Ransomware operators are spreading BazaCall malware by tricking people into phoning fraudulent call centres and speaking with real humans, who provide step-by-step instructions on how to download a payload.
Attacks from BazaCall operators can move rapidly within a network, with hackers able to conduct extensive data exfiltration and credential theft, Microsoft has warned. They can even distribute ransomware within 48 hours of the initial compromise.
Apart from having backdoor capabilities, the BazaLoader payload also gives a remote attacker hands-on keyboard control for an affected user’s device.
“Our continued investigation into BazaCall campaigns, those that use fraudulent call [centres] that trick unsuspecting users into downloading the BazaLoader malware, shows that this threat is more dangerous than what’s been discussed publicly in other security blogs and covered by the media,” said the Microsoft 365 Defender Threat Intelligence Team.
“BazaCall campaigns forgo malicious links or attachments in email messages in [favour] of phone numbers that recipients are misled into calling. It’s a technique reminiscent of vishing and tech support scams where potential victims are being cold-called by the attacker, except in BazaCall’s case, targeted users must dial the number.”
When users are tricked into calling the number, they’re connected with actual humans on the other end of the line, who provide detailed guidance for installing malware on their devices.
The campaign relies on direct phone communication, as well as sophisticated social engineering tactics to succeed, but the tactic is proving difficult to prevent given the lack of obvious malicious techniques.
It starts with an email that uses various social engineering lures to trick victims into calling a number. This might include informing users about a trial that’s about to expire and that their card is set to be charged, asking them to phone the number provided in case they have any concerns. There are no attachments, links, or any other type of malicious call to action that would be spotted by a security filter.
Each message is sent from a different sender, normally through a free email service and compromised email addresses, with lures including fake business names that are similar to real companies.
Victims who do call the number will speak to a real person from a fraudulent call centre, whose aim is to direct the caller to visit a malicious website, disguised as a legitimate one. They’re asked to navigate to a page and download a file to cancel their subscription.
These files are macro-enabled Excel documents, which might be flagged by Microsoft Defender SmartScreen, although Microsoft has observed users bypassing these warnings to download the files anyway, likely at the instruction of the hacker. Users are then prompted to enable editing, and enable macros, which triggers the BazaLoader malware to be delivered.
“The BazaCall campaign replaces links and attachments with phone numbers in the emails it sends out, posing challenges in detection, especially by traditional antispam and anti-phishing solutions that check for those malicious indicators,” the research team added.
“The lack of typical malicious elements in BazaCall’s emails and the speed with which their operators can conduct an attack exemplify the increasingly complex and evasive threats that [organisations] face today.”
