Bazaloader phishing attack tricks people into installing malware on their Windows PC. The phishing emails guide people to dial a phone number to cancel a phony subscription. They are connected to the call center operated by the cybercriminals posing as ‘customer support’, who guide them to download malicious codes commonly used in ransomware attacks.
BazaLoader campaign uses human interaction and an intricate attack chain that makes it difficult to detect the BazaLoader malware. The bad actors deliver Ryuk ransomware via BazaLoader to create a backdoor on Windows machines to carry out ransomware attacks.
According to researchers at Proofpoint, the campaign distributes thousands of phishing emails, coming from ‘BravoMovies’ – a fake video-streaming service made up by cybercriminals.
The website lures the victims, with fake movie posters made using open source images available online. Though the website does contain several spelling mistakes, that can give a hint to alert users. Contents of the email lure users to sign up for a trial period for a $39.99 a month subscription that can be canceled if they call a support line.
The users are connected to the ‘customer service’ representative who claims to guide them through the process of unsubscribing. Instead, the users actually end up installing BazaLoader on their computers.
Users are guided to the ‘Subscription’ page where they are lured to click a link that downloads a Microsoft Excel spreadsheet. It contains macros that can secretly download BazaLoader onto the machine when enabled, in the process infecting the victim’s PC with malware.
Though it takes a huge effort on the part of the bad actors to direct users into downloading the malicious codes, it is difficult to detect the malware during the download and installation process. The low risk of the attack being discovered makes the extra effort prove to be worthy for the bad actors.
According to Sherrod DeGrippo, senior director of threat research and detection at Proofpoint, “Malicious attachments are often blocked by threat detection software. By directing people to phone the call center as part of the attack chain, the threat actors can bypass threat detection mechanisms that would otherwise flag its attachments as spam.”
He further added, “However, doing so significantly lowers the likelihood of a victim engaging with the content and takes more time and effort on the part of the threat actors.”
How to stay clear of Bazaloader Phishing Attack?
- Users should be trained by information security teams to sport and report malicious emails.
- Users should be aware when you receive an email that claims your credit card will be charged if you don’t respond is surprising. It is a commonly used tactic by bad actors to create a sense of urgency to trick users into falling for the trap and following the instructions.