Wednesday, December 18, 2024

Callback Phishing Attack Tactics Evolved – Successful Attack Drops Ransomware


Trellix released a recent report on the evolution of BazarCall social engineering tactics. BazarCall campaigns first appeared in late 2020, and researchers at Trellix have observed continuous growth in attacks tied to this campaign.

Reports say that at first it delivered BazarLoader (a backdoor), which was used as an entry point for ransomware: a BazarLoader infection led to the installation of Conti ransomware within a span of 32 hours.

It was also found delivering other malware such as TrickBot, Gozi ISFB, IcedID and more. As Trellix puts it, “BazarCall has ceaselessly adapted and evolved its social engineering tactics”. These campaigns were most active in the United States and Canada, and also targeted some Asian countries such as India and China.


What is BazarCall?

BazarCall begins with a phishing email but from there deviates to a novel distribution method – using phone call centers to distribute malicious Excel documents that install malware.

In BazarCall’s case, targeted users must dial the number themselves. When they do, they are connected to real humans on the other end of the line, who then give step-by-step instructions for installing malware on their devices.

Figure 1: Attack Chain

Evolution of Bazarcall Social Engineering Tactics

Trellix categorizes the attack flow of the BazarCall campaigns into three phases. In Phase 1, the bait, the delivery vector is a ‘fake notification email’ telling the recipient about a charge levied on their account for the purchase or renewal of a product or subscription.

It includes details such as product name, date and model, along with a unique invoice number that the scammer uses to identify the victim.

The email also says that the victim can call a phone number for any queries or cancellation requests. Researchers say this information appeared either in the email body or in a PDF attachment.

Figure 2: Sample emails

Researchers say this campaign was seen impersonating many brands, including Geek Squad, Norton, McAfee, PayPal and Microsoft.
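The Phase 1 lure has a recognisable shape: an impersonated brand, charge/renewal wording, an invoice number and a phone number to call, with no link to click. The triage heuristic below is an added example (not Trellix code) that scores an email on those traits; the keyword lists, regexes and threshold are assumptions, and the two messages are constructed samples.

```python
import re
from dataclasses import dataclass, field

# Brands named in the report; keyword list and regexes are assumptions for triage.
IMPERSONATED_BRANDS = ("geek squad", "norton", "mcafee", "paypal", "microsoft")
CHARGE_WORDS = ("charged", "renewed", "renewal", "invoice", "subscription", "purchase")
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
INVOICE_RE = re.compile(r"\binvoice\s*(?:no\.?|number|#)?\s*[:#]?\s*[A-Z0-9][A-Z0-9-]{5,}\b", re.I)
URL_RE = re.compile(r"https?://\S+", re.I)

@dataclass
class LureVerdict:
    score: int
    reasons: list = field(default_factory=list)

def score_callback_lure(subject: str, body: str, has_pdf: bool = False) -> LureVerdict:
    """Count the callback-phishing traits present; higher means more lure-like."""
    text = f"{subject}\n{body}"
    lower = text.lower()
    reasons = []
    if any(b in lower for b in IMPERSONATED_BRANDS):
        reasons.append("impersonated brand")
    if any(w in lower for w in CHARGE_WORDS):
        reasons.append("charge/renewal wording")
    if INVOICE_RE.search(text):
        reasons.append("invoice number")
    if PHONE_RE.search(text):
        reasons.append("callback phone number")
        # Callback lures push the victim to the phone: a number with no link is itself a signal.
        if not URL_RE.search(text):
            reasons.append("no link, phone is the only action")
    if has_pdf and len(lower) < 200:
        reasons.append("short body with PDF attachment")  # invoice details moved into a PDF
    return LureVerdict(score=len(reasons), reasons=reasons)

def is_callback_lure(subject: str, body: str, has_pdf: bool = False, threshold: int = 4) -> bool:
    """Triage decision for routing to analyst review; a score, not proof of fraud."""
    return score_callback_lure(subject, body, has_pdf).score >= threshold

# Constructed samples, not real messages.
LURE_SUBJECT = "Your Norton subscription has been renewed"
LURE_BODY = ("Dear customer, your account has been charged $349.99 for renewal of Norton 360. "
             "Invoice No: NRT-7731XQ2. For any queries or cancellation call +1 (888) 555-0142.")
BENIGN_SUBJECT = "Lunch Friday?"
BENIGN_BODY = "Want to grab lunch Friday at noon? Call me at 555-0123 if plans change."

if __name__ == "__main__":
    print(score_callback_lure(LURE_SUBJECT, LURE_BODY))
    print(is_callback_lure(BENIGN_SUBJECT, BENIGN_BODY))
```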

In Phase 2, the recipient calls the scam call center, whose operators manipulate the victim into downloading and running malware on their system. The recipient is asked to provide the invoice details for “verification.” The scammer then declares that there are no matching entries in the system and that the email the victim received was spam.

The fake customer service agent then tells the victim that the spam email may have infected their machine with malware and offers to connect them with a technical specialist.

A different scammer then calls the victim to help with the “infection” and directs them to a website where they download malware masquerading as anti-virus software.

Figure: Various websites used in the recent BazarCall campaigns

In the security software subscription renewal campaigns, the scammers claim that the security product pre-installed on the victim’s laptop has expired and was automatically renewed to extend protection. The scammer then directs the victim to a cancellation and refund portal, which is also the malware-dropping site.

In the final phase, the malware is executed and it is used to carry out financial fraud or push additional malware to the system.

Trellix notes that the majority of these recent campaigns push a ClickOnce executable named ‘support.Client.exe’ which, when launched, installs the ScreenConnect remote access tool.
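On the endpoint, the step just described leaves a correlatable trace: a ClickOnce launch of support.Client.exe followed shortly by a ScreenConnect client process on the same host. The detector below is an added example (not Trellix code) run over constructed process-creation events; the ClickOnce cache path, the dfsvc.exe parent, the ScreenConnect binary names and the ten-minute window are assumptions, not values from the report.

```python
from datetime import datetime, timedelta

# Assumptions: ClickOnce apps run from the %LOCALAPPDATA%\Apps\2.0\ cache and are
# started by dfsvc.exe; the ScreenConnect client binary names are the vendor's usual ones.
CLICKONCE_HINTS = ("\\apps\\2.0\\", "dfsvc.exe")
LURE_BINARY = "support.client.exe"  # named in the Trellix report
SCREENCONNECT = ("screenconnect.clientservice.exe", "screenconnect.windowsclient.exe")
WINDOW = timedelta(minutes=10)

def _is_clickonce_lure(ev):
    img, parent = ev["image"].lower(), ev["parent"].lower()
    return img.endswith(LURE_BINARY) and any(h in img or h in parent for h in CLICKONCE_HINTS)

def detect_bazarcall_rat_drop(events):
    """Return (host, user, lure_ts, screenconnect_image) for each host where
    support.Client.exe ran via ClickOnce and a ScreenConnect client process
    appeared within WINDOW afterwards."""
    pending, hits = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        host = ev["host"]
        if _is_clickonce_lure(ev):
            pending[host] = ev  # remember the lure launch, wait for the RAT
            continue
        name = ev["image"].lower().rsplit("\\", 1)[-1]
        if name in SCREENCONNECT and host in pending:
            lure = pending.pop(host)
            if ev["ts"] - lure["ts"] <= WINDOW:
                hits.append((host, lure["user"], lure["ts"], ev["image"]))
    return hits

def _ev(host, user, hh, mm, image, parent):
    return {"host": host, "user": user, "ts": datetime(2024, 12, 18, hh, mm),
            "image": image, "parent": parent}

DFSVC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
SC_SVC = r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3)\ScreenConnect.ClientService.exe"
SERVICES = r"C:\Windows\System32\services.exe"
# Constructed sample telemetry (not real logs): WS01 matches the chain, WS02 is a
# legitimate ScreenConnect install with no lure, WS03 falls outside the time window.
SAMPLE = [
    _ev("WS01", "alice", 10, 0, r"C:\Users\alice\AppData\Local\Apps\2.0\K3M1\support.Client.exe", DFSVC),
    _ev("WS01", "alice", 10, 2, SC_SVC, SERVICES),
    _ev("WS02", "bob", 11, 0, SC_SVC, SERVICES),
    _ev("WS03", "carol", 12, 0, r"C:\Users\carol\AppData\Local\Apps\2.0\P9Q2\support.Client.exe", DFSVC),
    _ev("WS03", "carol", 12, 30, SC_SVC, SERVICES),
]

if __name__ == "__main__":
    for hit in detect_bazarcall_rat_drop(SAMPLE):
        print("ALERT callback-phishing RAT drop:", hit)
```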

“The attacker can also show a fake lock screen and make the system inaccessible to the victim, where the attacker is able to perform tasks without the victim being aware of them,” explains Trellix.

To receive the refund, the victim is urged to log in to their bank account, where they are tricked into sending money to the scammer instead.

“This is achieved by locking the victim’s screen and initiating a transfer-out request and then unlocking the screen when the transaction requires an OTP (One Time Password) or a secondary password,” explains the Trellix report.

“The victim is also presented with a fake refund successful page to convince him into believing that they have received the refund. The scammer may also send an SMS to the victim with a fake money received message as an additional tactic to prevent the victim from suspecting any fraud.”

Trellix Email Security provides reliable detection of BazarCall campaigns by preventing such emails from ever reaching your system.


Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
