Cybercriminals are now using a telephone call as a novel technique to infect their target systems. Since January, security researchers have identified a new malware distribution campaign named BazarCall. This malware is a RAT that can control infected users' PCs and has some new tricks under its sleeves.
The BazarCall campaign
The operators behind BazarCall malware are simply spreading this threat using a phone call. It is the first time when such a tactic has been used on a large scale by a malware distributor.
- The attack starts with a phishing email notifying the victim about a free trial subscription for a medical service. Further, the email states about service expiration, after which they will be charged monthly.
- The emails then ask the victim to call a listed phone number to cancel the subscription before its renewal. The victims may receive several messages thanking them or talking about extending a free trial.
- Once victims call the number, they are connected to a call center operator who would ask for the details about the issue. A phone agent then asks the victim for a unique customer ID included in the email.
- The victims are then redirected to the cancellation page that asks to enter customer ID. However, it prompts victims to download Excel or Word files and enable macro, which eventually distributes BazarLoader malware.
BazarCall allows its operators to remotely access corporate networks where they can move laterally through the network. Consequently, they can steal sensitive information or install ransomware.
- In the beginning, the BazarCall campaign was spreading IcedID, BazarLoader, Gozi IFSB, TrickBot, and other malware.
- Even though attackers were forced (by several security agencies) to change their phone numbers and hosting sites, it has not affected the malware distribution success.
Users need to understand that opening any attached document and enabling macros is one of the quickest ways of falling prey to malware. Therefore, even when users subscribe to free trials for online services, it is recommended to stay alert while taking instructions from call center operators who may ask to download potentially malicious documents or applications on their system.