Fake Call Centers Trick Users Into Installing Ransomware and Data Stealers
A sophisticated malicious campaign, known as "BazaCall," is targeting unsuspecting users by employing phony call centers to spread dangerous malware. Instead of relying on traditional tactics like malicious URLs or infected attachments, these attackers use a voice phishing (vishing) approach, tricking victims into downloading malware that can exfiltrate data and even deploy ransomware.
How BazaCall Works
The BazaCall campaign begins with a deceptive email that warns recipients of an impending subscription charge. To resolve the issue, the email instructs the recipient to call a specific number. Those who fall for the trick end up speaking with a live agent at a fraudulent call center, where they're led through a series of steps that result in the download of BazaLoader malware.
BazaLoader, also known as BazarBackdoor, is a versatile tool for attackers. Written in C++, it is a downloader that fetches and installs additional malicious software on the infected computer. It can exfiltrate sensitive information and paves the way for follow-on threats, notably the Ryuk and Conti ransomware families. First identified in April 2020, BazaLoader has been used by multiple cybercriminal groups because of its flexibility and stealth.
According to the Microsoft 365 Defender Threat Intelligence Team, once BazaLoader is on a system the operators can move to hands-on-keyboard activity: reaching critical data, stealing credentials, and deploying ransomware, all within 48 hours of the initial infection.
The Dangerous Appeal of Human-Led Attacks
One of the reasons BazaCall is so insidious is the use of human operators to trick victims into downloading malware. Since the phishing emails don’t contain the usual malicious links or attachments, it's much harder for security software to detect and block these attacks.
Attackers behind BazaCall have also varied the delivery method. Earlier in 2021, researchers from Palo Alto Networks and Proofpoint exposed an operation in which the call center agents sent users to websites for fake ebook services and movie streaming platforms. Once on these fraudulent sites, victims were talked into downloading macro-enabled Excel spreadsheets that, once the macros were allowed to run, installed BazaLoader.
The most recent attack, uncovered by Microsoft, involves a similar tactic. Call center agents direct victims to a fake recipe website (topcooks[.]us), where the malware is discreetly deployed as part of a "trial subscription cancellation" process. The involvement of live call center agents adds a layer of social engineering that makes BazaCall even more dangerous.
Defending Against BazaCall Campaigns
The BazaCall attack chain demonstrates the growing sophistication of malware campaigns, where human interaction becomes a key part of the strategy. Unlike automated malware attacks, this hands-on approach makes it more challenging for organizations to detect and respond quickly to threats.
To defend against such attacks, experts emphasize cross-domain visibility and correlation of events from different sources (email, endpoint, and identity) into a single picture. Since the lure email carries no URL or attachment, the useful email-side indicators are the phone number and the billing-themed wording; the stronger signal comes from the endpoint, where a spreadsheet opened after such an email begins spawning processes and making unusual outbound connections. Employee awareness training, and encouraging staff to verify suspicious subscription charges through the vendor's official channels rather than a number in the email, round out the proactive measures.
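As an added illustration of the cross-domain correlation described above (this is example code written for this page, not tooling from Microsoft or any of the researchers cited), the script below flags emails that fit the BazaCall lure pattern (subscription or charge wording, a phone number, but no link or attachment) and raises an alert only when the same user's endpoint later shows an Office application spawning a scripting or system utility. The email and process records, the field names, the 48-hour window, and the list of Office parents and suspect child processes are all assumptions chosen for the example; the sample data is constructed, not taken from a real incident.

```python
import re
from datetime import datetime, timedelta

# Email-side indicators. The lure carries no link or attachment, so the
# detectable features are the phone number and the billing-themed wording.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://|www\.", re.I)
LURE_RE = re.compile(r"\b(subscription|trial|renew(?:al|ed)?|charged?|billing|cancel)\b", re.I)

# Endpoint-side heuristic (assumption for this example): an Office process
# spawning a shell or system utility is a common sign of a macro running.
OFFICE_PARENTS = {"excel.exe", "winword.exe"}
SUSPECT_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe",
                    "regsvr32.exe", "certutil.exe", "wscript.exe"}


def lure_indicators(msg):
    """Return the list of vishing-lure indicators present in one email record."""
    text = msg["subject"] + " " + msg["body"]
    found = []
    if PHONE_RE.search(text):
        found.append("phone number")
    if LURE_RE.search(text):
        found.append("subscription/charge wording")
    if not URL_RE.search(text):
        found.append("no URL")
    if not msg["attachments"]:
        found.append("no attachment")
    return found


def is_vishing_lure(msg):
    """True only when all four indicators line up: wording, phone, no URL, no attachment."""
    return len(lure_indicators(msg)) == 4


def correlate(emails, proc_events, window=timedelta(hours=48)):
    """Alert when a lure recipient's endpoint shows Office spawning a suspect
    child within `window` after the lure arrived."""
    lures_by_user = {}
    for msg in emails:
        if is_vishing_lure(msg):
            lures_by_user.setdefault(msg["recipient"], []).append(msg)

    alerts = []
    for ev in proc_events:
        if ev["parent"].lower() not in OFFICE_PARENTS:
            continue
        if ev["child"].lower() not in SUSPECT_CHILDREN:
            continue
        ev_time = datetime.fromisoformat(ev["time"])
        for lure in lures_by_user.get(ev["user"], []):
            delta = ev_time - datetime.fromisoformat(lure["time"])
            if timedelta(0) <= delta <= window:
                alerts.append({
                    "user": ev["user"],
                    "lure_subject": lure["subject"],
                    "process": f'{ev["parent"]} -> {ev["child"]}',
                    "minutes_after_lure": int(delta.total_seconds() // 60),
                })
    return alerts


# Constructed sample data (not real messages or telemetry).
SAMPLE_EMAILS = [
    {"recipient": "alice", "time": "2021-07-01T09:00:00", "attachments": [],
     "subject": "Your trial ends today",
     "body": "Your free trial of the premium plan ends today and your card will be "
             "charged $49.99 per month. To cancel, call 855-555-0199 now."},
    {"recipient": "alice", "time": "2021-07-01T08:30:00", "attachments": [],
     "subject": "Weekly digest",
     "body": "Your weekly digest is ready. Read it at https://news.example.com/digest"},
]

SAMPLE_PROCESS_EVENTS = [
    {"user": "alice", "time": "2021-07-01T09:37:00", "parent": "EXCEL.EXE", "child": "cmd.exe"},
    {"user": "bob",   "time": "2021-07-01T09:40:00", "parent": "EXCEL.EXE", "child": "cmd.exe"},
    {"user": "alice", "time": "2021-07-01T10:05:00", "parent": "WINWORD.EXE", "child": "splwow64.exe"},
    {"user": "alice", "time": "2021-07-06T09:37:00", "parent": "EXCEL.EXE", "child": "rundll32.exe"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EMAILS, SAMPLE_PROCESS_EVENTS):
        print(alert)
```

Of the four process events, only the first produces an alert: bob received no lure, splwow64.exe is not a suspect child, and the last event falls outside the 48-hour window. On its own, either half of the rule is noisy (billing emails with phone numbers are common, and some legitimate add-ins spawn child processes), which is exactly why the two sources are joined rather than alerted on separately.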
Cybersecurity continues to evolve, but so do the tactics of attackers. Vigilance and multi-layered defenses are essential in protecting against the increasingly intricate malware campaigns like BazaCall.