Security researchers discovered a new BazarCall phishing campaign they dubbed BazaFlix that can fool the automated threat detection systems of email platforms to deliver the Bazarloader malware.
Another wave of BazarCall emails was spotted at the start of the month. Emails pretended to be a notification about a recurring payment card charge.
BazarCall is a new phishing method that uses call centers to trick users into downloading malware.
Attackers use social engineering and send victims a notification claiming that their trial period is over and that they will be charged a subscription fee.
In the BazaFlix campaign, tracked by researchers at ProofPoint, the messages were from BravosMovies, a fake video streaming service, saying that the trial/demo was about to end and that the user’s payment card was about to be charged for a premium plan.
The emails contain links to websites that offer a streaming or TV service, but the recipients could call a phone number provided in the emails if they want to cancel their subscription.
The attackers used movie posters and visuals from various public sources, including Behance, to make the website look legitimate.
After clicking the link to unsubscribe from BravosMovies, users are prompted to download a malicious Excel document that contains macros and installs BazarLoader.
Although the campaign used a variety of malware strains to infect users, it did not execute a second-stage payload, the researchers said.
BazarLoader was first spotted in April 2017. It is believed to have been developed by the developers of the TrickBot malware. This tool has been used by the TrickBot gang to distribute Ryuk and Conti ransomware. BazarLoader is used to avoid using the easily-detected Trojan.
The BazaCall malware delivery method was used from January to March. Attackers targeted users with various themes and tricks. While both the BazarLoader and the TrickBot were created by the same group, the call centers may be operated by a different gang, researchers say.
A security researcher Brad Duncan created a video showing how a victim can be tricked by criminals into clicking on a link in a phishing email and infecting their computer.