Heimdal Security Blog

BazaCall Is Not Gone: the Malicious Campaign Goes on with Its Activity

Starting in April 2021, BazaCall came to the public’s attention: the malicious campaign distributes malware known as BazaLoader or BazarLoader. In short, the attackers trick victims with a phishing e-mail urging them to call a specific phone number because some subscription is about to expire; the caller is then directed to a link from which BazarLoader is downloaded.

Now the BazaCall campaign is still active and uses the old techniques once again, but it has new features too.

What’s Basically New Now?

Microsoft emphasizes that this threat is more dangerous now: besides its backdoor capabilities, meaning that it installs additional malware such as Ryuk ransomware, the network can now be compromised much faster. How? Through the payload, the attackers gain hands-on control of users’ devices. The malware moves through the network quickly, stealing credentials and exfiltrating data, and ransomware can be deployed within 48 hours of the initial infection.

BazaCall: How Does It Generally Work?

The general method the threat actors behind BazaCall have used over time is well known:

The users are connected with actual humans on the other end of the line, who then provide step-by-step instructions for installing malware into their devices. Thus, BazaCall campaigns require direct phone communication with a human and social engineering tactics to succeed. Moreover, the lack of obvious malicious elements in the delivery methods could render typical ways of detecting spam and phishing emails ineffective.

Source
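As an added illustration of the delivery pattern the quote describes (a phone number and a subscription pretext, with no link or attachment to trip conventional filters), here is a small Python triage heuristic for incoming mail; it is example code, not Microsoft's or Heimdal's, and the two sample e-mails and the keyword lists are constructed.

```python
import re
from email import message_from_string

# Constructed sample messages (hypothetical, not real BazaCall lures).
CALLBACK_LURE = """\
From: billing@example-movies.test
Subject: Your BravoMovies trial ends today

Your free trial will be charged $39.99 tomorrow unless you cancel.
To cancel, call our billing team at (800) 555-0199 within 24 hours.
"""

BENIGN_NOTE = """\
From: alice@example.test
Subject: Lunch tomorrow?

Want to grab lunch at noon? The new place on 5th is open.
"""

PHONE_RE = re.compile(r"\(?\b\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b")
URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)
# Wording of the subscription-expiry pretext the campaign relies on.
PRETEXT_TERMS = ("subscription", "trial", "renew", "expire", "charged", "cancel")


def body_text(msg):
    """Concatenate the text/plain parts of a parsed message."""
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    return "\n".join(p.get_payload(decode=True).decode("utf-8", "replace")
                     for p in parts)


def score_callback_lure(raw):
    """Score a raw RFC 822 message for the callback-phishing pattern:
    a phone number plus subscription wording, and no link or attachment.
    Returns the signals found and a verdict (True = verify before calling)."""
    msg = message_from_string(raw)
    text = (msg.get("Subject", "") + "\n" + body_text(msg)).lower()
    phones = PHONE_RE.findall(text)
    signals = {
        "phone_numbers": phones,
        "pretext": [t for t in PRETEXT_TERMS if t in text],
        "has_link": bool(URL_RE.search(text)),
        "has_attachment": any(p.get_filename() for p in msg.walk()),
    }
    # Defining trait of the lure: the only action offered is a phone call.
    signals["suspicious"] = (bool(phones) and bool(signals["pretext"])
                             and not signals["has_link"]
                             and not signals["has_attachment"])
    return signals
```

The verdict is a triage signal for a mail gateway or help desk, not proof of malice; a flagged message should be verified through the vendor's known contact details rather than the number in the e-mail.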

BazaCall: Its Activity Over the Last Months

According to Cyware, cross-domain optics should be of utmost importance now in light of recent campaigns. This technique can counter such threats by correlating events. What makes BazaCall so strong and convincing is the human factor: users have no reason to doubt it when they call a number and a real agent speaks with them, even if that agent is the attacker.

In June, hackers used the phishing scam described above to deliver malware, which brought the campaign to Microsoft’s attention.

In July, attackers sent fake e-mails allegedly from BravoMovies, a membership service for watching movies online. Through these, compromised Excel spreadsheets delivered BazarLoader.

How to Protect Yourself Against This Threat?

When you receive a suspicious e-mail, take a moment to think about it. Instead of calling the number directly, check whether you have really ever had any connection with the service it mentions, or ask first before downloading anything.