This Entertainment-Themed Campaign Installs Malware in User Computer System

A popular phishing campaign tries to somehow get users to believe that they’ve enrolled in the film streaming platform to force customers to call on a phone number for cancellation – a technique that contains BazarLoader malware that harms the computer. 

BazarLoader is a C++ downloader for installing and performing other modules. In April 2020, BazarLoader was first observed by Proofpoint. 

BazarLoader develops a backdoor on Windows machines that could be exploited to provide initial access to other malware attacks – even ransomware. Ryuk Ransomware is generally delivered through BazarLoader, which can have severely harmful consequences to a successful compromise amongst cybercriminals. The operation of BazarLoader demands important human contact in the implementation and installation of the BazarLoader backdoor. 

The operator of the threat used customer service agents to lead victims to download and install the malware unwittingly. This campaign represents a broader pattern used as part of a sophisticated attack chain by BazarLoader threat actors that use call centers. 

The initial stage of the effort, which is detailed by cybersecurity investigators at Proofpoint, involves distributing tens of thousands of phishing emails affirming to come from ‘BravoMovies,’ a bogus movie streaming platform created by cybercriminals themselves. 

The site seems plausible and people behind it generated false film posters utilizing open-source pictures that are available online – but the way the site has numerous orthographic mistakes can suggest that something must be wrong if one looks very carefully. 

The email received states that the victim has subscribed and charged $39.99 a month – but if they contact a support number, that suspected subscription may be terminated. 

When the user contacts the number to which they are associated, the “customer service” professional claims to walk them through the withdrawal procedure – but what they are doing tells the unwitting victim how they may install BazaLoader on their computer systems. 

These are done by directing the caller to a “Subscription” website, wherein part of the procedure invites users to click a Microsoft Excel downloading link. This document contains macros that will silently upload BazarLoader to the system if it is activated, spreading malware on the victim’s PC. 

“Malicious attachments are often blocked by threat detection software. By directing people to phone the call center as part of the attack chain, the threat actors can bypass threat detection mechanisms that would otherwise flag its attachments as spam,” Sherrod DeGrippo, senior director of threat research and detection at Proofpoint, told ZDNet. 

“Social engineering is the key to this attack chain and threat actors depend upon their social engineering lures to cause recipients to take any action to complete the attack chain and get the malware on the target’s machine,” said DeGrippo further added. 

It should also be pointed out that while getting an e-mail claiming that the user’s credit card will be billed if they do not answer, with the creation of a sense of urgency such as this is a common method employed in phishing operations to make a user obey instructions.