New BazarCall Movie-Themed Campaign Pushes BazarLoader Malware

Researchers have found a new BazarCall email phishing campaign that manages to bypass automated threat detection systems to deliver malware used by the TrickBot gang. A new wave of BazarCall emails was spotted at the beginning of May, pretending to be a notification about a payment card charge for a continued subscription to an online movie streaming service.

BazarCall is a phishing method in use since the beginning of this year that relies on call centers to direct users, over a phone call, to visit a website and download malware-laced documents. The attack relies heavily on social engineering and user interaction, starting with a notification that a trial period for a service is ending and that the subscription is about to be charged.

In the recent campaign caught by researchers at Proofpoint and Binary Defense, the messages purported to be from a streaming entertainment service announcing that the trial/demo is about to expire and that the recipient’s payment card is about to be charged for a premium plan. The emails come with a phone number that recipients can call to cancel the subscription. However, the directions received from the other end of the line point to the website of a fake streaming and TV service called “BravoMovies” from a company called UrbanCinema. For this reason, Proofpoint uses the name BazaFlix to track this campaign.

The researchers say that the website looks realistic enough, using movie posters from various public sources, “including an advertising agency, the creative social network Behance, and the book ‘How to Steal a Dog.’” Following the instructions to unsubscribe from the BravoMovies streaming service, users are led to download a malicious Excel document with macros that install BazarLoader malware.

The BazarCall malware delivery method started being used in late January and has continued through the present. Although the technique remains the same, the threat actors have used various themes to trap victims. Previous campaigns lured victims with fake subscriptions associated with companies in the pharmaceutical, flower, lingerie, medical, or antivirus businesses. While both BazarLoader and TrickBot are believed to be created by the same group, the call centers may be operated by a different gang that rents its services out for malware distribution. To show what happens when an unsuspecting BazarCall victim calls the phone number in the phishing email, security researcher Brad Duncan shared a video of the dialog with the threat actor’s call center.

Analyst Notes

If someone receives an email with an unknown subscription service, the email should be treated as suspicious even though it does not contain any URLs or file attachments. Malware operators will use any tactic they can to trick users into downloading their viruses. It is also advised to keep all anti-virus systems up to date through automatic updates and checking for updates manually. It’s important to monitor Endpoint Detection and Response (EDR) tools for suspicious process behavior that anti-virus doesn’t catch. Binary Defense threat researchers noted that most of the malware delivered by BazarCall campaigns had nearly zero anti-virus detections on the day it was distributed, but the process call chain and the behaviors of the loaded malware were suspicious enough to set off alarms in EDR systems.
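The analyst notes above point at the process call chain as the signal EDR caught: an Excel macro has to spawn something to install the loader. The following is an added example, not code from the original post or from Binary Defense, that walks constructed EDR-style process-creation events and flags script or system utilities whose ancestry includes an Office application; the Office parent and suspicious child lists are assumptions, not indicators from this campaign.

```python
"""Flag suspicious child processes whose ancestry includes an Office app.

Added example (not from the original post). The events below are
constructed sample data; the parent/child name lists are assumptions.
"""

# Assumed lists: Office document handlers and utilities a macro commonly spawns.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe"}

SAMPLE_EVENTS = [  # constructed EDR process-creation events: pid, parent pid, image path
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Google\Chrome\chrome.exe"},
    {"pid": 300, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"pid": 310, "ppid": 300, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 320, "ppid": 310, "image": r"C:\Windows\System32\rundll32.exe"},
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe"},  # user-opened shell, benign
]

def image_name(path):
    """Lower-cased file name of an image path (accepts \\ or / separators)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def process_chain(pid, by_pid, max_depth=8):
    """Walk parent links upward from pid; return image names root-first.
    Stops on an unknown parent, a cycle, or max_depth to stay bounded."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen and len(chain) < max_depth:
        seen.add(pid)
        chain.append(image_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))

def find_office_spawned(events):
    """Return (pid, 'root > ... > child') for each suspicious process that
    has an Office application anywhere in its ancestry."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if image_name(e["image"]) not in SUSPICIOUS_CHILDREN:
            continue
        chain = process_chain(e["pid"], by_pid)
        if any(ancestor in OFFICE_PARENTS for ancestor in chain[:-1]):
            alerts.append((e["pid"], " > ".join(chain)))
    return alerts

if __name__ == "__main__":
    for pid, chain in find_office_spawned(SAMPLE_EVENTS):
        print(f"ALERT pid={pid}: {chain}")
```

The benign cmd.exe launched from Explorer (pid 400) produces no alert, while both the cmd.exe spawned by Excel and the rundll32.exe spawned from it are flagged with their full chain.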
