Proofpoint researchers identified a BazaLoader campaign that requires significant human interaction before the BazaLoader backdoor is downloaded and installed. The threat actor staffs a call center with operators posing as customer service representatives, who talk victims through downloading and installing the malware themselves. The campaign is representative of a broader trend in which BazaLoader threat actors use call centers as one link in an intricate attack chain.

On Wednesday, Proofpoint researchers said in a report that they first observed BazaLoader in April 2020. Multiple threat actors use the downloader, which is written in C++, to load follow-on malware such as Ryuk and Conti ransomware. Proofpoint researchers also said they assess with confidence that there is a "strong overlap" between the distribution and post-exploitation activity of BazaLoader and that of the threat actors behind the Trickbot malware.

This entertainment-themed campaign was first seen in early May 2021. It masquerades as a streaming service, complete with a polished website advertising fake movies. The campaign illustrates the usual inverse relationship between the number of steps a lure demands and its infection rate: the more steps a victim has to complete, the fewer victims make it to the end of the attack chain. Counterintuitively, that same complexity is what lets this and similar campaigns slip past fully automated threat detection: the email itself carries only a phone number and a company name, and the malicious document is reached only after a phone call and several manual steps on the website.

In the recent BazaLoader campaign, the messages purport to come from a variety of senders, with subject lines such as:

Your trial period M0012064753012345 will expire soon. Fortunately, you have made the decision to stay with us!

The demo stage has expired! Your account # M0272028060812345 will automatically be transferred to the premium plan!

The emails contain phone numbers and references to a company called "BravoMovies". The messages are designed to convince the target that their credit card is about to be charged unless they cancel the subscription. If the recipient calls the number in the email, a "customer service representative" verbally guides them to the supposed company website, a convincing imitation of a movie and television streaming service.
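The traits just described (an urgency-themed subject about a trial or subscription, a fake account number, a phone number to call, and no link or attachment for a sandbox to detonate) are exactly what a mail-filtering rule can key on. The Python script below is an added example written for this page, not Proofpoint's tooling or anything taken from the campaign. It scores constructed sample emails modeled on the subject lines quoted above (the sender addresses, phone number, dollar amount and the benign message are all made up) and flags the callback-phishing pattern when enough signals line up at once.

```python
import re
from email import message_from_string

# Constructed sample messages for this example. The first is modeled on the
# subject lines quoted in the article; the account ID, addresses, phone number
# and price are invented. The second is an ordinary benign message.
SAMPLE_CALLBACK = """\
From: billing@bravo-streaming.test
To: victim@example.test
Subject: Your trial period M0012064753012345 will expire soon.

Thank you for choosing BravoMovies. From tomorrow your card will be charged
$39.99/month. To cancel, call our customer service line at 1-800-555-0199.
"""

SAMPLE_BENIGN = """\
From: alice@example.test
To: bob@example.test
Subject: Lunch tomorrow?

Want to grab lunch at noon? Here's the menu: https://example.test/menu
"""

# Subject wording seen in the quoted lures (trial/demo expiry, premium upgrade).
SUBJECT_LURES = re.compile(r"trial period|demo stage|premium plan|will expire|has expired", re.I)
# Pseudo account IDs of the form "M" + a long run of digits (the quoted ones use 16).
ACCOUNT_ID = re.compile(r"\bM\d{12,18}\b")
# North American phone number, guarded so a long account-ID digit run does not match.
PHONE = re.compile(r"(?<!\w)(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}(?!\w)")
URL = re.compile(r"https?://|www\.", re.I)


def body_text(msg):
    """Return the concatenated text/plain content of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            chunks.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    return "\n".join(chunks)


def score_callback_phish(raw_email):
    """Evaluate each callback-phishing signal and return them as a dict of booleans."""
    msg = message_from_string(raw_email)
    subject = msg.get("Subject", "")
    body = body_text(msg)
    return {
        "subject_lure": bool(SUBJECT_LURES.search(subject)),
        "account_id": bool(ACCOUNT_ID.search(subject + "\n" + body)),
        "phone_number": bool(PHONE.search(body)),
        # The lure wants a phone call, not a click: no URL and no attachment.
        "no_url": not URL.search(body),
        "no_attachment": not any(p.get_filename() for p in msg.walk()),
    }


def is_callback_phish(raw_email, threshold=4):
    """Flag the message when at least `threshold` of the five signals are present."""
    return sum(score_callback_phish(raw_email).values()) >= threshold


if __name__ == "__main__":
    for name, sample in (("callback", SAMPLE_CALLBACK), ("benign", SAMPLE_BENIGN)):
        print(name, score_callback_phish(sample), "->", is_callback_phish(sample))
```

The threshold matters: a benign newsletter can legitimately mention a phone number and carry no link, so no single signal should block mail on its own. The combination of an expiry-themed subject, a synthetic account number and a "call us to cancel" body with nothing clickable is what distinguishes this lure from ordinary billing notices.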

When the user visits the site, navigates to its Frequently Asked Questions section and follows the instructions to unsubscribe through the "Subscription" page, they are directed to download an Excel spreadsheet, the document that delivers BazaLoader. This is not the first time Proofpoint has seen elaborately composed BazaLoader email campaigns that required significant human interaction, including a phone call with a live "customer service representative", to trigger the malware download.
