BazaCall: How Fake Call Center Agents Trick Users Into Installing Ransomware

Microsoft has reported a malicious campaign that uses fake call centers to infect users with malware and perform other illegal activities.

This social engineering attack, known as “BazaCall”, targets users by sending them email messages that contain a fake warning about a subscription charge. Victims are asked to call a support number to find out more or dispute the charge. Attackers use different themes revolving around canceling a subscription to services such as a photo editing website or a cooking and recipes website.

By tricking the recipients into calling a fraudulent call center, the fraudsters can directly provide the victims with instructions on how to download a file infected with the BazaLoader malware (aka BazarBackdoor).

BazaLoader is a C++-based program that can install various types of malicious software on infected computers. It can also steal sensitive data from the victims’ systems.

The BazaLoader campaigns were first observed in April 2020. Various threat actors run them, often to distribute Ryuk and Conti ransomware.

“Attacks emanating from the BazaCall threat could move quickly within a network, conduct extensive data exfiltration and credential theft, and distribute ransomware within 48 hours of the initial compromise,” Microsoft 365 Defender Threat Intelligence Team said in a report on Thursday.

Because the attackers do not send links or malware files directly to targets via email, but rather tell them how to access them online, such phishing attacks are harder to detect. This campaign is part of a growing trend among criminals who use rogue call centers to distribute malware. These call centers are often operated by non-native English speakers, researchers noted.
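The lure described above has a recognizable shape even without a link or attachment to scan: billing language, an instruction to call, a phone number, and nothing else. The following triage heuristic is an added example, not Microsoft's detection logic; the keyword lists, phone pattern and function names are assumptions, and the sample messages are constructed.

```python
import re
from email import message_from_string
from email.message import Message

# Assumed vocabulary, based on the subscription-charge themes in the article.
LURE = re.compile(r"\b(subscription|trial|charged?|renew(?:al|ed)?|cancel(?:lation)?)\b", re.I)
CALL = re.compile(r"\b(call|phone|dial|contact)\b", re.I)
PHONE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]\d{3}[\s.-]\d{4}")  # NANP-style only
URL = re.compile(r"(?:https?://|www\.)\S+", re.I)

def body_text(msg: Message) -> str:
    """Concatenate every inline text part (plain or HTML), decoded to str."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text" and part.get_filename() is None:
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def score_callback_lure(raw_message: str) -> dict:
    """Return each signal plus 'flag', which is True only when all of them hold."""
    msg = message_from_string(raw_message)
    text = f"{msg.get('Subject', '')}\n{body_text(msg)}"
    signals = {
        "billing_lure": bool(LURE.search(text)),
        "call_to_action": bool(CALL.search(text)),
        "phone_number": bool(PHONE.search(text)),
        "no_url": URL.search(text) is None,
        "no_attachment": not any(p.get_filename() for p in msg.walk()),
    }
    signals["flag"] = all(signals.values())
    return signals

# Constructed sample messages (not taken from the campaign).
SAMPLE_CALLBACK = """\
Subject: Your trial subscription is ending

Your free trial ends today and your card will be charged $89.99.
To cancel, call our support team at +1 (555) 010-0199.
"""
SAMPLE_LINK = """\
Subject: Subscription charged

Review your invoice at https://billing.example.net/invoice
"""
SAMPLE_BENIGN = """\
Subject: Lunch on Friday

Running late, call me at 555-010-0123 when you arrive.
"""
```

Legitimate invoices that print a support number also match, so a hit is a signal for review and for correlation with later endpoint activity rather than a verdict.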

Earlier this year, Palo Alto Networks and Proofpoint uncovered an elaborate infection scheme that mimicked websites of legitimate ebook and movie streaming services to infect victims with Excel spreadsheets containing BazaLoader.

The latest attack revealed by Microsoft is similar to those above in that it involved the call center agent tricking consumers into visiting a website, “topcooks[.]us”, to cancel trial subscriptions.

“The use of another human element in BazaCall’s attack chain through the above mentioned hands-on-keyboard control further makes this threat more dangerous and more evasive than traditional, automated malware attacks,” the researchers said. “BazaCall campaigns highlight the importance of cross-domain optics and the ability to correlate events in building a comprehensive defense against complex threats.”

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.