Beware!! Phone Call Centers Trick Windows Users to Install Malware For Data Exfiltration & Credential Theft

Security researchers from Microsoft observed a new tricks users by attackers to download the BazaLoader malware on windows Users computers through fraudulent call centers, and exfiltrate the sensitive data, credential theft and install the ransomware after 48 hours from the time of initial compromise.

The campaign named “BazaCall” also comes with backdoor capabilities, and the Bazaloader gains keyboard access from the compromised computer and gives control to the remote attacker.

BazaCall campaigns using various social engineering tactics and direct phone communications are required to who then provide step-by-step instructions for installing malware into victims’ devices.

The technique is reminiscent of vishing and tech support scams where potential victims are being cold-called by the attacker, in this case victims are forged to make a call to the number that was given by the attackers over spam emails messages.

Once the call gets connected, victims are handled by the real human who is trained by the attacker, and let them provide a step by step instructions to install malware.

Malicious links and attachments

The initial stage of the BazaCall campaign attack begins with the malicious emails that contain a phone number, and trick the victims to make a call to the number by claiming that the victims subscription are going to end for the trial version, and soon the credit card will be charged automatically for the premium version.

To trick users, each email waves have a different theme such as a photo editing service or a cooking and recipes website membership.

Unlike traditional phishing and spam that contains a malicious link or attachment that needs to be clicked by the victims to install the payload, BazaCall tricks the victims to make a call to the number given in the mail content.

Researchers from Microsoft 365 Defender Threat Intelligence Team observed that “Each BazaCall email is sent from a different sender, typically using free email services and likely-compromised email addresses. The lures within the email use fake business names that are similar to the names of real businesses.”

Attackers using various subject lines are listed below.

• Soon you’ll be moved to the Premium membership, as the demo period is ending. Personal ID: KT[unique ID number]
• Automated premium membership renewal notice GW[unique ID number]
• Your demo stage is nearly ended. Your user account number VC[unique ID number]. All set to continue?
• Notification of an abandoned road accident site! Must to get hold of a manager! [body of email contains unique ID number]
• Thanks for deciding to become a member of BooyaFitness. Fitness program was never simpler before [body of email contains unique ID number]
• Your free period is almost ended. Your member’s account number VC[unique ID number]. Ready to move forward?
• Many thanks for choosing WinRAR. You need to check out the information about your licenses [body of email contains unique ID number]

Once the victims successfully initiated the call, Attackers connect a call with real human and provide step-by-step instructions for installing malware into their devices.

“The call center agent then instructs the user to navigate to the account page and download a file to cancel their subscription. The file is a macro-enabled Excel document, with names such as “cancel_sub_[unique ID number].xlsb.” Note that in some instances, we observed that even if security filters such as Microsoft Defender SmartScreen are enabled, users intentionally bypass it to download the file, which indicates that the call center agent is likely instructing the user to circumvent security protocols” Microsoft said.

The initial Download files was posed as an Excel file with some fake notification force users to click on the button that enables editing and content (macros) to view the content.

Further operation leads to connect to a BazaLoader command-and-control (C2) and establish persistence, and it utilizes the payload called rundll32.exe that was retrieved from the attacker infrastructure.

Finally,  rundll32.exe process retrieves a Cobalt Strike beacon that enables the attacker to have hands-on-keyboard control of the device. 

Since the attacker gained direct access, they will perform various operations in the infected computers such as reconnaissance on the network and searches for local administrators and high-privilege domain administrator account information.