One BazarLoader Call Center that Installs Malware: A Deeper Look into Its Operations
A Prolific Phishing Campaign Is Trying to Trick People into Believing that They Have Subscribed to a Movie Streaming Service.
A new type of scam is getting more and more popular. BazaLoader phishing emails are telling people to dial a phone number to cancel a phony subscription and therefore convincing them to download a malicious payload without their knowledge.
This is a phishing campaign tricking people into thinking they have subscribed to a movie streaming service and determine them to dial a phone number to cancel; someone will guide them through a procedure that will facilitate infection with the BazaLoader malware.
As my colleague, Antonia was saying BazaLoader works by creating a backdoor program on a Windows computer that can be used as an initial access medium to provide other malware attacks (including ransomware), like the well-known Ryuk ransomware.
It was noticed that in the first phase of the campaign the attackers involved the dissemination of tens of thousands of phishing emails pretending to be from “BravoMovies,” a fake video streaming service created by the cybercriminals.
The website design looks convincing, as the people behind the attacks went into even making fake movie posters using open source images available online.
On a closer look, a more careful user can see that even if the website looks legit, it contains various spelling errors.
The email claims the victim has signed up for a trial period and will be charged a monthly fee of $39.99 but, if they call the support hotline, the hypothetical subscription can be canceled.
If a user decided to call “customer service” they are met by a representative claiming to guide them through the process of unsubscribing, whilst actually guiding them in the installation process of BazaLoader on their computers.
This is done by directing the caller to the “subscribe” page and then encouraging them to click a link to download a Microsoft Excel spreadsheet that contains macros.
If the macros are enabled, the victim will unknowingly download BazaLoader to their device, therefore getting infected with the malware.
To help protect users and entire organizations from phishing attacks and social engineering, the users should be trained to detect and report malicious emails.
It’s also worth noting that receiving an email claiming that if you don’t respond, your credit card will be charged, thus creating a sense of urgency is, in fact, part of a phishing campaign, a commonly used technique to trick users into blindly following instructions.
Malicious attachments are often blocked by threat detection software. By directing people to phone the call center as part of the attack chain, the threat actors can bypass threat detection mechanisms that would otherwise flag its attachments as spam.
A few things you can do to not become victim to phishing attacks are:
- Hang up the minute you suspect this might be a scam.
- Never provide personal information or any details required to grant access to your computer.
- Do not download any software they ask you to.
- Raise a flag for all the parties involved.
- Change your passwords.
- Share your experience.
- Clean your PC and install an anti-malware solution.
In order to keep yourself safe from scams, you can check Miriam’s article in which she offered a more in-depth look into all the ways you can protect yourself from malicious attacks.
Heimdal® Threat Prevention - Network
- No need to deploy it on your endpoints;
- Protects any entry point into the organization, including BYODs;
- Stops even hidden threats using AI and your network traffic log;
- Complete DNS, HTTP and HTTPs protection, HIPS and HIDS;