Microsoft warning: This unusual malware attack has just added some new tricks

Microsoft ramps up warnings about an apparent low-tech attacker that's adopting more sophisticated techniques.
Written by Liam Tung, Contributing Writer

Microsoft's Security Intelligence team is once again raising an alarm about the call center phishing and malware group behind what it calls BazaCall. 

"We are tracking multiple active email campaigns that use BazarLoader to deliver a wide range of payloads. These campaigns appear disparate but share a common trait: their tactics attempt to challenge conventional email security solutions and best practices," Microsoft said in a tweet.

The 'Stolen Images' Bazarloader campaign uses fake copyright infingement contact form emails and malicious files pretending to contain "stolen images" to trick users into downloading the malware.

SEE: Malware developers turn to 'exotic' programming languages to thwart researchers

Another technique is to trick potential victims into opening emails from what they think are trusted sources.

"A recent campaign challenges the best practice of only opening emails from known contacts: it uses compromised accounts to hijack email threads and attach a Word document in a password-protected ZIP file. The doc has a macro that launches MSHTA to download BazarLoader," Microsoft said.

Microsoft first raised an alarm about BazaCall in June because of its unusual and relatively expensive techniques, which relied on phishing emails with claims about expired trial subscriptions and impending payments. 

The emails stand out because they don't include links to web pages: instead, the emails encourage potential targets to contact a call center at which point the operator provides instructions to install malware under the guise of helping to cancel the fake payment. 

The installed backdoor allows BazaCall actors to install ransomware, including but not limited to Ryuk and Conti. 

Its tactics are notable because they don't use phishing links or send malicious attachments, helping avoid traditional email filter and detection systems. 

The first point of contact is a call center operator who discusses the expiring subscription detailed in the email. The operator then recommends the victim visit a website where they can supposedly cancel the subscription to avoid future monthly fees.

"BazarLoader is a first-stage malware that allows remote attackers to gain control over an affected device, exfiltrate data, and install ransomware payloads – notably Conti. The multi-component and evasive nature of these attacks requires comprehensive protection," Microsoft notes. 

SEE: This new phishing attack is 'sneakier than usual', Microsoft warns

In a GitHub post, Microsoft outlines that the group uses copyright material as a lure. 

BazaCall is not a new threat. Security firm FireEye raised an alarm about BazarLoader in December and prior to that TrendMicro spotted a campaign spreading the BazarLoader backdoor and Ryuk ransomware.  

Editorial standards