Microsoft warns of dangerous ‘BazaCall’ call centre ransomware scam

Human operators are tricking victims into manually downloading malware onto their systems

Ransomware operators are spreading BazaCall malware by tricking people into phoning fraudulent call centres and speaking with real humans, who provide step-by-step instructions on how to download a payload.

Attacks from BazaCall operators can move rapidly within a network, with hackers able to conduct extensive data exfiltration and credential theft, Microsoft has warned. They can even distribute ransomware within 48 hours of the initial compromise.

Apart from having backdoor capabilities, the BazaLoader payload also gives a remote attacker hands-on keyboard control for an affected user’s device.

“Our continued investigation into BazaCall campaigns, those that use fraudulent call [centres] that trick unsuspecting users into downloading the BazaLoader malware, shows that this threat is more dangerous than what’s been discussed publicly in other security blogs and covered by the media,” said the Microsoft 365 Defender Threat Intelligence Team.

“BazaCall campaigns forgo malicious links or attachments in email messages in [favour] of phone numbers that recipients are misled into calling. It’s a technique reminiscent of vishing and tech support scams where potential victims are being cold-called by the attacker, except in BazaCall’s case, targeted users must dial the number.”

When users are tricked into calling the number, they’re connected with actual humans on the other end of the line, who provide detailed guidance for installing malware on their devices.

The campaign relies on direct phone communication, as well as sophisticated social engineering tactics to succeed, but the tactic is proving difficult to prevent given the lack of obvious malicious techniques.

It starts with an email that uses various social engineering lures to trick victims into calling a number. This might include informing users about a trial that’s about to expire and that their card is set to be charged, asking them to phone the number provided in case they have any concerns. There are no attachments, links, or any other type of malicious call to action that would be spotted by a security filter.

Each message is sent from a different sender, normally through a free email service and compromised email addresses, with lures including fake business names that are similar to real companies.

Victims who do call the number will speak to a real person from a fraudulent call centre, whose aim is to direct the caller to visit a malicious website, disguised as a legitimate one. They’re asked to navigate to a page and download a file to cancel their subscription.

Related Resource

Employees behaving badly?

Why awareness training matters

Why awareness training matters - whitepaper from MimecastDownload now

These files are macro-enabled Excel documents, which might be flagged by Microsoft Defender SmartScreen, although Microsoft has observed users bypassing these warnings to download the files anyway, likely at the instruction of the hacker. Users are then prompted to enable editing, and enable macros, which triggers the BazaLoader malware to be delivered.

“The BazaCall campaign replaces links and attachments with phone numbers in the emails it sends out, posing challenges in detection, especially by traditional antispam and anti-phishing solutions that check for those malicious indicators,” the research team added.

“The lack of typical malicious elements in BazaCall’s emails and the speed with which their operators can conduct an attack exemplify the increasingly complex and evasive threats that [organisations] face today.”

Featured Resources

How virtual desktop infrastructure enables digital transformation

Challenges and benefits of VDI

Free download

The Okta digital trust index

Exploring the human edge of trust

Free download

Optimising workload placement in your hybrid cloud

Deliver increased IT agility with the cloud

Free Download

Modernise endpoint protection and leave your legacy challenges behind

The risk of keeping your legacy endpoint security tools

Download now

Recommended

Sabbath hackers are targeting US schools and hospitals
ransomware

Sabbath hackers are targeting US schools and hospitals

29 Nov 2021
Out-of-hours ransomware attacks have a greater impact on revenue
ransomware

Out-of-hours ransomware attacks have a greater impact on revenue

18 Nov 2021
US and Israel join forces to fight ransomware
ransomware

US and Israel join forces to fight ransomware

15 Nov 2021
Hackers could use new Wslink malware in highly targeted cyber attacks
malware

Hackers could use new Wslink malware in highly targeted cyber attacks

1 Nov 2021

Most Popular

How to move Microsoft's Windows 11 from a hard drive to an SSD
Microsoft Windows

How to move Microsoft's Windows 11 from a hard drive to an SSD

4 Jan 2022
Microsoft Exchange servers break thanks to 'Y2K22' bug
email delivery

Microsoft Exchange servers break thanks to 'Y2K22' bug

4 Jan 2022
How to speed up Windows 11
Microsoft Windows

How to speed up Windows 11

7 Jan 2022