Monday, December 4, 2023

Callback Phishing Attack Tactics Evolved – Successful Attack Drops Ransomware

Trellix released a recent report on the evolution of BazarCall social engineering tactics. Initially BazarCall campaigns appeared in late 2020 and researchers at Trellix noticed a continuous growth in attacks pertaining to this campaign.

Reports say at first, it delivered BazaarLoader (backdoor) which was used as an entry point to deliver ransomware. A BazaarLoader infection will lead to the installation of Conti Ransomware in a span of 32 hours.

It was also found to be delivering other malware such as Trickbot, Gozi IFSB, IcedID and more. In this case, “BazarCall has ceaselessly adapted and evolved its social engineering tactics”. These campaigns were found to be most active in United States and Canada. They were also targeting some Asian countries like India and China.

What is BazarCall?

BazarCall begins with a phishing email but from there deviates to a novel distribution method – using phone call centers to distribute malicious Excel documents that install malware.

In BazarCall’s case, targeted users must dial the number. And when they do, the users are connected with actual humans on the other end of the line, who then provide step-by-step instructions for installing malware into their devices.

Figure. 1: Attack Chain
Attack Chain

Evolution of Bazarcall Social Engineering Tactics

Trellix categorize the attack flow of the BazarCall campaigns into three phases: First through Phase 1 – The bait, where the delivery vector is a ‘fake notification email’ which tells the recipient about a charge levied on their account for purchase/renewal of a product/subscription.

It includes information like Product Name, Date, Model, etc. with a unique invoice number used by the scammer to recognize the victim.

Also, the email says that the victim can call the phone number for any queries or cancellation requests. Researchers say the information was there in the email body or as a PDF attachment.

Figure. 2: Sample emails
Sample Emails

Researchers say this campaign was seen impersonating many brands like Geek Squad, Norton, McAfee, PayPal, Microsoft etc.

In Phase 2, when the recipient calls the scam call center, manipulating the victim into downloading and running malware on their system. Recipient is requested to give the invoicing details for “verification.” After that, the scammer declares that there are no matching entries in the system and that the email the victim received was spam.

Then the customer service agent informs the victim that the spam email may have resulted in a malware infection on their machine, offering to connect them with a technical specialist.

Then, a different scammer calls the victim to assist them with the infection and directs them to a website where they download malware masqueraded as anti-virus software.

Various websites used in the recent BazarCall campaigns
Various websites used in the recent BazarCall campaigns

In the security software subscription renewal campaigns, the scammers claim that the security product pre-installed with the victim’s laptop expired and was automatically renewed to extend protection. Then the scammer directs the victim to a cancelation and refund portal, which is also the malware-dropping site.

In the final phase, the malware is executed and it is used to carry out financial fraud or push additional malware to the system.

Trellix mentions that the majority of these recent campaigns are pushing a ClickOnce executable named ‘support.Client.exe,’ that, when launched, installs the ScreenConnect remote access tool.

“The attacker can also show a fake lock screen and make the system inaccessible to the victim, where the attacker is able to perform tasks without the victim being aware of them,” explains Trellix.

To receive the refund, the victim is urged to log in to their bank account, where they are tricked into sending money to the scammer instead.

“This is achieved by locking the victim’s screen and initiating a transfer-out request and then unlocking the screen when the transaction requires an OTP (One Time Password) or a secondary password,” explains the Trellix report.

“The victim is also presented with a fake refund successful page to convince him into believing that they have received the refund. The scammer may also send an SMS to the victim with a fake money received message as an additional tactic to prevent the victim from suspecting any fraud.”

Trellix Email security provides reliable detection from BazarCall campaigns by preventing such emails from ever reaching your system.

Get Your Copy of Free DDoS Protection Whitepaper to learn types of DDoS Attacks


Latest articles

Active Attacks Targeting Google Chrome & ownCloud Flaws: CISA Warns

The CISA announced two known exploited vulnerabilities active attacks targeting Google Chrome & own...

Cactus Ransomware Exploiting Qlik Sense code execution Vulnerability

A new Cactus Ransomware was exploited in the code execution vulnerability to Qlik Sense...

Hackers Bypass Antivirus with ScrubCrypt Tool to Install RedLine Malware

The ScrubCrypt obfuscation tool has been discovered to be utilized in attacks to disseminate the RedLine Stealer...

Hotel’s Hacked Logins Let Attacker Steal Guest Credit Cards

According to a recent report by Secureworks, a well-planned and advanced phishing attack was...

Critical Zoom Vulnerability Let Attackers Take Over Meetings

Zoom, the most widely used video conferencing platform has been discovered with a critical...

Hackers Using Weaponized Invoice to Deliver LUMMA Malware

Hackers use weaponized invoices to exploit trust in financial transactions, embedding malware or malicious...

US-Seized Crypto Currency Mixer Used by North Korean Lazarus Hackers

The U.S. Treasury Department sanctioned the famous cryptocurrency mixer Sinbad after it was claimed...

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles