Skip to content

CSVs and Excel can now deploy BazarBackdoor on your PC

  • by
  • 2 min read

CSV files in combination with an Excel feature called Dynamic Data Exchange (DDE) can now be used to infect your PC with the BazarBackdoor malware. Security researcher Chris Campbell spotted the phishing campaign. 

It works by adding a WMIC call in the CSV file, which launches the Windows Powershell terminal. Once launched, it downloads a DLL file which then deploys the malware. The malware in question, BazarBackdoor, is a backdoor malware created by the TrickBot group to provide attackers remote access to an internal device that can act as an infiltration point to larger networks.

Excel does, however, detect the DDE to call to access external links and asks the user to enable automatic updates for links along with a security concern. Even after the user enables the feature, another prompt is shown confirming if WMIC should be allowed to start accessing the remote data, or in this case, the DLL file that deploys the malware.

In the News: India proposes 30% crypto tax: Does this legalise cryptocurrency in India?

Harmless CSV? Not anymore

CSV or Comma Separated Value files are essentially text files with data entries split by commas. These files are rather harmful by themselves. It’s only when they’re imported into Excel is when the DDE feature kicks in making the files a real threat. 

The file is delivered to the victim through an email pretending to be payment remittance advice. The email points to a link that downloads a CSV file with a name somewhat like ‘document-21699.csv’.

Once the file is downloaded and opened in Excel, the WMIC call kicks in launching WMIC.exe, a legitimate Windows process that lets Excel execute the embedded Powershell command to input data in the currently open Workbook in Excel.

However, the malicious CSV file uses this WMIC call to create another Powershell process that opens an external URL (hence the warning mentioned above in Excel) containing another Powershell command that downloads a picture.jpg file, saving it as C:\Users\Public\87764675478.dll.

The downloaded DLL is then executed using rundll32.exe to install and deploy the BazarLoader malware, eventually deploying BazarBackdoor and possibly other payloads on the computer. 

BazarLoader can then allow the attacker to gain access to corporate networks, which can be used to further spread the infection and possibly lead to ransomware deployment.

In the News: Discord rolls out integration for PSN on PS5 and PS4

Yadullah Abidi

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: