A new attack campaign uses dedicated call centers and a fake streaming service to deceive unsuspecting users into downloading corrupted documents carrying the BazarLoader malware threat. This particular style of attack operations emerged at the start of 2021. In essence, it is a new phishing method that infosec researchers designated as BazarCall.
The cybercriminals disseminate spam email messages claiming that a non-existent trial or demo subscription is about to expire resulting in payment charges to the user's credit/debit card. A wide range of services has so far been abused with emails sent by companies in the medical, pharmaceutical, lingerie, flower, or anti-virus sectors seemingly. The latest campaign, however, delivers messages that are supposedly coming from a streaming service named BravoMovies. The operation was discovered by the infosec researchers at Proofpoint that tracked it as BazaFlix.
The bait emails stick to the same pattern - they claim that the user's trial/demo subscription to BravoMovies, described in the emails as one of the major streaming services on the planet, is about to expire and a charge of $39.99 will be forwarded to the provided payment card automatically for a premium tier upgrade. To cancel the process, the email directs users to call the provided customer service phone number.
Doing so will connect the affected user with a call center working for the hackers. The phone operator will then try to gain the trust of the caller and boost the legitimacy of the operation by leading the user to a specially crafted website for the alleged 'BravoMovies' streaming and TV service from a company called UrbanCinema. The website is given official appearance through several movie posters that come from different public sources, such as an advertising agency, the Behance social media network, and the book 'How to Steal a Dog.'
Among the instructions, the call center operator will tell the callers to download an Excel document onto their computers. This weaponized file contains corrupted macros that will ultimately drop the BazarLoader malware onto the system. Although this particular threat is used as a delivery vehicle for the next-stage payloads almost exclusively, infosec researchers have not been able to observe such a second-stage malware being delivered as part of the BazaFlix attack.
BazarLoader shares significant code similarities with an older malware threat named TrickBot Trojan. Cybersecurity researchers believe with a high level of confidence that the TrcikBot gang also is responsible for the creation of BazarLoader. The hacker group is responsible for multiple attacks against corporate targets that involved the delivery of ransomware such as the Ryuk Ransomware and the Conti Ransomware to the compromised systems. BazarLoader was used in the attacks as a tool to drop the ransomware payloads. It should be noted that the call centers may not be operated by the same hacker group that carries out the operation necessarily. It is entirely possible for the call centers to be offered as a service by an entirely different threat actor.