A prolific phishing campaign is attempting to trick people into believing they’ve subscribed to a movie-streaming service to coerce them into calling a phone number to cancel – where someone will guide them through a procedure that infects their computer with BazaLoader malware.
BazaLoader creates a backdoor onto Windows machines that can be used as an initial access vector for delivering additional malware attacks – including ransomware. The notorious Ryuk ransomware is commonly delivered via BazaLoader, meaning a successful compromise by cyber criminals could have extremely damaging consequences.
The latest BazaLoader campaign is based around human interaction and an intricate attack chain that decreases the chance of the malware being detected.
SEE: Network security policy (TechRepublic Premium)
Detailed by cybersecurity researchers at Proofpoint, the first stage of the campaign involves the distribution of tens of thousands of phishing emails claiming to come from ‘BravoMovies’ – a fake video-streaming service made-up by cyber criminals.
The website looks convincing and those behind it have even made fake movie posters by using open-source images available online – although the way the website contains various spelling errors could hint that something isn’t right if the visitor looks carefully.
The email claims the victim signed up for a trial period and they’ll be charged $39.99 a month – but that supposed subscription can be cancelled if they call a support line.
If the user calls the number they’re connected to ‘customer service’ representative who’ll claim to guide them through the process of unsubscribing – but what they’re actually doing is telling the unwitting victim how to install BazaLoader on their computer.
They do this by guiding the caller to a “Subscribtion” page, where part of the process encourages them to click a link that downloads a Microsoft Excel spreadsheet. This document contains macros, which if enabled, will secretly download BazaLoader onto the machine, infecting the victim’s PC with malware.
While this takes more hands-on effort by the attackers, directing users towards a payload away from the initial phishing email makes the malware more difficult to detect during the download and installation process.
“Malicious attachments are often blocked by threat detection software. By directing people to phone the call centre as part of the attack chain, the threat actors can bypass threat detection mechanisms that would otherwise flag its attachments as spam,” Sherrod DeGrippo, senior director of threat research and detection at Proofpoint, told ZDNet.
“However, doing so significantly lowers the likelihood of a victim engaging with the content and takes more time and effort on the part of the threat actors.”
SEE: This malware has been rewritten in the Rust programming language to make it harder to spot
But for the attackers, it could be that the lower risk of the attack being discovered makes the extra effort worth it in the end.
“Social engineering is the key to this attack chain and threat actors depend upon their social engineering lures to cause recipients to take an action to complete the attack chain and get the malware on the target’s machine,” said DeGrippo.
To help protect users – and the wider organisation – from phishing attacks and social engineering, information security teams should train users to spot and report malicious emails.
It’s also worth noting that while receiving an email that claims your credit card will be charged if you don’t respond is startling, creating a sense of urgency like this is a common technique used in phishing campaigns in order to trick the user into letting their guard down and following instructions.