
Hackers distribute malware using the Basecamp platform

Researchers have noticed that attackers are using the Basecamp project-management platform in campaigns that distribute malware and steal credentials.

Bleeping Computer explains that when a user creates a document in Basecamp, it can be formatted with HTML links, images, and styled text.

Basecamp also allows users to upload files of any format to projects, including executables, JavaScript files, and so on.

To share uploaded files, users can create public links that let people outside the organization view and download them.

[Image: Basecamp project files]

When a user clicks on such a link, they are taken to a page with a preview of the file and a link to download it. In effect, Basecamp users get free hosting on a trusted domain that can serve files of any type to anyone holding the link.

Criminals have naturally taken notice. Cybersecurity researchers have found BazarLoader executables being distributed via Basecamp public download links.

BazarLoader is a backdoor Trojan developed by the authors of TrickBot and commonly used in attacks on high-value targets and their networks. Once installed, BazarLoader deploys Cobalt Strike beacons, which give the attackers access to the victim's network and eventually lead to the deployment of Ryuk ransomware there.

“By using Basecamp, criminals distract users because when they see the Basecamp URL, many people assume the linked file is from their team’s project,” the experts say.

In addition, it is reported that attackers abuse Basecamp in phishing campaigns.

Cyjax reported that phishers use Basecamp to host staging pages that redirect victims to credential-harvesting landing pages. Because Basecamp is generally treated as a trusted service, the initial link passes through security controls that would block a link pointing directly at the phishing site.


“This method is effective because Basecamp and Google Cloud are often used for business operations and are considered safe by default by most detection systems. In addition, cloud platforms keep their users anonymous and can be customized in a short time. As a result, it is difficult for SOC analysts to recognize such a threat, because such traffic usually looks legitimate,” write Cyjax experts.

Moreover, such intermediate pages on Basecamp can be edited at any time. If a phishing landing page is taken down, the attackers simply change the Basecamp page to redirect victims to a new credential-theft page, so blocking or reporting only the final landing page does not neutralize the lure; the Basecamp document itself has to be reported as well.
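Both abuses above share one detection gap: the allowlisted SaaS domain hides an executable download or an off-platform redirect. The following is an added example, not code from the article, Bleeping Computer, Cyjax or Basecamp, showing how a proxy-log rule can close that gap by inspecting what a "trusted" host actually serves rather than trusting the hostname. The log format, the hostnames (`basecamp.example`, `cloud.example`, `evil.example`) and the URL paths are constructed for the example and are not Basecamp's real public-link format; the allowlist `TRUSTED_SAAS` and the captured-magic-bytes field are assumptions about what a content-inspecting proxy might log.

```python
"""Flag 'trusted' SaaS hosts that serve executables or redirect off-platform.

Added example; not the article's or any vendor's code. Log format, hostnames
and paths are constructed stand-ins. Assumption: the proxy records the first
two bytes of each response body as hex in the last field ('-' if absent).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Assumed allowlist of "trusted" SaaS domains (stand-ins, not real Basecamp hosts).
TRUSTED_SAAS = ("basecamp.example", "cloud.example")

# Content types and extensions that should never come from a document-sharing link.
EXEC_CONTENT_TYPES = {
    "application/x-msdownload", "application/x-dosexec", "application/x-msdos-program",
    "application/vnd.microsoft.portable-executable", "application/x-executable",
    "application/javascript", "text/javascript",
}
EXEC_EXTENSIONS = (".exe", ".dll", ".scr", ".msi", ".js", ".jse", ".vbs", ".hta", ".bat", ".cmd", ".ps1")
REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed sample log: client method url status content-type location magic
SAMPLE_LOG = """\
10.0.0.5 GET https://team.basecamp.example/p/docs/123 200 text/html - 3c21
10.0.0.5 GET https://team.basecamp.example/public/files/AcmeInvoice.pdf 200 application/octet-stream - 4d5a
10.0.0.9 GET https://team.basecamp.example/public/docs/Login.html 302 text/html https://account-verify.evil.example/login -
10.0.0.9 GET https://files.cloud.example/bucket/report.pdf 200 application/pdf - 2550
10.0.0.1 GET https://cdn.other.example/setup.exe 200 application/x-msdownload - 4d5a
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\S+) (\S+) (\S+)$")


@dataclass
class ProxyEvent:
    client: str
    method: str
    url: str
    status: int
    content_type: str
    location: Optional[str]   # Location header on redirects, else None
    magic: Optional[bytes]    # first body bytes, if the proxy captured them


def parse_line(line: str) -> Optional[ProxyEvent]:
    """Parse one constructed-format log line; return None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    client, method, url, status, ctype, location, magic = m.groups()
    return ProxyEvent(client, method, url, int(status), ctype,
                      None if location == "-" else location,
                      None if magic == "-" else bytes.fromhex(magic))


def is_trusted_host(url: str) -> bool:
    """True if the URL's host is the allowlisted domain or a subdomain of it."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_SAAS)


def looks_executable(ev: ProxyEvent) -> bool:
    """Executable by body magic (PE 'MZ'), declared type, or file extension.

    The magic check matters most: a PE renamed to .pdf and served as
    application/octet-stream still starts with b'MZ'."""
    path = urlsplit(ev.url).path.lower()
    return ((ev.magic is not None and ev.magic.startswith(b"MZ"))
            or ev.content_type.lower() in EXEC_CONTENT_TYPES
            or path.endswith(EXEC_EXTENSIONS))


def evaluate(ev: ProxyEvent) -> List[str]:
    """Return reasons to alert. Only allowlisted hosts are examined here;
    downloads from non-allowlisted hosts are left to the ordinary rules."""
    reasons: List[str] = []
    if not is_trusted_host(ev.url):
        return reasons
    if looks_executable(ev):
        reasons.append("executable served from trusted SaaS host")
    if ev.status in REDIRECT_STATUSES and ev.location and not is_trusted_host(ev.location):
        reasons.append(f"trusted SaaS host redirects off-platform to {urlsplit(ev.location).hostname}")
    return reasons


def scan(log_text: str) -> List[Tuple[str, str, str]]:
    """Run the rules over a whole log; yields (client, url, reason) hits."""
    hits: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        for reason in evaluate(ev):
            hits.append((ev.client, ev.url, reason))
    return hits


if __name__ == "__main__":
    for client, url, reason in scan(SAMPLE_LOG):
        print(f"{client} {url}: {reason}")
```

On the constructed log this flags two events: the "invoice PDF" from the allowlisted host whose body begins with the PE `MZ` signature, and the allowlisted document that 302-redirects to a host outside the allowlist. The final `.exe` from a non-allowlisted host is deliberately ignored by this rule, since conventional download controls already see that host; the point of the rule is the traffic the allowlist would otherwise wave through.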

Let me also remind you that malware likewise spreads and downloads payloads from paste sites.

William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several months later I got a virus on that PC. After graduating from school I decided to enter the INSA Centre Val de Loire university. This French educational institution was offering a brand-new cybersecurity course. After getting my master's degree in cybersecurity, I started working as a virus analyst at a small anti-malware vendor. In 2018, I decided to start the Virus Removal project. The main goal of this site is to help people deal with PC viruses of any kind.
