Microsoft warns of dangerous ‘BazaCall’ call centre ransomware scam

Human operators are tricking victims into manually downloading malware onto their systems

Ransomware operators are spreading BazaCall malware by tricking people into phoning fraudulent call centres and speaking with real humans, who provide step-by-step instructions on how to download a payload.

Attacks from BazaCall operators can move rapidly within a network, with hackers able to conduct extensive data exfiltration and credential theft, Microsoft has warned. They can even distribute ransomware within 48 hours of the initial compromise.

Apart from having backdoor capabilities, the BazaLoader payload also gives a remote attacker hands-on keyboard control for an affected user’s device.

“Our continued investigation into BazaCall campaigns, those that use fraudulent call [centres] that trick unsuspecting users into downloading the BazaLoader malware, shows that this threat is more dangerous than what’s been discussed publicly in other security blogs and covered by the media,” said the Microsoft 365 Defender Threat Intelligence Team.

“BazaCall campaigns forgo malicious links or attachments in email messages in [favour] of phone numbers that recipients are misled into calling. It’s a technique reminiscent of vishing and tech support scams where potential victims are being cold-called by the attacker, except in BazaCall’s case, targeted users must dial the number.”

When users are tricked into calling the number, they’re connected with actual humans on the other end of the line, who provide detailed guidance for installing malware on their devices.

The campaign relies on direct phone communication, as well as sophisticated social engineering tactics to succeed, but the tactic is proving difficult to prevent given the lack of obvious malicious techniques.

It starts with an email that uses various social engineering lures to trick victims into calling a number. This might include informing users about a trial that’s about to expire and that their card is set to be charged, asking them to phone the number provided in case they have any concerns. There are no attachments, links, or any other type of malicious call to action that would be spotted by a security filter.

Each message is sent from a different sender, normally through a free email service and compromised email addresses, with lures including fake business names that are similar to real companies.

Victims who do call the number will speak to a real person from a fraudulent call centre, whose aim is to direct the caller to visit a malicious website, disguised as a legitimate one. They’re asked to navigate to a page and download a file to cancel their subscription.

Related Resource

Employees behaving badly?

Why awareness training matters

Why awareness training matters - whitepaper from MimecastDownload now

These files are macro-enabled Excel documents, which might be flagged by Microsoft Defender SmartScreen, although Microsoft has observed users bypassing these warnings to download the files anyway, likely at the instruction of the hacker. Users are then prompted to enable editing, and enable macros, which triggers the BazaLoader malware to be delivered.

“The BazaCall campaign replaces links and attachments with phone numbers in the emails it sends out, posing challenges in detection, especially by traditional antispam and anti-phishing solutions that check for those malicious indicators,” the research team added.

“The lack of typical malicious elements in BazaCall’s emails and the speed with which their operators can conduct an attack exemplify the increasingly complex and evasive threats that [organisations] face today.”

Featured Resources

The definitive guide to warehouse efficiency

Get your free guide to creating efficiencies in the warehouse

Free download

The total economic impact™ of Datto

Cost savings and business benefits of using Datto Integrated Solutions

Download now

Three-step guide to modern customer experience

Support the critical role CX plays in your business

Free download

Ransomware report

The global state of the channel

Download now

Recommended

Researchers disclose top flaws abused by ransomware gangs
ransomware

Researchers disclose top flaws abused by ransomware gangs

20 Sep 2021
One-in-seven Nasdaq-100 companies ranked as highly susceptible to a ransomware attack
cyber crime

One-in-seven Nasdaq-100 companies ranked as highly susceptible to a ransomware attack

16 Sep 2021
Large US businesses are hackers' ideal ransomware targets
ransomware

Large US businesses are hackers' ideal ransomware targets

7 Sep 2021
Criminals caught trying to recruit insiders to plant ransomware
ransomware

Criminals caught trying to recruit insiders to plant ransomware

20 Aug 2021

Most Popular

Zoom: From pandemic upstart to hybrid work giant
video conferencing

Zoom: From pandemic upstart to hybrid work giant

14 Sep 2021
What are the pros and cons of AI?
machine learning

What are the pros and cons of AI?

8 Sep 2021
Google takes down map showing homes of 111,000 Guntrader customers
data breaches

Google takes down map showing homes of 111,000 Guntrader customers

2 Sep 2021