Posted on May 30, 2021 at 11:55 AM
Recent Proofpoint research describes how attackers are distributing the BazaLoader malware downloader through a fake website. Victims are lured by phishing emails about a subscription to a fake streaming service and, by the end of the lure, are persuaded to download the malware themselves.
Proofpoint first observed this variant in May, when the attackers set up a fake movie-streaming site called ‘BravoMovies’. To make the site look legitimate and trustworthy, they populated it with movie posters and other movie content.
Email phishing attempts
Users who signed in to the fake streaming site received emails confirming a subscription to the service. The email stated that they were currently on a free trial and that a paid subscription of $39.99 would begin after a month.
The emails were carefully crafted, so that even experienced internet users might not recognise them as a scam. Users could unsubscribe, but only by telephone, through a conversation with a customer care representative. Notably, the email contained no links at all: there was nothing for a URL filter, or a wary reader, to flag.
A user who wants to unsubscribe calls the customer service number given in the email. The agent on the other end directs the caller to the FAQ section of the site and the unsubscribe procedure described there.
One of those steps is to download an Excel spreadsheet. That spreadsheet contains macros which, once the user enables them, download BazaLoader to the user’s device.
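The spreadsheet is the only point in this chain where a file reaches the victim, so it is the one artefact a defender can inspect. The following is an added example, not code from Proofpoint or from the original article, and it does not identify BazaLoader itself: it triages a downloaded workbook for embedded VBA by reading the file container directly, without opening it in Excel. A macro-enabled workbook carries an xl/vbaProject.bin part and advertises the macroEnabled content type in [Content_Types].xml, whatever extension it was served with. The sample workbooks are constructed in memory for the demonstration.

```python
"""Offline triage of an Excel download for embedded VBA, before anyone opens it.

Added example; not code from Proofpoint or from the original article. The sample
workbooks below are constructed in memory, not real campaign files.
"""
import io
import zipfile

MACRO_CT = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"
PLAIN_CT = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .xls / OLE compound file header


def build_workbook(with_macros: bool) -> bytes:
    """Constructed minimal OOXML-style container (enough structure for the check)."""
    ct = MACRO_CT if with_macros else PLAIN_CT
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/xl/workbook.xml" ContentType="{ct}"/>'
        '</Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_macros:
            # A real vbaProject.bin is an OLE compound file; a header stub is enough here.
            z.writestr("xl/vbaProject.bin", OLE_MAGIC + b"\x00" * 24)
    return buf.getvalue()


def inspect_workbook(data: bytes) -> dict:
    """Return macro indicators for a workbook's bytes. Never opens it in Excel."""
    result = {"ooxml": False, "legacy_ole": False,
              "vba_part": False, "macro_content_type": False}
    if data.startswith(OLE_MAGIC):
        # Legacy .xls: VBA lives in OLE streams and needs an OLE parser (e.g. olevba).
        result["legacy_ole"] = True
        return result
    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result
    with z:
        result["ooxml"] = True
        names = z.namelist()
        # Check the part name, not the file extension the download was given.
        result["vba_part"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        if "[Content_Types].xml" in names:
            ct_xml = z.read("[Content_Types].xml").decode("utf-8", "replace")
            result["macro_content_type"] = MACRO_CT in ct_xml
    return result


def has_macros(data: bytes) -> bool:
    """True if either indicator is present; either alone is reason to quarantine."""
    r = inspect_workbook(data)
    return r["vba_part"] or r["macro_content_type"]


if __name__ == "__main__":
    for label, blob in (("macro-enabled", build_workbook(True)),
                        ("plain", build_workbook(False))):
        print(label, inspect_workbook(blob), "-> macros:", has_macros(blob))
```

A file that comes back with legacy_ole set is undetermined rather than clean: the check above only understands the zip-based format, and a legacy .xls has to be handed to an OLE-aware tool such as olevba before it is trusted.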
Proofpoint advises anyone who uses BravoMovies and receives an email about their subscription to treat it with suspicion. The safest response is to disregard any email claiming to come from the site; calling the customer care number and downloading the spreadsheet is what leads to infection.
Ray Walsh, a digital privacy expert at ProPrivacy, said the website is designed to make any malicious intent hard for users to detect. The site also carries a detailed catalogue of popular movies to hold users’ interest. Anyone who has used BravoMovies to stream movies is therefore at risk. BazaLoader is also used by threat actors as a first stage for installing ransomware.
BazaLoader is a malicious downloader written in C++, first detected by Proofpoint in April 2020. Its use has grown since, and it is widely used to deploy ransomware such as Conti and Ryuk. Proofpoint also suspects that BazaLoader is linked to the actors behind The Trick malware, better known as Trickbot; in some campaigns Trickbot has been used in its place.
The technique of routing victims by phone to fake customer care representatives in order to deploy malware was first seen in February 2021 and is known to researchers as ‘BazarCall’. BazaLoader campaigns are also notable for the amount of human effort behind them: besides the movie-streaming lure, the downloader has been delivered with lures about online flower, lingerie and pharmaceutical orders.
Putting a live human in the loop lowers the victim’s suspicion, and because the email itself carries no malicious link or attachment, the message does not trip the red flags that link-based email lures do. Proofpoint expects these attacks to continue and BazaLoader’s use to grow.
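Because the lure email carries neither a link nor an attachment, URL reputation and attachment sandboxing have nothing to inspect; what the message does carry is billing language and a phone number as the only way to act. The following added example (not code from the article or from Proofpoint) scores an email on exactly that shape, illustrating the point made above and in the description of the email. Both messages it runs over are constructed samples, not real campaign emails, and the thresholds and regular expressions are assumptions for the demonstration.

```python
"""Heuristic triage for callback-phishing ("BazarCall"-style) emails.

Added example; not code from the article or from Proofpoint. The two messages
below are constructed samples, and the patterns are illustrative assumptions.
"""
import email
import re
from email import policy

URL_RE = re.compile(r"https?://|\bwww\.", re.I)
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
MONEY_RE = re.compile(r"\$\s?\d+(?:\.\d{2})?")
BILLING_RE = re.compile(r"\b(free trial|subscription|will be charged|renew|invoice)\b", re.I)
# "call ... cancel/unsubscribe/support/customer" within one sentence: the phone is the action path
CALL_RE = re.compile(r"\b(call|phone|dial)\b[^.\n]{0,60}\b(cancel|unsubscribe|support|customer)\b", re.I)


def extract_text(raw: bytes):
    """Return (subject + plain-text body, has_attachment) for a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    has_attachment = any(part.get_filename() for part in msg.walk())
    body = msg.get_body(preferencelist=("plain", "html"))
    body_text = body.get_content() if body is not None else ""
    return (msg.get("subject") or "") + "\n" + body_text, has_attachment


def score_callback_phish(raw: bytes) -> dict:
    """Flag a message whose only action path is a phone number next to billing language."""
    text, has_attachment = extract_text(raw)
    ind = {
        "no_links": URL_RE.search(text) is None,
        "no_attachment": not has_attachment,
        "phone_number": PHONE_RE.search(text) is not None,
        "billing_language": bool(BILLING_RE.search(text) or MONEY_RE.search(text)),
        "call_to_cancel": CALL_RE.search(text) is not None,
    }
    # A legitimate billing mail normally offers a link to an account portal; the
    # callback lure offers only a phone number. Require the full shape, not a tally.
    suspicious = (ind["no_links"] and ind["phone_number"]
                  and ind["billing_language"] and ind["call_to_cancel"])
    return {"indicators": ind, "suspicious": suspicious}


# Constructed sample modelled on the lure described in the article (not a real email).
LURE = b"""From: BravoMovies Billing <billing@example.invalid>
To: user@example.invalid
Subject: Your BravoMovies subscription is confirmed

Thanks for signing up. You are currently on a free trial; after 30 days your
subscription of $39.99 per month will be charged automatically.
To cancel or unsubscribe, please call our customer care team at (555) 010-7733.
"""

# Constructed benign sample: has a phone number, but also a link to act on.
BENIGN = b"""From: Shop <orders@example.invalid>
To: user@example.invalid
Subject: Your order has shipped

Your order #1234 has shipped. Track it at https://example.invalid/track/1234
Questions? Call us at (555) 010-8800 or reply to this email.
"""

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("benign", BENIGN)):
        print(name, score_callback_phish(raw))
```

The decision deliberately requires every indicator together rather than a score: a phone number or a dollar amount on its own appears in plenty of legitimate mail, and it is the combination of billing pressure, a phone call as the only way out, and nothing else to click that characterises this lure.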