Three independent threat groups, Silent Ransom Group, Quantum, and Roy/Zeon, have adopted BazarCall (callback phishing) as their initial access vector into targeted networks. All three groups were previously part of the Conti ransomware operation.

BazarCall attack chain

The campaign is unusual in that the email itself carries no malicious payload; the chain unfolds as follows:
  • The attack starts with a benign-looking email telling the recipient that a subscription they supposedly hold has been automatically renewed and that they will be charged. The only way to cancel, the email says, is to call a phone number it provides. Because the message typically contains no link or attachment, it slips past filters that key on those.
  • When the recipient calls the number, an operator trained in social engineering talks the victim into installing remote desktop software and granting control, ostensibly to process the cancellation.
  • With control of the desktop, the threat actor quietly moves into the network, establishes persistence, and stages follow-on activity such as data exfiltration.
  • That remote session is the initial foothold; the adversary then uses it to locate and steal the organization's data for extortion.
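The defining trait of the lure above is that the phone number is the only call to action: no URL, no attachment, just a fake renewal notice and a number to call. Mail filters tuned for links and payloads miss it. The following is an added example (not code from the original article or from any vendor it mentions) of a heuristic scorer that flags such messages. The sample emails are constructed for illustration, and the term lists, weights and threshold are assumptions to be tuned against a real mail corpus.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# North American phone number with optional country code (assumed format for this example)
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Pretext vocabulary; illustrative, not a vendor signature set
RENEWAL_TERMS = ("subscription", "renew", "auto-renew", "charged", "invoice", "trial")
CANCEL_TERMS = ("cancel", "refund", "dispute", "call us", "call our", "contact our support")


@dataclass
class Verdict:
    score: int
    reasons: List[str] = field(default_factory=list)


def score_callback_lure(subject: str, body: str, attachments: int = 0) -> Verdict:
    """Score one message for callback-phishing traits. Higher = more suspicious."""
    text = f"{subject}\n{body}".lower()
    verdict = Verdict(0)

    if any(term in text for term in RENEWAL_TERMS):
        verdict.score += 2
        verdict.reasons.append("subscription/renewal pretext")

    phones = PHONE_RE.findall(body)
    if phones:
        verdict.score += 2
        verdict.reasons.append(f"phone number present ({len(phones)})")

    if any(term in text for term in CANCEL_TERMS):
        verdict.score += 1
        verdict.reasons.append("cancellation/refund call to action")

    # The BazarCall hallmark: the phone number is the *only* way to act on the message
    no_links = URL_RE.search(body) is None and attachments == 0
    if phones and no_links:
        verdict.score += 3
        verdict.reasons.append("phone is the only call to action: no links, no attachments")

    if re.search(r"\$\s?\d", body):
        verdict.score += 1
        verdict.reasons.append("dollar amount quoted")

    return verdict


def is_callback_lure(subject: str, body: str, attachments: int = 0, threshold: int = 6) -> bool:
    """Threshold of 6 is an assumption; it requires pretext + phone + phone-only to trip."""
    return score_callback_lure(subject, body, attachments).score >= threshold


# Constructed sample messages (not real campaign artifacts)
SAMPLES = {
    "renewal_lure": (
        "Your premium subscription has been renewed",
        "Thank you for renewing. Your card will be charged $389.99 for the next 12 months.\n"
        "To cancel, call our billing department at (888) 555-0142 within 24 hours.",
        0,
    ),
    "legit_invoice": (
        "Invoice #2231 from Acme",
        "Your invoice is available at https://billing.example.com/inv/2231. Amount due: $120.00.",
        0,
    ),
    "newsletter": (
        "This week in security",
        "Read our latest post at https://blog.example.com. Questions? Call our office at 415-555-0199.",
        0,
    ),
}


def classify_samples() -> Dict[str, bool]:
    """Run the scorer over the constructed samples; only the lure should be flagged."""
    return {name: is_callback_lure(s, b, a) for name, (s, b, a) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (subject, body, attachments) in SAMPLES.items():
        v = score_callback_lure(subject, body, attachments)
        print(f"{name:14s} score={v.score} flagged={v.score >= 6} reasons={v.reasons}")
```

The "phone-only" weight is deliberately the largest: a renewal notice with a link is ordinary billing mail, and a phone number on its own is ordinary signature text, but a charge notice whose sole remedy is a phone call is the BazarCall shape. In production this belongs in a mail-gateway rule or SIEM enrichment alongside sender reputation, not as a standalone verdict.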
 
Callback phishing lends itself to highly targeted attacks because the live social engineering lets the operator tailor the pitch to each victim. The groups turned to it after defenders learned to mitigate their more predictable attack patterns and ransomware profits began to fall.

Silent Ransom Group hits major firms

  • In March, the callback phishing specialists split from Conti and formed the Silent Ransom Group (SRG).
  • As Conti shut down in April, SRG targeted 94 organizations with a single aim: steal data and extort the victims.
  • High-profile organizations were among SRG's main victims, including a multimillion-dollar technology and software corporation, a major plumbing and HVAC supplier, a large IT solutions provider, a multinational weapons manufacturer, and an aerospace company.
  • The group concentrated heavily on healthcare-related businesses with annual revenues between $500,000 and $100 billion; over 40% of the victims had revenues of $1 billion or more.

Quantum and Roy/Zeon

  • Conti Team Two, the main Conti subdivision, rebranded as Quantum and launched its own version of the callback phishing campaign.
  • On June 13, researchers uncovered a large-scale BazarCall operation, called Jörmungandr, run by Quantum.
  • The actors built out the operation by hiring specialists in spamming, OSINT, design, and call center operations.
  • The Quantum ransomware operators are a highly skilled group and were responsible for the May breach of the Costa Rican government.
  • The third BazarCall group, Roy/Zeon, was observed in mid-June; it comprises former members of Conti's Team One, which developed the Ryuk operation.

Conclusion

Since callback phishing reappeared in March, it has reshaped the threat landscape, and defenders need to reevaluate how they detect and respond to phishing that carries no link or attachment. There is little doubt that these groups will keep running such operations in the near future, now that they have seen how effective weaponized social engineering is.
Cyware Publisher