X
Tech

Microsoft warns: Now attackers are using a call centre to trick you into downloading ransomware

Beware of phishing emails claiming your free trial subscription is over and that urge you to call a number to cancel it before you get slugged with monthly fees.
Written by Liam Tung, Contributing Writer

Microsoft's cybersecurity researchers are now on the hunt for BazarCall, a criminal group that's using call centers to infect PCs with malware called BazarLoader – a malware loader that's been used to distribute ransomware.   

BazarCall (or Bazacall) actors have been active since January and were notable because they used call center operators to guide victims into installing BazarLoader on to a Windows PC. 

Palo Alto Networks' Brad Duncan recently detailed the group's techniques in a blogpost. As he describes, the malware provides backdoor access to an infected Windows device: "After a client is infected, criminals use this backdoor access to send follow-up malware, scan the environment and exploit other vulnerable hosts on the network," Duncan noted. 

SEE: Security Awareness and Training policy (TechRepublic Premium)

Usually, the attack starts with phishing emails advising the victim that a trial subscription has expired and that they will be automatically charged a monthly fee unless they call a number to cancel the trial. 

The group's activity has now caught the attention of Microsoft's Security Intelligence team. 

Microsoft's focus is on the group's phishing emails that target Office 365 users. The example it shows is an email purporting to be from a tech firm claiming that the victim has downloaded a demo version that will expire in 24 hours, at which point they will be charged for the software. 

"When recipients call the number, a fraudulent call center operated by the attackers instruct them to visit a website and download an Excel file in order to cancel the service. The Excel file contains a malicious macro that downloads the payload," Microsoft Security Intelligence explain. 

Microsoft's security team has also observed the group using the Cobalt Strike penetration testing kit to steal credentials, including the Active Directory (AD) database. Cobalt Strike is frequently used for lateral movement on a network after an initial compromise. The AD theft is a big deal for the enterprise since it contains an organization's identity and credential information. 

Microsoft has published a GitHub page for publicly sharing details about the the BazarCall campaign as it tracks it. It's updating details about the phishing emails, use of Cobalt Strike for lateral movement, malicious Excel macros, Excel delivery techniques, and use of Windows NT Directory Services, or NTDS, to steal AD files. 

Editorial standards