Microsoft 365 Defender Threat Intelligence Team uncovered an ongoing malware campaign that tricks victims into downloading malware onto targeted systems. The campaign, dubbed BazaCall, reportedly relies on bogus call centers and social engineering to dupe victims into downloading the BazaLoader malware. Once deployed, the malware gives a remote attacker keyboard access to the infected system.
How does the BazaCall campaign work?
The BazaCall campaign begins with an email sent from a compromised email account that impersonates tech support and mimics a legitimate business name. The attackers usually create a sense of urgency in the email body so that potential victims call the fraudulent call center. When users call, the scammers instruct them to install the BazaLoader malware on their devices.
“Each wave of emails in the campaign uses a different theme of subscription that is supposed to be expiring, such as a photo editing service or a cooking and recipes website membership. In a more recent campaign, the email does away with the subscription trial angle and instead poses as a confirmation receipt for a purchased software license,” Microsoft said.
The BazaLoader malware is capable of data exfiltration, credential theft, and even deploying ransomware on infected systems within 48 hours of compromise. Unlike traditional social engineering lures, BazaLoader is not distributed via malicious URLs or files in the message body, which allows the campaign to evade malware and phishing detection.
“BazaCall campaigns require direct phone communication with a human and social engineering tactics to succeed. Moreover, the lack of obvious malicious elements in the delivery methods could render typical ways of detecting spam and phishing emails ineffective. Because the malware isn’t distributed via a link or document within the message body itself, the lures add a level of difficulty that enables attackers to evade phishing and malware detection software. This campaign is part of a broader trend in which BazaLoader-affiliated criminals use call centers — the operators seemingly non-native English speakers — as part of an intricate attack chain,” Microsoft added.
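The traits described above (no link or attachment, a phone number as the only call to action, an expiring-subscription or purchase-receipt theme, urgency wording) can be turned into a simple mail-triage heuristic. The following is an added example written for this article, not code from Microsoft's report; the sample messages and scoring threshold are constructed.

```python
import re

# Constructed sample messages modelled on the lures described in the article.
SAMPLE_EMAILS = [
    {"subject": "Your photo editing trial expires today",
     "body": "Your free trial ends in 24 hours and you will be charged $89.99. "
             "To cancel, call our support line at (800) 555-0134 now.",
     "attachments": []},
    {"subject": "Weekly newsletter",
     "body": "Read this week's stories at https://news.example/latest",
     "attachments": []},
    {"subject": "Invoice attached",
     "body": "Please find the invoice attached.",
     "attachments": ["invoice.pdf"]},
]

URL_RE = re.compile(r"https?://\S+", re.I)
# North American style numbers such as (800) 555-0134 or 800.555.0134
PHONE_RE = re.compile(r"\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
# Stems of the subscription / receipt themes the campaign rotates through
LURE_RE = re.compile(r"\b(trial|subscription|expir|renew|charged|receipt|licen[cs]e)", re.I)
URGENCY_RE = re.compile(r"\b(today|24 hours|immediately|now|cancel)\b", re.I)


def score_email(msg):
    """Return (score, reasons) for one message dict with subject/body/attachments."""
    text = f"{msg['subject']} {msg['body']}"
    reasons = []
    # The defining BazaCall trait: nothing to click, only a number to call.
    if not URL_RE.search(msg["body"]) and not msg["attachments"] and PHONE_RE.search(msg["body"]):
        reasons.append("phone number is the only call to action")
    if LURE_RE.search(text):
        reasons.append("subscription/receipt theme")
    if URGENCY_RE.search(text):
        reasons.append("urgency language")
    return len(reasons), reasons


def triage(emails, threshold=3):
    """Subjects of messages that hit every heuristic; tune threshold for your mail flow."""
    return [m["subject"] for m in emails if score_email(m)[0] >= threshold]


if __name__ == "__main__":
    for m in SAMPLE_EMAILS:
        print(m["subject"], score_email(m))
    print("flagged:", triage(SAMPLE_EMAILS))
```

Such a rule is a starting point for hunting, not a verdict: it should feed a review queue alongside sender reputation and the call-center phone numbers seen in earlier waves.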