Researchers have noticed that criminals have begun using the Basecamp project management platform in their campaigns, both to spread malware and to steal credentials.
When a user clicks one of Basecamp's public download links, they are taken to a page with a preview of the file and a link to download it. In effect, Basecamp users get free hosting that they can use to distribute any type of file.
Naturally, criminals took notice. Cybersecurity researchers have found, for example, BazarLoader executables being distributed via Basecamp using public download links.
BazarLoader is a backdoor Trojan developed by the authors of TrickBot that is commonly used to hack important targets and their networks. Once installed, BazarLoader deploys Cobalt Strike beacons, which allow attackers to access the victim's network and eventually deploy Ryuk ransomware there.
– MalwareHunterTeam (@malwrhunterteam) October 16, 2020
Experts note that using Basecamp lulls users' vigilance: seeing a Basecamp URL, many people assume the file belongs to one of their team's projects.
Attackers are also reported to abuse Basecamp in phishing campaigns. According to a report by Cyjax, phishers use Basecamp to host staging pages that then redirect victims to credential-stealing landing pages. Because Basecamp is generally considered a trusted service, this lets attackers bypass security solutions.
“This method is effective because Basecamp and Google Cloud are often used for business operations and are considered safe by default by most detection systems. In addition, cloud platforms keep their users anonymous and can be customized in no time. As a result, it is difficult for SOC analysts to recognize such a threat, because such traffic usually looks legitimate,” Cyjax experts write.
Moreover, such intermediate pages on Basecamp can be edited as needed: if a phishing landing page has been taken down, attackers can simply change the Basecamp staging page to redirect victims to another credential-theft page.
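Both abuse patterns described above, an executable fetched via a trusted-host link and a trusted-host staging page that hops to an external landing page, leave a similar trace in web-proxy logs: a client loads a page on the trusted platform and, seconds later, fetches something off-platform. The following is an added example written for this article, not code from Cyjax, Basecamp or any vendor; the log format, hostnames, paths and the ten-second hop window are all constructed assumptions, and the only "trusted" suffix configured is basecamp.com.

```python
"""Flag off-platform hops that begin on a trusted collaboration host.

Added example for this article (not Cyjax's, Basecamp's or any vendor's code).
It scans a constructed proxy log and raises two kinds of alert:
  - staging_redirect: a client loads a page on the trusted host and within a
    short window fetches an untrusted host (the staging-page -> landing-page
    pattern the article describes);
  - executable_download: that hop, or the trusted host itself, serves an
    executable content type (the payload-via-public-download-link pattern).
Log format, hostnames, paths and the window length are assumptions.
"""
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumption: the organisation treats basecamp.com and its subdomains as trusted.
TRUSTED_SUFFIXES = ("basecamp.com",)
# Content types proxies commonly report for Windows executables.
EXECUTABLE_TYPES = {
    "application/x-msdownload",
    "application/x-dosexec",
    "application/vnd.microsoft.portable-executable",
}
# How soon after a trusted-host page load an off-platform fetch counts as a hop.
HOP_WINDOW = timedelta(seconds=10)

# Constructed log: timestamp, client IP, URL, HTTP status, response content type.
SAMPLE_LOG = """\
2020-10-16T09:12:01Z 10.0.0.5 https://3.basecamp.com/111/uploads/42 200 text/html
2020-10-16T09:12:03Z 10.0.0.5 https://files.example.invalid/d/invoice.exe 200 application/x-msdownload
2020-10-16T09:15:10Z 10.0.0.7 https://3.basecamp.com/222/docs/8 200 text/html
2020-10-16T09:15:11Z 10.0.0.7 https://login-verify.example.invalid/o365/ 200 text/html
2020-10-16T09:20:00Z 10.0.0.9 https://3.basecamp.com/333/messages/5 200 text/html
2020-10-16T09:21:30Z 10.0.0.9 https://intranet.corp.invalid/wiki 200 text/html
"""


def is_trusted(host):
    """True if host is a trusted suffix or a subdomain of one (no substring matches)."""
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def parse_line(line):
    """Split one constructed log line into typed fields."""
    ts, client, url, status, ctype = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "client": client,
        "host": urlparse(url).hostname or "",
        "url": url,
        "status": int(status),
        "ctype": ctype,
    }


def find_suspicious_hops(log_text):
    """Return (kind, client, url) alerts for trusted-host-to-untrusted hops."""
    last_trusted = {}  # client -> timestamp of its most recent trusted-host load
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if is_trusted(ev["host"]):
            last_trusted[ev["client"]] = ev["ts"]
            # The trusted host itself handing out an executable is worth a look.
            if ev["ctype"] in EXECUTABLE_TYPES:
                alerts.append(("executable_download", ev["client"], ev["url"]))
            continue
        prev = last_trusted.get(ev["client"])
        if prev is None or ev["ts"] - prev > HOP_WINDOW:
            continue  # no recent trusted-host page load for this client
        kind = "executable_download" if ev["ctype"] in EXECUTABLE_TYPES else "staging_redirect"
        alerts.append((kind, ev["client"], ev["url"]))
    return alerts


if __name__ == "__main__":
    for kind, client, url in find_suspicious_hops(SAMPLE_LOG):
        print(kind, client, url)
```

On the constructed log this yields two alerts (an executable download for 10.0.0.5 and a staging redirect for 10.0.0.7) and ignores 10.0.0.9, whose external request came well outside the window. A time-window correlation like this is a hunting rule rather than a blocking rule: users legitimately follow external links from collaboration tools, so in practice the hits would be enriched with domain age, certificate data and the content type of the destination before anyone acts on them.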