Microsoft Reports Human-Operated Attacks
Microsoft reported an active BazaCall malware campaign in a Twitter post last Tuesday. According to Microsoft, attackers use fraudulent emails to trick targets into calling call centers, where operators talk them into downloading malware from malicious links. The tactic has proven effective at getting payloads onto target devices.
BazaCall and BazaLoader
BazaCall is named after BazaLoader, which is the malware originally distributed through the campaign.
BazaLoader is linked to the NimzaLoader backdoor malware, which is built on the same Nim programming language. Both malware families were deployed by the TA800 threat actor group.
According to Microsoft, the attack begins with an email regarding a subscription renewal:
The email details that the victim signed up for a free trial that ends in 24 hours. The email claims that payment information has already been taken and that the victim will be auto-charged at the end of the trial period. Recipients of this email are told to call a customer service number for assistance.
Once the victim calls the customer service line, a human operator instructs them to visit a website and download an Excel file that will supposedly cancel their subscription. The file contains a malicious macro that downloads the payload to the victim's computer.
Attackers used Cobalt Strike, a penetration-testing tool, to steal credentials. While Cobalt Strike is meant for companies to test their own systems for breach risks and security vulnerabilities, it is often found in the hands of cybercriminals, who use it to infiltrate networks.
Another program used by the attackers is Rclone, an open-source tool for managing and migrating content in cloud storage. In this campaign, Rclone was used to exfiltrate, or steal, data from victim computers.
This delivery approach has proven a challenge for Microsoft. Because the initial email carries no malicious content, it is difficult for security teams to detect. Instead, the attackers rely on victims reaching out to the call center themselves, where they are instructed to download the malware.
Identifying Phishing Emails
According to VMware’s most recent security insights, cyberattacks have reportedly grown to be more sophisticated and harder to prevent. While field experts are working hard to counteract the efforts of cybercriminals, there are still things that we can do to protect ourselves.
One of the most common approaches attackers take in targeting individuals is using phishing emails to either gain access to account credentials or to access sensitive data. Phishing campaigns might target corporate officers to gain privileged financial credentials, government entities to steal classified information, or individuals for quick profits.
We can avoid being scammed by phishing emails by taking a moment to absorb the details of suspicious emails:
- Keep an eye on the email address of the sender. Make sure that email addresses are actually from the company that the sender claims to be a part of.
- Scammers will often include an element of urgency to trigger fast action from victims. If you receive an email claiming that you will be charged for a subscription you haven’t signed up for, examine the email address before interacting with the email or calling anyone. If you really want to make sure, it is worth the time to call the actual company’s customer service line or look up any unknown companies claiming to have your payment information.
- Keep an eye out for website spoofing by paying attention to URLs. People can visually emulate another website, but the URL itself is unique to each site.
- Do not open or download any attachments.
- Carefully examine all electronic requests for a payment or wire transfer of funds.
- Be suspicious of any email that requires immediate action.
- Confirm requests for wire transfers or payment in person or over the phone.
- Do not verify any requests using the contact information listed in the email.
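As an added illustration of the lure described under BazaCall and BazaLoader and of the sender and urgency checks in the list above (example code, not from the original article or from Microsoft), this Python heuristic scores a single-part email for the callback-phishing pattern: a sender domain that does not match the brand it names, urgency language, a phone number to call, and no links or attachments. The sample messages, the Contoso domains and the indicator threshold are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the BazaCall lure: a trial-expiry notice with
# a phone number and no links or attachments (names and numbers are invented).
SAMPLE_EMAIL = """\
From: "Contoso Billing" <billing@contoso-support-desk.example>
To: user@example.org
Subject: Your free trial ends in 24 hours

Your trial subscription expires within 24 hours and your card on file
will be charged automatically. Call customer service at 1-800-555-0199
to cancel.
"""
# Constructed benign counterpart sent from the brand's real (assumed) domain.
BENIGN_EMAIL = """\
From: "Contoso Billing" <billing@contoso.example>
To: user@example.org
Subject: Your monthly receipt

Thanks for your payment. View the invoice at https://contoso.example/invoices
"""
URGENCY_TERMS = ("24 hours", "expires", "charged automatically", "immediately")
PHONE_RE = re.compile(r"\b1?[-. ]?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

def callback_phish_indicators(raw, brand_domains):
    """Return indicator names found in one single-part RFC 822 message;
    brand_domains is an assumed allow-list of the brand's real domains."""
    msg = message_from_string(raw)
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()
    hits = []
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain and domain not in brand_domains:
        hits.append("sender_domain_mismatch")
    if any(term in text for term in URGENCY_TERMS):
        hits.append("urgency_language")
    if PHONE_RE.search(text):
        hits.append("phone_number_present")
    if not msg.is_multipart() and not URL_RE.search(body):
        hits.append("no_links_or_attachments")
    return hits

def is_callback_phish(raw, brand_domains, threshold=3):
    """True when at least `threshold` indicators co-occur (a chosen cut-off)."""
    return len(callback_phish_indicators(raw, brand_domains)) >= threshold
```

Because the lure carries no attachment or URL, a filter keyed only on malicious content misses it; the absence of links combined with a phone number and urgency wording is what distinguishes this pattern.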
For more information on how to avoid phishing scams, see: Avoid Email Phishing Scams