Since January, security researchers have identified a new malware distribution campaign named BazarCall with new tricks under its sleeves. One of these tricks involves threat actors leveraging call centers to create a sense of panic among their targets.
What’s happening?
Microsoft Security Intelligence has tracked an active BazarCall malware campaign that leads to ransomware deployment.
The campaign starts with emails that instruct recipients to call a number to cancel their supposed subscription to a service.
When victims call the number, they are redirected to a fraudulent call center that is operated by attackers. The victims are told to visit a website and download an Excel file to cancel the service.
This file contains a malicious macro that downloads the payload.
In this attack, Microsoft saw attackers using Cobalt Strike and stealing credentials, including the Active Directory database, and exfiltrating it using rclone.
Additional insights
Proofpoint researchers identified an ongoing campaign that requires significant human interaction to install the BazarLoader backdoor and eventually deliver other malware.
The campaign uses an extensive infection chain, in which BazarLoader affiliates manipulate their victims into jumping through a number of hoops to trigger malware payloads.
It begins with an email informing recipients that their credit cards will be charged if they do not cancel their subscription to the service, a subscription that recipients never signed up for.
The email has a phone number for customer care at the call center with people standing by. These people direct the victims to a website to cancel the fake movie streaming service.
What does this indicate?
The recent attack method of the Bazaloader backdoor is similar to the one that was reported in March. With this novel attack technique on the roll, operators of the BazarCall backdoor aim to gain backdoor access to Windows systems. With this level of access, attackers can send other forms of malware, scan the target environment, and go after other vulnerable machines on the same network.
Microsoft keeps a track of it
As the cybercrime using the notorious BazarCall backdoor keeps getting more elaborated, Microsoft Security Intelligence has asked users not to trust phony call centers and suspicious Excel files. Moreover, it has published a GitHub page for publicly sharing details about the campaign.