In the past two months, security researchers have been fighting various offensive and defensive battles with the new “BazarCall” malware, which uses the call center to spread some of the most destructive Windows malware.
This new malware was discovered to be spread by the customer service center in late January, and its name is BazarCall or BazaCall, because the attackers originally used it to install the BazarLoader malware.
While spreading other malware, the researchers continued to name the spreading activity as BazarCall.
Like many malware campaigns, BazarCall started with phishing emails, but gradually developed a novel method of dissemination that uses a call center to disseminate malicious Excel files with malware installed.
BazarCall email does not bundle attachments with emails, but instead prompts the user to make a call to unsubscribe, and then automatically charges for it. These call centers will then redirect users to a customized website to download the “cancel form” for installing the BazarCall malware.
The call center uses phishing emails to launch an attack
BazarCall attacks all started with phishing emails targeted at company users, which notify the recipients that the free trial period will run out. However, these emails did not provide any detailed information about the so-called subscription.
These emails will then prompt the user to contact the listed phone number, and if you want to continue the subscription, you will need to pay a renewal fee of $69.99 to $89.99, as shown in the example BazarCall phishing email below.
Although most of the emails seen by BleepingComputer came from a fictitious company named “Medical Reminder Service Company”, these emails also used other false company names, such as “iMed Service, Inc.”, “Blue Cart Service, Inc. .” and “iMers, Inc.”.
These emails all use similar themes, such as “Thank you for using the free trial version” or “Your free trial period is about to end!” Security researcher ExecuteMalware has summarized the email themes used in this attack.
When the recipient dials the listed phone number, the line will be busy, and then when you hang up, a customer service staff will call you back. When requesting more information or how to unsubscribe, the call center agent will ask the victim to provide the unique customer ID contained in the email.
Randy Pargman, vice president of threat search and counterintelligence at Binary Defense, told BleepingComputer that this unique customer ID is a core component of the attack, and the call center uses it to determine whether the caller is the target victim.
Pargman told BleepingComputer in the conversation about BazarCall:
“When you give them a valid customer number on the phone, they will be able to identify the company that received the email. However, if you give them a wrong phone number, they will only tell you that they cancelled your order , It’s all good without sending it to the website you are logged in to.”
If the correct customer ID is provided, the call center agent will redirect the user to a fake website that will pretend to be a medical service company. The phone agent will keep in touch with the victim and direct them to a cancellation page where they will be prompted to enter the customer ID as shown below.
When the user enters their customer ID number, the website will automatically prompt the browser to download an Excel document (xls or xlsb). Then, the call center agent will help the victim to open the file, and then click the “Enable Content” button to enable the malicious macro.
In some of Pargman’s calls, the attacker will instruct him to disable anti-virus software to prevent malicious files from being detected.
When the Excel macro is enabled, the BazarCall malware will be downloaded and executed on the victim’s computer.
When the BazarCall campaign first started, it was used to spread BazarLoader malware, but it has also begun to spread TrickBot, IcedID, Gozi IFSB and other malware.
These Windows infections are particularly dangerous because they provide remote access to infected corporate networks where attackers spread laterally across the network to steal data or deploy ransomware.
Attackers use BazarLoader and Trickbot to deploy Ryuk or Conti ransomware, while IcedID has been used in the past to deploy the now-defunct Maze and Egregor ransomware infections.