Microsoft is warning of malware spread via call centers

Criminals use a variety of methods to distribute malware, including, in some cases, call centers. Microsoft cybersecurity researchers have warned of a group using the technique to spread the BazarLoader malware loader.

A post by Palo Alto Networks’ Brad Duncan (via ZDNet) explains that BazarLoader provides backdoor access to an infected Windows host. Once downloaded, criminals use the backdoor to send follow-up malware, such as ransomware, scan the environment, and exploit other vulnerable hosts on the network.

Those behind BazarLoader use a variety of distribution methods. In February this year, researchers began reporting a call center-based technique, dubbed BazarCall, which takes advantage of the less tech-savvy.

The process begins with a victim receiving an email claiming a trial subscription they signed up for has expired and their credit card will be automatically charged unless they ring the included call center number to cancel the sub.

Anyone who does call the number will be directed to a fake company website and told to download an Excel file. The call center operator then instructs the victim to enable macros on the file, allowing the machine to be infected with BazarLoader, at which point the target is informed they have been unsubscribed.

Microsoft Security Intelligence tweeted that it is tracking the BazarCall malware campaign and is warning people to be cautious. It also says it has observed the attackers using Cobalt Strike penetration testing kits to steal credentials, including the Active Directory (AD) database, and exfiltrate data using rclone.

“The lack of malicious elements in the emails can be a challenge for detection. Microsoft 365 Defender’s cross-domain visibility allows endpoint signals to inform Microsoft Defender for Office 365 protections against the emails, ensuring comprehensive defense against this attack,” explains Microsoft’s security team.

Microsoft has created a GitHub page that offers more insight into BazarCall that’s being updated as it continues tracking the malware.