Security researchers from Microsoft have observed a new trick in which attackers use fraudulent call centers to get users to download the BazaLoader malware onto their Windows computers, then exfiltrate sensitive data, steal credentials, and deploy ransomware 48 hours after the initial compromise.
The campaign, named “BazaCall”, also has backdoor capabilities: BazaLoader gains hands-on-keyboard access to the compromised computer and hands control to the remote attacker.
BazaCall campaigns use various social engineering tactics and rely on direct phone communication with the victims, who are then given step-by-step instructions for installing malware on their devices.
The technique is reminiscent of vishing and tech support scams, where potential victims are cold-called by the attacker; in this case, however, victims are induced to call a number supplied by the attackers in spam email messages.
Once the call connects, victims are handled by a real human trained by the attacker, who walks them through step-by-step instructions to install the malware.
The initial stage of the BazaCall attack begins with malicious emails that contain a phone number and trick victims into calling it by claiming that their trial subscription is about to end and that their credit card will soon be charged automatically for the premium version.
To trick users, each email wave has a different theme, such as a photo editing service or a cooking and recipes website membership.
Unlike traditional phishing and spam, which contain a malicious link or attachment that the victim must click to install the payload, BazaCall tricks victims into calling the number given in the email body.
Researchers from the Microsoft 365 Defender Threat Intelligence Team observed that “Each BazaCall email is sent from a different sender, typically using free email services and likely-compromised email addresses. The lures within the email use fake business names that are similar to the names of real businesses.”
The various subject lines used by the attackers are listed below.
Once the victim initiates the call, the attackers connect them with a real human who provides step-by-step instructions for installing malware on their device.
“The call center agent then instructs the user to navigate to the account page and download a file to cancel their subscription. The file is a macro-enabled Excel document, with names such as “cancel_sub_[unique ID number].xlsb.” Note that in some instances, we observed that even if security filters such as Microsoft Defender SmartScreen are enabled, users intentionally bypass it to download the file, which indicates that the call center agent is likely instructing the user to circumvent security protocols,” Microsoft said.
The downloaded file poses as an Excel document with a fake notification that pushes users to click the button that enables editing and content (macros) in order to view the content.
Running the macro connects to a BazaLoader command-and-control (C2) server and establishes persistence; it uses rundll32.exe to run a payload retrieved from the attacker's infrastructure.
Finally, the rundll32.exe process retrieves a Cobalt Strike beacon that gives the attacker hands-on-keyboard control of the device.
With direct access, the attacker performs various operations on the infected computer, such as reconnaissance of the network and searches for local administrator and high-privilege domain administrator account information.
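The chain described above (a macro-enabled Excel lure that spawns rundll32.exe to load the next stage) is a parent-child relationship a defender can hunt for in process-creation telemetry. The following is an added example, not code from the original article or from Microsoft: a small detector run over constructed, Sysmon-style events; the field names, PIDs, paths and the `loader.dll` name are assumptions made up for the sample.

```python
import re

# Constructed process-creation events (Sysmon-like fields), not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 4101, "ppid": 900,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": r'"EXCEL.EXE" "C:\Users\jdoe\Downloads\cancel_sub_4823.xlsb"'},
    {"pid": 4122, "ppid": 4101,  # rundll32 spawned by the Excel process above
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\jdoe\AppData\Local\Temp\loader.dll,Start"},
    {"pid": 700, "ppid": 500, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 5001, "ppid": 700,  # benign: rundll32 started by explorer, not Office
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# File-name pattern quoted in the article: cancel_sub_[unique ID number].xlsb
LURE_NAME = re.compile(r"cancel_sub_\d+\.xlsb", re.IGNORECASE)


def basename(path):
    """Lower-cased final path component, tolerating either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_office_spawned_rundll32(events):
    """Return (child_pid, parent_pid, reason) for every rundll32.exe whose
    parent process is an Office application; flag the BazaCall lure name
    when the parent's command line shows it opened such a document."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if basename(e["image"]) != "rundll32.exe":
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or basename(parent["image"]) not in OFFICE_APPS:
            continue
        reason = "rundll32.exe spawned by Office process"
        if LURE_NAME.search(parent["cmdline"]):
            reason += "; parent opened BazaCall-style lure document"
        hits.append((e["pid"], parent["pid"], reason))
    return hits


if __name__ == "__main__":
    for hit in find_office_spawned_rundll32(SAMPLE_EVENTS):
        print(hit)
```

Office applications rarely have a legitimate reason to launch rundll32.exe, so the parent-child match alone is a useful hunting signal even when the lure file name changes.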