Called BazaCall, the campaign appears to be more dangerous than initially suspected. The reason is that, apart from its backdoor capabilities, BazarLoader gives remote attackers “hands-on-keyboard control on an affected user’s device”, and that access enables cybercriminals to perform a “fast network compromise.”
“In our observation, attacks emanating from the BazaCall threat could move quickly within a network, conduct extensive data exfiltration and credential theft, and distribute ransomware within 48 hours of the initial compromise,” Microsoft said in their report.
The BazaLoader/BazarLoader Malware
As stated earlier, a major part of the BazarLoader Trojan’s operation is its data-gathering routine. The malware can be instructed to collect different kinds of information that the attackers can later abuse: a report of the installed hardware components, operating system values specific to the machine, and the user’s personal data.
Such information can be used to generate a unique identifier for each affected host. Access to the user’s personal data gives the hackers material for blackmail or identity theft. Data can also be harvested from the web browsers installed on the victim’s system.
As a Trojan, the malware then starts a remote-control operation: its engine establishes a secure connection to a hacker-controlled server. This allows the cybercriminals to take full control of the victim machine, hijack any available files, and spy on the victim in real time.
The BazaCall Malicious Campaigns
“BazaCall campaigns forgo malicious links or attachments in email messages in favor of phone numbers that recipients are misled into calling,” Microsoft found. This technique is similar to vishing and cold-calling tech support scams, where victims are approached over the phone. In the case of BazaCall, however, the targeted victim has to dial the number themselves.
Once this is done, the victim is connected to a crook on the other end of the line, who gives them step-by-step instructions for installing the malware. This is yet another example of a successful social engineering trick. What makes the BazaCall campaign especially tricky is that, because the delivery method contains no obvious malicious elements, the typical ways of detecting spam and phishing emails are rendered ineffective.
How Is the BazaCall Attack Initiated?
According to Microsoft’s findings, the campaign begins with an email that uses various social engineering tricks to lure the victim into calling a specific phone number. The email may warn of an expiring trial subscription or of a credit card about to be charged for the subscription’s premium version.
“Each wave of emails in the campaign uses a different ‘theme’ of subscription that is supposed to be expiring, such as a photo editing service or a cooking and recipes website membership. In a more recent campaign, the email does away with the subscription trial angle and instead poses as a confirmation receipt for a purchased software license,” Microsoft said.
It is noteworthy that BazaCall emails don’t include a link or attachment in the message body. Rather than being lured into clicking a link, the victim is instructed to call a phone number in case of any questions or concerns.
“This lack of typical malicious elements—links or attachments—adds a level of difficulty in detecting and hunting for these emails. In addition, the messaging of the email’s content might also add an air of legitimacy if the user has been narrowly trained to avoid typical phishing and malware emails but not taught to be wary of social engineering techniques,” the software giant pointed out.
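Because these lures carry no link or attachment, a link- or attachment-based filter sees nothing to block. One way a mail filter can still surface messages of this shape (a phone number to call, no link or attachment, subscription/expiry/charge wording), written here as an added example in Python that is not from the article or from Microsoft’s report; the sample messages, the phone-number pattern and the lure vocabulary are constructed for the example and would need tuning in practice:

```python
import re
from email import message_from_string
from email.message import Message

# Loose phone-number pattern (constructed for this example, not a production rule).
PHONE_RE = re.compile(r"(?:\+?\d{1,3}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)
# Lure vocabulary taken from the campaign description: expiring trials, charges, receipts.
LURE_TERMS = ("trial", "subscription", "expire", "charged", "premium",
              "receipt", "license", "questions or concerns")

def has_attachment(msg: Message) -> bool:
    """True if any MIME part carries a filename (i.e. is an attachment)."""
    return any(part.get_filename() for part in msg.walk())

def body_text(msg: Message) -> str:
    """Concatenate the decoded text/plain parts of the message."""
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    return "\n".join(p.get_payload(decode=True).decode(errors="replace") for p in parts)

def score_callback_lure(raw: str) -> dict:
    """Flag a raw RFC 5322 message that asks the reader to phone a number,
    has no link or attachment, and uses at least two subscription/billing lure terms."""
    msg = message_from_string(raw)
    text = body_text(msg)
    phones = PHONE_RE.findall(text)
    lure_hits = [t for t in LURE_TERMS if t in text.lower()]
    no_link_or_attachment = not URL_RE.search(text) and not has_attachment(msg)
    suspicious = bool(phones) and no_link_or_attachment and len(lure_hits) >= 2
    return {"phones": phones, "lure_terms": lure_hits,
            "no_link_or_attachment": no_link_or_attachment, "suspicious": suspicious}

# Constructed sample messages; neither is a real BazaCall email.
LURE_EMAIL = """From: billing@example.invalid
To: user@example.invalid
Subject: Your free trial is ending
Content-Type: text/plain

Your premium subscription trial expires today and your card will be charged.
Call +1 (800) 555-0199 with any questions or concerns.
"""

BENIGN_EMAIL = """From: shop@example.invalid
To: user@example.invalid
Subject: Order confirmation
Content-Type: text/plain

Thanks for your order. View your receipt at https://shop.example.invalid/orders/123
"""

if __name__ == "__main__":
    for name, raw in (("lure", LURE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(name, score_callback_lure(raw))
```

The benign receipt is not flagged because it contains a link and only one lure term; the callback lure is flagged on phone number, absence of links/attachments and several lure terms together, so a single term alone does not trigger it.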