft-excel-security[enhancements-in-the-january-2022-update-kb5010321-6c925c6f-e5a0-4698-860d-](https://support.microsoft.com/en-us/topic/microsoft-excel-security-enhancements-in-the-january-2022-update-kb5010321-6c925c6f-e5a0-4698-860d-2d75e70e970a) 2d75e70e970a, I read "Microsoft has released two security enhancements as defense-in-depth measures for Excel in the January 2022 update. These security enhancements disable Dynamic Data Exchange (DDE) and automatic activation of OLE (Object Linking and Embedding) objects in all supported versions of Excel". Is this still a problem? Post a Comment [Community Rules](https://www.bleepingcomputer.com/posting-guidelines/) You need to login in order to post a comment [Not a member yet? Register Now](https://www.bleepingcomputer.com/forums/index.php?app=core&module=global§ion=register) ### You may also like: -----