Beware of phishing emails claiming your free trial subscription is over and that urge you to call a number to cancel it before you get slugged with monthly fees. Microsoft’s cybersecurity researchers are now on the hunt for BazarCall, a criminal group that’s using call centers to infect PCs with malware called BazarLoader and BazarBackdoor – a malware loader that’s been used to distribute payloads that ultimately lead to company-wide ransomware. BazarCall (or Bazacall) actors have been active since January according to Microsoft, and were notable because they used call center operators to guide victims into installing BazarLoader onto a Windows PC. Palo Alto Networks’ Brad Duncan recently detailed the group’s techniques in a blog post. As he describes, the malware provides backdoor access to an infected Windows device: “After a client is infected, criminals use this backdoor access to send follow-up malware, scan the environment and exploit other vulnerable hosts on the network,” Duncan noted. Usually, the attack starts with phishing emails advising the victim that a trial subscription has expired and that they will be automatically charged a monthly fee unless they call a number to cancel the trial. “When recipients call the number, a fraudulent call center operated by the attackers instructs them to visit a website and download an Excel file to cancel the service. The Excel file contains a malicious macro that downloads the payload,” Microsoft Security Intelligence explains.
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense Russia’s invasion of Ukraine increased