Callback Phishing Attack Tactics Evolved – Successful Attack Drops Ransomware

Trellix released a recent report on the evolution of BazarCall social engineering tactics. Initially BazarCall campaigns appeared in late 2020 and researchers at Trellix noticed a continuous growth in attacks pertaining to this campaign.

Reports say at first, it delivered BazaarLoader (backdoor) which was used as an entry point to deliver ransomware. A BazaarLoader infection will lead to the installation of Conti Ransomware in a span of 32 hours.

It was also found to be delivering other malware such as Trickbot, Gozi IFSB, IcedID and more. In this case, “BazarCall has ceaselessly adapted and evolved its social engineering tactics”. These campaigns were found to be most active in United States and Canada. They were also targeting some Asian countries like India and China.

What is BazarCall?

BazarCall begins with a phishing email but from there deviates to a novel distribution method – using phone call centers to distribute malicious Excel documents that install malware.

In BazarCall’s case, targeted users must dial the number. And when they do, the users are connected with actual humans on the other end of the line, who then provide step-by-step instructions for installing malware into their devices.

Evolution of Bazarcall Social Engineering Tactics

Trellix categorize the attack flow of the BazarCall campaigns into three phases: First through Phase 1 – The bait, where the delivery vector is a ‘fake notification email’ which tells the recipient about a charge levied on their account for purchase/renewal of a product/subscription.

It includes information like Product Name, Date, Model, etc. with a unique invoice number used by the scammer to recognize the victim.

Also, the email says that the victim can call the phone number for any queries or cancellation requests. Researchers say the information was there in the email body or as a PDF attachment.

Researchers say this campaign was seen impersonating many brands like Geek Squad, Norton, McAfee, PayPal, Microsoft etc.

In Phase 2, when the recipient calls the scam call center, manipulating the victim into downloading and running malware on their system. Recipient is requested to give the invoicing details for “verification.” After that, the scammer declares that there are no matching entries in the system and that the email the victim received was spam.

Then the customer service agent informs the victim that the spam email may have resulted in a malware infection on their machine, offering to connect them with a technical specialist.

Then, a different scammer calls the victim to assist them with the infection and directs them to a website where they download malware masqueraded as anti-virus software.

In the security software subscription renewal campaigns, the scammers claim that the security product pre-installed with the victim’s laptop expired and was automatically renewed to extend protection. Then the scammer directs the victim to a cancelation and refund portal, which is also the malware-dropping site.

In the final phase, the malware is executed and it is used to carry out financial fraud or push additional malware to the system.

Trellix mentions that the majority of these recent campaigns are pushing a ClickOnce executable named ‘support.Client.exe,’ that, when launched, installs the ScreenConnect remote access tool.

“The attacker can also show a fake lock screen and make the system inaccessible to the victim, where the attacker is able to perform tasks without the victim being aware of them,” explains Trellix.

To receive the refund, the victim is urged to log in to their bank account, where they are tricked into sending money to the scammer instead.

“This is achieved by locking the victim’s screen and initiating a transfer-out request and then unlocking the screen when the transaction requires an OTP (One Time Password) or a secondary password,” explains the Trellix report.

“The victim is also presented with a fake refund successful page to convince him into believing that they have received the refund. The scammer may also send an SMS to the victim with a fake money received message as an additional tactic to prevent the victim from suspecting any fraud.”

Trellix Email security provides reliable detection from BazarCall campaigns by preventing such emails from ever reaching your system.

Get Your Copy of Free DDoS Protection Whitepaper to learn types of DDoS Attacks