Posted on June 23, 2021 at 5:35 PM
Microsoft has warned users about a new malware campaign that uses fake call centers and fake subscriptions to lure victims into downloading ransomware.
The warning is coming from Microsoft security researchers, who tagged the malware campaign “BazaCall.”
The researchers said they have uncovered “human-operated attacks and ransomware deployment” that use emails to deceive targets into making phone calls and downloading malware.
Microsoft says its Office users are the primary targets of the attack because the hackers rely on a malicious spreadsheet. The researchers have warned users to be aware of such ransomware tricks.
The attacks begin through phishing emails
According to the report, the attacks begin with an email to the unsuspecting victim. The email tells the user that the free trial period of a specified piece of software has ended and that payment for the paid version will be taken soon. The user is also told that they have agreed to continue using the software and have already provided payment details.
None of this is true; the intention is to get the user to take the action specified in the email.
The threat actors usually provide a phone number for the user to contact them if they want to cancel the subscription or lodge a complaint.
While the user thinks they are calling a genuine call center, the operator on the other end asks them to download an Excel sheet via a link the operator provides.
The user is in fact downloading a malicious file, infecting their system with malware in the process.
The malicious file springs into action when the user clicks “Enable Content” in the spreadsheet. Once that action is taken, the BazaLoader malware is installed and a further payload is downloaded.
Difficult for security software to identify
Microsoft’s threat intelligence team also stated that once the hackers gain access to the user’s device, they steal Active Directory databases and user credentials. Additionally, they can plant ransomware on the system and demand that victims pay a ransom before the encrypted data is unlocked.
Since the email contains no malicious attachments or links, security software finds the threat very difficult to detect.
But Microsoft noted that the cross-domain visibility of Microsoft 365 Defender offers better protection against such attacks: signals from the endpoint are shared with Microsoft Defender for Office 365 so that the associated emails can be identified as malicious. Microsoft presents this as a more complete defense against this type of attack.
The cybersecurity researchers say they are now on the hunt for the criminal group which has been active since January.
Even with such defenses in place, the best protection against this kind of attack is still common sense combined with a good security suite. Researchers have warned users to carry out further checks before responding to the email if they do not recognize the software it mentions.
Other warning signs are a vague and suspicious sender address, and reports from other recipients who received similar emails and found them to be malicious. The researchers also warned users not to dial the number provided unless they are certain it is legitimate.
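The two points above (an email with no links or attachments slipping past filters, and the warning signs of a subscription-expiry lure with a callback number and an unfamiliar sender) can be turned into a simple triage heuristic. The following is an added example, not code from Microsoft or from this article; the sample emails, the lure vocabulary, the trusted-billing-domain list and the score weights are all constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Heuristic indicators of a callback-phishing ("BazaCall"-style) lure.
PHONE_RE = re.compile(r"\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://|www\.", re.I)
LURE_TERMS = ("trial", "subscription", "renew", "charged", "payment", "cancel", "billing")
# Constructed allowlist: domains from which billing mail is expected at this (hypothetical) org.
TRUSTED_BILLING_DOMAINS = {"billing.contoso.example"}
SUSPICION_THRESHOLD = 4


@dataclass
class Email:
    sender: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)


def callback_phishing_score(mail: Email) -> tuple[int, list[str]]:
    """Return (score, reasons). Higher score = more BazaCall-like."""
    text = f"{mail.subject}\n{mail.body}".lower()
    score, reasons = 0, []
    if PHONE_RE.search(text):
        score += 2
        reasons.append("phone number offered as the only call to action")
    hits = [t for t in LURE_TERMS if t in text]
    if len(hits) >= 3:
        score += 2
        reasons.append("subscription/billing lure vocabulary: " + ", ".join(hits))
    if not URL_RE.search(text) and not mail.attachments:
        score += 1  # exactly the trait that lets the lure evade link/attachment scanning
        reasons.append("no links or attachments to scan")
    domain = mail.sender.rsplit("@", 1)[-1].lower()
    if domain not in TRUSTED_BILLING_DOMAINS:
        score += 1
        reasons.append(f"sender domain not a known billing source: {domain}")
    return score, reasons


def is_suspected_callback_phish(mail: Email) -> bool:
    return callback_phishing_score(mail)[0] >= SUSPICION_THRESHOLD


# Constructed samples: a subscription-expiry lure and a benign order receipt.
LURE = Email("support@renewals-desk.example", "Your free trial has ended",
             "Your free trial of PhotoEdit Pro has ended. As agreed, your subscription "
             "will renew and the payment of $399.99 will be charged to the card on file "
             "within 24 hours. To cancel, call our billing department at (555) 010-2345.")
RECEIPT = Email("orders@billing.contoso.example", "Your receipt",
                "Thanks for your order. View it here: https://shop.contoso.example/orders/123")
```

Running `callback_phishing_score` on both samples shows the lure hitting every indicator while the receipt scores zero; the threshold and weights are a starting point to tune against real mail flow, not a finished detector.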
The group also uses Cobalt Strike
Brad Duncan of Palo Alto Networks provided a detailed report on the threat actors’ methods in a blog post. He stated that the malware offers backdoor access to a compromised Windows device. Once the device is infected, the hackers use that access to deliver follow-up malware and to reach other susceptible hosts on the network.
Microsoft security researchers also stated that the group may be using Cobalt Strike, a penetration-testing tool, to steal personal details from the victim’s device. It is deployed after the initial infiltration for lateral movement across the network. The group steals credentials, including the Active Directory (AD) database, which is critical to the victimized organization because it holds its credential and identity information.
Microsoft says it is still tracking the BazarCall ransomware campaign and has published details about its findings on a GitHub page for the public.
It has also provided details about the hackers’ use of Cobalt Strike lateral movement and the different phishing email versions they have seen being used by the threat actors.