Security researchers who have been tracking the BazarCall campaign for months report new malware strains, with the attackers now using call centers to get payloads onto victims’ computers.
Initially the threat actors installed the BazarLoader malware, but they subsequently began distributing other payloads as well, including TrickBot, IcedID, Gozi IFSB, and other malware.
Like many malware campaigns, BazarCall begins with a phishing email, but researchers now see a novel distribution step: phone call centers.
BazarCall emails targeting corporate users prompt them to call a support line number “to cancel a subscription.” The call center operator asks the victim for the unique customer ID enclosed in the email and then redirects them to an attacker-controlled website to “download a cancellation form.” Instead, the website serves malicious Excel documents that install malware.
According to BleepingComputer, the bulk of the emails claimed to come from a non-existent company, “Medical reminder service, Inc.” The attackers also used other fake names, such as “Blue Cart Service, Inc.,” “iMed Service, Inc.,” and “iMers, Inc.”
Randy Pargman, Vice President of Threat Hunting & Counterintelligence at Binary Defense, explained that the attackers need to use the unique customer ID to determine if the caller is a real victim.
“If you give them a wrong number, they will just tell you that they canceled your order and it’s all good without sending you to the website,” Pargman told BleepingComputer.
When the user enters their customer ID number on the website, it automatically prompts them to download an Excel document in xls or xlsb format. The document then asks the user to click the “Enable Content” button, which allows the malicious macros to run. In some cases, the threat actors also ask the victim to disable antivirus software so that the malicious documents are not detected.
The macro then downloads and deploys malware on the victim’s computer. The attackers gain remote access to the compromised corporate network and spread laterally to steal data or deploy ransomware.
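Because the payload in this chain is a macro-enabled Excel file (xls or xlsb) fetched from a website, a gateway or sandbox can flag such documents before a user ever sees the “Enable Content” prompt. The following is an added example, not code from the original article or from any of the researchers cited; it checks an OOXML workbook for an embedded `xl/vbaProject.bin` and a legacy OLE2 workbook for a VBA project storage name, and it builds a constructed sample workbook to test against (no real campaign document is used).

```python
import io
import zipfile

# Magic bytes of an OLE2 compound file (legacy .xls / .doc containers)
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"


def has_macros(data: bytes) -> bool:
    """Return True if an Excel file (OOXML .xlsb/.xlsm or legacy OLE2 .xls)
    carries a VBA project. Heuristic only; it does not parse the macro itself."""
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = {n.lower() for n in z.namelist()}
        except zipfile.BadZipFile:
            return False
        # OOXML packages keep the whole VBA project in this single part
        return "xl/vbaproject.bin" in names
    if data.startswith(OLE2_MAGIC):
        # OLE2 directory entries store stream/storage names as UTF-16LE;
        # a workbook with macros has a storage named _VBA_PROJECT_CUR
        return "_VBA_PROJECT".encode("utf-16-le") in data
    return False


def build_sample_xlsb(with_macros: bool) -> bytes:
    """Constructed minimal OOXML zip for testing; not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.bin", b"\x00")
        if with_macros:
            z.writestr("xl/vbaProject.bin", b"\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        print("macros" if has_macros(build_sample_xlsb(flag)) else "no macros")
```

A result of `True` is a trigger for quarantine or detonation, not proof of malice; legitimate macro workbooks also match, so pair it with source reputation (the document was served by a freshly registered site) rather than blocking on its own.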
Last month, threat actors used BazarLoader to distribute Ryuk ransomware, which was spotted with new worm-like capabilities.