Posted on April 1, 2021 at 7:54 PM
Security researchers have discovered a new malware campaign known as “BazarCall”, which can give a hacker total control over a PC or device.
Security researchers have been monitoring BazarCall for the past two months; the campaign is known to distribute some of the most dangerous Windows malware.
In January, it was discovered that the new malware was being distributed through call centers, which the hackers initially used to install the BazarLoader malware.
Hackers use an old-fashioned attack method
Although other malware was distributed as well, security researchers kept monitoring the distribution of BazarCall, as it is highly dangerous and easily tricks unsuspecting users into downloading it.
The BazarCall campaign begins with a phishing email, but it departs from the usual distribution method: it uses phone calls to deliver malicious Excel documents.
The malware email does not bundle attachments as other types of malware do. Instead, it tells the recipient to call a particular phone number to cancel a subscription or risk being charged automatically.
The call centers then redirect the users to a website the attackers designed, where they download a “cancellation form” that installs the BazarCall malware.
But the emails do not offer any information about the supposed subscription. Once the bogus email succeeds in getting the target to call the fake tech support line, the hackers' work begins. This is a remarkably old-fashioned method of infecting computer systems with malware, but it has proven to be very effective. Many people are deceived into calling the phone number because they believe no harm can come from a phone call.
Once the phone operator obtains the subscriber ID, they know exactly who their target is, which makes it easy to turn them into a victim.
The malware can plant other malware and ransomware
Once the caller provides a valid customer ID, the hackers can find out which company the email was sent to. However, if a wrong number is given to them, the target is told the subscription order has been canceled without being sent to the website.
Once the target provides the correct customer ID, they are told who signed up and provided a credit card for the subscription.
Afterward, the target is directed to fill out a form to cancel the subscription since it was mistakenly ordered. The target is sent to a professional-looking website, where the target can continue the cancellation.
The threat actors are using five different websites, according to the security researchers. All the websites look alike, which suggests they are owned and probably designed by the same hacker. The websites have privacy statements, contact information, and FAQs, which makes them look genuine and authentic.
Another interesting thing is the fact that all the domains of the websites were registered almost at the same time last week, and they have the same Russian email address and same alias as well.
Users asked to be wary of attack method
The supposed call center representative directs the target to click on a yellow bar to enable macros on their system, which allegedly cancels the subscription. The file is a Microsoft Office file, and macro-enabled Office files are considered very dangerous.
Once the user agrees to enable macros, the Office file automatically installs a “dropper”, a type of malware that can download and install other malware automatically. This is where the user's system is infiltrated: the malware hides on the machine, steals data, and plants more malware.
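As an added example (not part of the original article or the researchers' work), the Python script below checks whether a zip-based Office document such as an .xlsm carries a VBA macro project, the component a BazarCall-style “cancellation form” needs before it can drop anything. The containers it builds for demonstration are constructed in-memory stand-ins, not real workbooks.

```python
import io
import zipfile

# In OOXML containers the VBA code lives in a dedicated part; its content type
# is also declared in [Content_Types].xml, so both give an indicator.
MACRO_PART_SUFFIXES = ("vbaproject.bin",)
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .xls/.doc header


def office_macro_indicators(data: bytes) -> dict:
    """Inspect an Office file for embedded VBA. Legacy OLE2 files are not zips,
    so they are only flagged as such here and need a separate parser."""
    result = {"is_zip": False, "is_ole2": data.startswith(OLE2_MAGIC),
              "macro_parts": [], "content_type_hit": False}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result
    result["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        result["macro_parts"] = [n for n in names
                                 if n.lower().endswith(MACRO_PART_SUFFIXES)]
        if "[Content_Types].xml" in names:
            ct = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            result["content_type_hit"] = MACRO_CONTENT_TYPE in ct
    return result


def has_macros(data: bytes) -> bool:
    """True when either indicator shows a VBA project is present."""
    ind = office_macro_indicators(data)
    return bool(ind["macro_parts"]) or ind["content_type_hit"]


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-like container for demonstration only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        parts = ['<Default Extension="xml" ContentType="application/xml"/>']
        if with_macro:
            parts.append('<Override PartName="/xl/vbaProject.bin" '
                         'ContentType="application/vnd.ms-office.vbaProject"/>')
            zf.writestr("xl/vbaProject.bin", b"\x00constructed-placeholder")
        zf.writestr("[Content_Types].xml", "<Types>" + "".join(parts) + "</Types>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("clean", False), ("macro", True)):
        print(label, has_macros(build_sample(flag)))
```

A mail gateway or download scanner can quarantine any document for which has_macros returns True before a user is ever shown the yellow “Enable Content” bar.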
Once the malware is running on the user’s system, the hackers can install botnet software, coin miners, and ransomware on the victim’s system or device.
On a more dangerous scale, the malware can spread quickly to other networks if the affected device is part of a company network.
Security researchers are advising users to be wary of such attacks. They are old-fashioned, but their attack method is proving to be very convincing to unsuspecting victims.
Users have also been advised to protect their systems with the best antivirus software. They should also watch out for any scheme that asks them to download any Office files as those files can be very dangerous.