New BazaFlix Attack Pushes BazarLoader Malware Via Fake Movie Site
Security researchers have discovered a new BazarCall email phishing campaign that successfully bypasses automated threat detection systems to spread the BazarLoader malware used by the TrickBot gang.
A new wave of BazarCall emails was spotted earlier this month, claiming to notify recipients of a debit to their payment card for an ongoing subscription to an online service.
Cancel video streaming subscription
BazarCall is a phishing method in use since the start of the year that relies on call centers to direct users to download documents containing malware.
It leans heavily on social engineering and user interaction, starting with a notification that a trial period for a service is ending and that charges for a subscription are about to begin.
In the recent campaign captured by researchers at Proofpoint, the messages claimed to be from a streaming entertainment service, announcing that the trial is about to expire and that the recipient's payment card is about to be charged for a premium plan.
The emails include a phone number that recipients can call to unsubscribe. The directions given on the other end of the line, however, point to the website of a purported streaming and TV service called “BravoMovies” from a company called UrbanCinema. Because of this, Proofpoint tracks the campaign under the name BazaFlix.
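The detection gap the article describes is that these lures carry no link or attachment, only a phone number, so URL and attachment scanners have nothing to inspect. As an added illustration that is not part of the article or Proofpoint's research, the following Python triage heuristic scores messages for that BazaCall pattern (trial or subscription wording, a phone number with a prompt to call it, and no URL); the sample messages and the scoring weights are constructed for the example.

```python
import re

# Constructed sample messages modelled on the lure described in the article
# (not real campaign emails). Index 0 mimics the BazaCall/BazaFlix pattern.
SAMPLE_EMAILS = [
    {"subject": "Your free trial is ending",
     "body": "Your BravoMovies trial ends tomorrow. Your card will be charged "
             "$39.99 for the premium plan. To cancel, call 1-800-555-0199."},
    {"subject": "Weekly newsletter",
     "body": "Read this week's articles at https://example.org/news and reply with feedback."},
    {"subject": "Invoice attached",
     "body": "Please find the invoice attached. Questions? Call (415) 555-0100."},
]

# North American style phone numbers (constructed, deliberately simple pattern).
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Wording typical of the subscription/trial-expiry pretext.
LURE_TERMS = ("trial", "subscription", "premium plan", "will be charged",
              "cancel", "unsubscribe", "renew")
# Verbs that push the recipient towards the phone instead of a link.
ACTION_TERMS = ("call", "phone", "dial")


def score_callback_phish(subject, body):
    """Return (score, reasons) for one message; higher means more BazaCall-like."""
    text = f"{subject}\n{body}".lower()
    score, reasons = 0, []
    phones = PHONE_RE.findall(body)
    if phones:
        score += 2
        reasons.append("phone_number")
    lure_hits = [t for t in LURE_TERMS if t in text]
    if lure_hits:
        score += min(len(lure_hits), 3)          # cap so wording alone cannot dominate
        reasons.append("lure:" + ",".join(lure_hits))
    if phones and lure_hits and any(a in text for a in ACTION_TERMS):
        score += 2                               # the "call us to cancel" combination
        reasons.append("call_to_phone")
    if not URL_RE.search(text):
        score += 1                               # nothing for a URL scanner to detonate
        reasons.append("no_url")
    return score, reasons


def flag_messages(emails, threshold=5):
    """Return [(index, score, reasons)] for messages at or above the threshold."""
    flagged = []
    for i, msg in enumerate(emails):
        score, reasons = score_callback_phish(msg["subject"], msg["body"])
        if score >= threshold:
            flagged.append((i, score, reasons))
    return flagged
```

The invoice message keeps a low score because a phone number on its own is routine; it is the combination with the subscription pretext and the absence of any link that marks the pattern.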
Researchers say the website looks quite realistic, using movie posters taken from various public sources, “including an advertising agency, the creative social network Behance, and the book ‘How to Steal a Dog’.”
By following the instructions for unsubscribing from the BravoMovies streaming service, users end up downloading a malicious Excel document whose macros install the BazarLoader malware.
Although the malware is typically used to download and execute other malicious files, the researchers said they did not observe a second-stage payload in this campaign.
BazarLoader appeared in April of last year and, because of similarities in its code and the infrastructure it uses, is believed to share developers with the TrickBot trojan.
The TrickBot gang is infamous for delivering Ryuk and Conti ransomware to high-value corporate victims, and BazarLoader gives it another tool for gaining a foothold without deploying the heavily detected trojan.
The BazaCall delivery method began to be used at the end of January and continued until the end of March. Although the technique has remained the same, the threat actors have used various themes to lure victims.
Previous campaigns used fake subscriptions to companies in the pharmaceutical, floral, lingerie, medical, or antivirus industries as the pretext.
While BazarLoader and TrickBot are believed to be created by the same group, the call centers may be operated by a different gang that hires them out for malware distribution.
To show what happens when an unsuspecting BazaCall victim calls the phone number in the phishing email, security researcher Brad Duncan shared a video of the conversation with the threat actor's call center.