Targeted phishing using call center malware distribution by BazarLoader

BazarLoader malware
BazarLoader is a Windows malware loader delivered through targeted phishing that abuses an organization's own contact details. Once installed, it gives the attackers a backdoor into the network, from which they can access and exploit further security weaknesses.
How a BazarLoader attack happens
BazarLoader attacks typically begin as ordinary-looking phishing emails. BazarCall emails carry no attachments and no malicious links. The subject lines and body text are carefully worded to make users believe they must cancel a (usually non-existent) subscription before it is automatically charged, and the email provides a call center phone number for cancelling. When a user calls that number, they are placed on hold for a while, then an agent greets them and asks for their unique identification number. This number matters to the attackers because it lets the agent confirm that the caller is the person they were targeting. If the identification number is the correct one, the call center agent redirects the user to a specific website to download a "cancellation form". This is usually an Excel sheet that installs BazarLoader by running malicious scripts when the user clicks the "Enable Content" button in Excel.
BazarLoader emails:
BazarLoader emails use subject lines about an expiring free trial or subscription to trick users into making a call. Typical subject lines include:
  1. Do you want to extend your free period ###########?
  2. Do you want to extend your free trial ###########?
  3. Free period for ############ will come to the end in 3 days
  4. Free trial period for ############ ends in three days
  5. Free trial period for ############ will end in 3 days
  6. Your free period ########### is about to end!
  7. Your free trial ########### is about to end!

The email also contains a call center number and a unique user identification number specific to the recipient and/or the company they work for. The call center agent verifies the identification number from the email before redirecting the user to download further malicious documents. Because these well-crafted emails contain no links or attachments, they blend in with everyday email traffic and are difficult for email filters to catch.
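The combination described above (a trial-expiry subject line, a phone number, a recipient-specific ID, and no link or attachment) can be turned into a simple mail-flow heuristic. The following is an added example written for this article, not code from the original page or from SecurityAdvisor; the regexes, the sample messages and the scoring threshold are my own assumptions, and the North-American phone format is just one possibility.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Subject-line lures listed on this page ("free trial/period ... ends / extend"),
# generalised into two patterns that must both match.
SUBJECT_TRIAL = re.compile(r"\bfree\s+(?:trial|period)\b", re.IGNORECASE)
SUBJECT_ENDING = re.compile(r"\b(?:extend|end(?:s|ing)?|expir(?:es|ing|ation))\b", re.IGNORECASE)
# Call-center number (assumed North-American format, separators required so a
# long identification number is not mistaken for a phone number).
PHONE = re.compile(r"\b\d{3}[\s.-]\d{3}[\s.-]\d{4}\b")
# Recipient-specific identification number: assumed to be 8 or more digits.
UNIQUE_ID = re.compile(r"\b\d{8,}\b")
URL = re.compile(r"\bhttps?://|\bwww\.", re.IGNORECASE)


@dataclass
class Email:
    subject: str
    body: str
    attachments: int = 0


def bazarcall_indicators(mail: Email) -> list[str]:
    """Return the BazarCall lure indicators present in a single email."""
    hits = []
    if SUBJECT_TRIAL.search(mail.subject) and SUBJECT_ENDING.search(mail.subject):
        hits.append("subject_lure")
    if PHONE.search(mail.body):
        hits.append("phone_number")
    if UNIQUE_ID.search(mail.body):
        hits.append("unique_id")
    # The lure carries no attachment or link, which is exactly what lets it past
    # filters keyed on those; "call us instead" with no payload is itself a signal.
    if mail.attachments == 0 and not URL.search(mail.body):
        hits.append("no_link_or_attachment")
    return hits


def is_bazarcall_lure(mail: Email) -> bool:
    """Flag only when the subject lure is paired with a phone number and at least
    one further indicator, so an ordinary trial reminder is not flagged."""
    hits = bazarcall_indicators(mail)
    return "subject_lure" in hits and "phone_number" in hits and len(hits) >= 3


# Constructed sample messages (not real campaign emails).
SAMPLES = [
    Email("Free trial period for MediaPlus ends in three days",
          "To cancel before you are charged, call 800-555-0133 and quote ID 4471902385."),
    Email("Do you want to extend your free trial?",
          "Renew at https://www.example.com/renew before your trial ends."),
    Email("Your invoice for March", "Thank you for your payment.", attachments=1),
]
```

The second sample shows why the subject line alone is not enough: a legitimate renewal reminder shares the wording but points to a link rather than a phone number.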
[Figure: a BazarLoader email (image not reproduced)]

[Figure: the malicious BazarLoader Excel sheet (image not reproduced)]

Victims of BazarLoader attacks
Experts have also observed that when the BazarLoader scripts execute, they download additional malware such as TrickBot. BazarCall campaigns mostly target users with commercial email accounts, with the goal of handing access to ransomware operators.

SecurityAdvisor Employee Tips:
  1. Always be vigilant when responding to an unknown email.
  2. Do not download any documents or executable files at the instruction of an email or call center.
  3. Do not blindly follow instructions in an email or document that asks you to enable (or disable) specific applications or operating system settings.
  4. Be cautious of emails with attention-grabbing subjects such as subscription expiration, free gifts, etc.
