
How BazarCall Malware Uses Call Centers to Infect Victims

by CISOCONNECT Bureau

A telephone call is now being used by cybercriminals as a novel method of infecting their target networks. A new malware delivery campaign known as BazarCall has been detected by security researchers since January. This malware is a Remote Access Trojan (RAT) that can take control of infected users’ computers and has a few new tricks up its sleeve.

According to reports, BazarCall malware’s operators are using this campaign to spread the BazarLoader Remote Access Trojan, which allows a hacker to take complete control of your PC and install more malware with just a phone call. While cybercrime groups have previously collaborated with underground call centres, this is the first time this strategy has been seen used on a wide scale by a malware distributor such as the BazarLoader gang.

BazarCall gives its operators remote access to corporate networks, allowing them to move laterally across the network. As a result, they have the ability to steal confidential information or install ransomware.

In the beginning, the BazarCall campaign spread IcedID, BazarLoader, Gozi IFSB, TrickBot, and other malware. Although pressure from several security agencies has forced the operators to change their phone numbers and hosting sites, malware delivery has not slowed down.

Modus Operandi
The cyberattack begins with a phishing email informing the user of a free trial subscription to a medical service. The email further informs them that the trial will expire, after which they will be charged on a monthly basis.

The victim is then instructed to call a phone number included in the email to cancel the subscription before it renews. Several thank-you notes or messages about continuing the free trial may also be sent to the victims.

When victims dial the number, they reach a call centre operator who enquires about the problem in detail. The phone agent then asks the victim for the unique customer ID specified in the email.

The victims are then directed to a cancellation page where they must enter their customer ID. The page, however, prompts them to download an Excel or Word file and enable its macros, which delivers the BazarLoader malware.
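As an added illustration that is not part of the original article, the following Python heuristic scores an incoming e-mail for the callback-phishing traits described above: a phone number to call, a request for a customer ID, and trial/billing pressure. The two sample messages are constructed for this example, and the keyword list and thresholds are assumptions a defender would tune for their own mail flow.

```python
import email
import re
from email import policy

# Constructed sample lure modelled on the BazarCall pattern (not a real message).
LURE = """From: billing@example-trial.invalid
To: user@example.invalid
Subject: Your free trial is ending

Thank you for trying our medical service. Your free trial expires in 2 days,
after which your card will be charged monthly. To cancel the subscription
before it renews, call 1-800-555-0199 and quote customer ID 7F3K-22A9.
"""

# Constructed benign message for comparison.
BENIGN = """From: alice@example.invalid
To: bob@example.invalid
Subject: Lunch?

Are you free for lunch tomorrow? Let me know.
"""

# North-American style numbers; extend for other regions (assumption).
PHONE_RE = re.compile(r"\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b")
# The lure asks the victim to quote an identifier to the call-centre agent.
CUSTOMER_ID_RE = re.compile(r"\b(?:customer|account|subscription)\s+(?:id|number|no\.?)\b", re.I)
# Trial-expiry / billing-pressure vocabulary (assumed list).
KEYWORDS = ("free trial", "expire", "charged", "monthly", "cancel", "renew", "subscription")


def callback_phishing_score(raw_message):
    """Return the callback-phishing features found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    features = []
    phone_numbers = PHONE_RE.findall(text)
    if phone_numbers:
        features.append("phone_number")
    if CUSTOMER_ID_RE.search(text):
        features.append("customer_id_request")
    keyword_hits = [k for k in KEYWORDS if k in text.lower()]
    if len(keyword_hits) >= 3:
        features.append("billing_pressure")
    # A phone number alone is normal; a phone number plus pressure to call is the lure.
    suspicious = "phone_number" in features and len(features) >= 2
    return {"suspicious": suspicious, "features": features, "phone_numbers": phone_numbers}
```

Flagged phone numbers can be handed to the help desk so staff recognise the campaign's call-back numbers when users report them.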

Initially, the BazarCall campaign was used to spread malware such as TrickBot, IcedID, Gozi IFSB, and others. What makes these Windows malware families so dangerous is that they give threat actors remote access to infected corporate networks, allowing them to steal data or install ransomware.

Ransomware operators use BazarLoader and TrickBot to spread Ryuk and Conti ransomware, whereas IcedID was previously used to spread Maze and Egregor ransomware infections.

Thanks to the efforts of many researchers, who had the phone numbers and hosting sites taken down, the distribution service has had no choice but to change them repeatedly, but this has not reduced the success of the distribution process.

Mitigation
You can protect yourself from the BazarCall malware by using reputable antivirus software and being cautious when signing up for free trials of services.

Users must be aware that opening an attached document and enabling its macros is one of the most common ways for malware to infect them. As a result, even when users sign up for free online service trials, they should be cautious about following instructions from call centre operators who ask them to download potentially malicious documents or applications.
