New ‘BazarCall’ Malware Uses Call Centers to Trick its Victims into Infecting Themselves
Attackers use fake subscription notifications to get potential victims’ attention.
Today’s hackers have never been more old-fashioned – they are currently using a telephone call as a “brand new” technique to infect their victims’ devices.
Since January, security researchers have been tracking a malware distribution campaign called “BazarCall”.
According to Bleeping Computer, attackers use this campaign to spread the BazarLoader remote-access Trojan, which gives a hacker full control over the victim’s PC and is used to install further malware, all starting from nothing more than a phone call.
I’m dubbing the recent #BazaLoader #BazarLoader campaigns involving social engineering and call centers as #BazarCall
Next one up: “TopTips Office” xls dl domains:
cc @James_inthe_box @JAMESWT_MHT @jfslowik pic.twitter.com/M02Tzr8eQe
— TheAnalyst (@ffforward) February 2, 2021
While this is not a first, as cybercrime gangs have worked with underground call centers before, it is the first time this tactic has been seen used at large scale by a malware distributor such as the BazarLoader gang.
It all starts with a phishing email informing the victim that a free trial subscription for a medical service that they’ve seemingly signed up for is about to expire, and they will be charged a monthly subscription fee afterward. The emails then urge the victim to call a listed phone number to cancel the subscription before the renewal.
According to The Record and Bleeping Computer, the victims may receive messages such as “Thank you for using your free trial,” “Do you want to extend your free period,” or something similar.
A list of possible BazarCall subject lines was posted by a security researcher calling themselves “Execute Malware”.
Once the victims call the number, they are connected to an English-speaking call center operator who will ask for the details about the problem.
When the victim asks about cancelling the subscription, the phone agent asks for the unique customer ID included in the email.
“They will be able to identify the company that got that email when you give them a valid customer number on the phone. But if you give them the wrong number they will just tell you that they canceled your order and it’s all good without sending you to the website,” said Randy Pargman, Vice President of Threat Hunting & Counterintelligence at Binary Defense.
Once a valid customer ID is given, the operator directs the victim to a cancellation page where they are asked to enter that customer ID.
As soon as the victim clicks the “unsubscribe” button, the browser prompts them to download a Microsoft Excel or Word file, followed by an instruction that they must digitally sign the document or spreadsheet for their request to be processed.
Because Microsoft treats a downloaded file as a potential threat and opens it in a sandboxed mode, a security warning appears when the victim opens the Excel or Word file, indicating that macros have been disabled.
The phone operator, however, instructs the caller to enable the macros, which are malicious, so that the subscription cancellation request can be processed.
By enabling the macros, the victim allows the downloaded Office file to install the malware, which can do far more damage to the device because it has internet access and can fetch and install further malware.
In the beginning, the BazarCall campaign was also used to spread TrickBot, IcedID, Gozi ISFB, and other malware. What makes this Windows malware so threatening is that it gives the attackers remote access to compromised corporate networks, where they move laterally to steal data or install ransomware.
Threat actors use BazarLoader and TrickBot to deploy the Ryuk or Conti ransomware, while IcedID has been used in the past to deploy the now-defunct Maze and Egregor ransomware.
Thanks to the efforts of many researchers, the distribution service has had to change its phone numbers and hosting sites regularly as they are taken down, but this has not diminished the success of the distribution method.
According to BleepingComputer, people are falling for this scam because they believe the subscriptions are legitimate and need to be canceled.
You can stay protected from BazarCall malware by investing in trustworthy antivirus software, being careful about which free trials you sign up for, and being wary of instructions from call center operators that ask you to download an Office file, especially if you are told to enable macros.
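The step that makes BazarCall work is the victim clicking “enable content” on a macro warning in a file their browser just downloaded. The following PowerShell script is an added example, not code from the article or from any of the vendors it cites; it audits the Office macro policy for Word and Excel, shows the weak default beside the hardened setting, and checks whether a downloaded file carries the Mark of the Web that the block policy keys on. It assumes Office 2016/2019/365 (registry version key 16.0) and the per-user policy path; adjust both for other versions or machine-wide policy.

```powershell
# Added example (not from the article): audit and harden the Office macro policy that
# blocks the "enable macros" step a BazarCall operator talks the victim into.
# Assumption: Office 2016/2019/365 uses the 16.0 key; Office 2013 would be 15.0.
$officeVersion = '16.0'
$apps = @('Word', 'Excel')

function Get-MacroPolicy {
    param([string]$App)
    $key = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$App\Security"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        App = $App
        # 1 = block macros in files that carry the Mark of the Web (downloaded from the internet).
        # $null means no policy is set, so Office falls back to its defaults.
        BlockInternetMacros = $props.blockcontentexecutionfrominternet
        # VBAWarnings: 1 = enable all (dangerous), 2 = disable with notification (the default;
        # this is the yellow bar the article describes, one click away from infection),
        # 3 = disable except digitally signed, 4 = disable all without notification.
        VBAWarnings = $props.VBAWarnings
    }
}

function Set-MacroPolicyHardened {
    param([string]$App)
    $key = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$App\Security"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Weak: VBAWarnings = 2 (or unset) leaves "Enable Content" available to the caller.
    # Hardened: refuse macros in internet-sourced files outright and require signed macros elsewhere.
    Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
    Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value 3 -Type DWord
}

# A file saved by the browser carries a Zone.Identifier alternate data stream (Mark of the Web).
# ZoneId=3 means "Internet", which is exactly what the block policy above acts on.
function Test-MarkOfTheWeb {
    param([string]$Path)
    $zone = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    return [bool]($zone -match 'ZoneId=3')
}

foreach ($app in $apps) {
    Write-Host "Before hardening:"; Get-MacroPolicy -App $app | Format-Table -AutoSize
    Set-MacroPolicyHardened -App $app
    Write-Host "After hardening:";  Get-MacroPolicy -App $app | Format-Table -AutoSize
}
```

Run `Test-MarkOfTheWeb -Path 'C:\Users\<user>\Downloads\<file>.xls'` on a file a browser saved to confirm it is tagged as coming from the internet; a file copied from removable media or extracted without the tag will not be covered by the block policy, which is why the signed-macros fallback is set as well.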