The BazarCall (or BazaCall) malware campaign was first observed in January 2021. It got its name because it was initially used to spread BazarLoader, and although BazarCall now distributes other malware as well, the name stuck.
BazarCall operators follow a simple but very effective scheme. It traditionally starts with phishing emails; to catch the attention of a future victim, the attackers use lures built around free trials of various products and supposedly expiring subscriptions for medical, IT or financial services (which must be cancelled urgently to avoid being charged). All of these emails contain instructions stating that, to cancel the subscription, the recipient must call the specified phone number.
By calling this number, the user reaches a call centre whose English-speaking operator walks the victim through the process step by step. First, the operator makes the unsuspecting user provide the unique customer identifier given in the email. This lets the call centre determine which BazarCall campaign the victim has responded to. If the caller gives a wrong number, the operator says that the subscription has already been cancelled and ends the call.
If the number is valid, the caller is directed to a malicious site and told to download an Office file (usually Excel or Word) that supposedly contains an unsubscribe form. The victim is then instructed to disable security features and enable macros in the document, which then loads BazarLoader. In some cases, the operator may also ask the victim to disable their antivirus.
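As an added illustration, not from the article or from any of the researchers it cites, the Python heuristic below flags emails with the callback-phishing shape described above: a subscription or trial cancellation lure, a phone number to call, and no link at all. The lure phrases, the regular expressions and the sample messages are assumptions constructed for this example.

```python
import re

# Lure wording from the BazarCall emails described above (free trials, expiring
# subscriptions, an imminent charge). The exact phrase list is an assumption.
LURE_PATTERNS = [
    re.compile(r"\bfree trial\b", re.I),
    re.compile(r"\bsubscription\b.{0,80}\b(?:expir|renew|cancel)", re.I | re.S),
    re.compile(r"\b(?:will be|has been) charged\b", re.I),
]
# North American style phone number, the only call to action in these lures.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
# The "unique customer identifier" the call-centre operator asks the caller for.
CUSTOMER_ID_RE = re.compile(
    r"\b(?:customer|order|account|invoice)\s*(?:id|number|no\.?|#)\s*[:#]?\s*"
    r"([A-Z0-9][A-Z0-9-]{5,})", re.I)
URL_RE = re.compile(r"https?://|\bwww\.", re.I)


def score_callback_lure(subject, body):
    """Return (suspicious, reasons) for one email.

    The BazarCall shape is: a subscription/trial cancellation lure, a phone
    number to call, and no link at all (which is why URL filters miss it).
    A customer ID raises confidence but is not required."""
    text = f"{subject}\n{body}"
    reasons = []
    has_lure = any(p.search(text) for p in LURE_PATTERNS)
    has_phone = PHONE_RE.search(text) is not None
    has_url = URL_RE.search(text) is not None
    if has_lure:
        reasons.append("subscription/trial cancellation lure")
    if has_phone:
        reasons.append("phone number present")
    if not has_url:
        reasons.append("no URL: calling is the only action offered")
    m = CUSTOMER_ID_RE.search(text)
    if m:
        reasons.append(f"unique customer identifier {m.group(1)}")
    return has_lure and has_phone and not has_url, reasons


# Constructed sample messages for testing; not real campaign emails.
LURE_EMAIL = (
    "Your free trial is ending",
    "Your subscription will be renewed and your card charged $99.99. "
    "To cancel, call 1-800-555-0142 and quote customer ID CU-48215A.",
)
BENIGN_EMAIL = (
    "Monthly newsletter",
    "Read the latest updates at https://example.com/news or call our office "
    "at (555) 123-4567 with questions.",
)
```

Run on a mail gateway's plain-text copy of each message; the returned reasons are meant for an analyst's triage note, not for automatic blocking.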
One of these calls was recorded and published on YouTube by information security expert Brad Duncan:
These spam campaigns almost always target users with corporate email addresses or addresses in the .edu domain. In other words, the attackers almost never go after ordinary users of free email services such as Gmail, Hotmail and Yahoo. Clearly, their ultimate goal is to infect large corporate networks.
Because of this unusual distribution method, the malware is not spread publicly, so samples rarely reach VirusTotal and its detection rate there is low; antivirus software also detects it poorly.
Currently, BazarLoader is used to distribute malware such as TrickBot, IcedID and Gozi ISFB. In turn, TrickBot is used to deploy Ryuk or Conti ransomware, while IcedID was previously used to deploy Maze and Egregor ransomware.
Interestingly, the connection between BazarCall and TrickBot was previously discovered by the well-known cybersecurity expert Vitali Kremez; it is believed that both malware samples were created by the same hacking group. However, BazarCall is not associated with the other malware listed above.
Bleeping Computer writes that, according to analysts from Binary Defense, the fraudulent call centre is operated by a separate hacking group that offers malware distribution as a service. At the same time, the call centre operates like a regular company: Monday to Friday, during business hours.
In recent days it has not been possible to reach the criminals' call centre because of their constantly changing infrastructure. Due to the increased interest from information security specialists, the criminals are forced to change phone numbers and hosting very frequently.