Security researchers at Proofpoint have uncovered a new phishing campaign in which hackers lure unsuspecting Internet users into downloading the BazaLoader malware dropper by making them believe they erroneously subscribed to a movie streaming service.
The phishing campaign, first discovered in early May by Proofpoint, involved hackers setting up a fake movie-streaming website called BravoMovies and populating the site with fake movie posters and additional content to make it appear genuine to unsuspecting visitors.
The hackers then proceeded to send carefully crafted emails to hundreds of recipients, informing them that they had subscribed to BravoMovies, that they were on a 30-day free trial, and that they would be charged $39.99 a month after the end of the trial period. The recipients were, however, given the option to unsubscribe by calling a customer service number. The emails themselves did not contain any malicious attachments.
Once a curious recipient of the email calls the customer service number, they are directed by the fraudsters to navigate to the Frequently Asked Questions component of the website, and follow the instructions to unsubscribe via the “Subscribtion” page, and download an Excel sheet to complete the process. According to Proofpoint, the Excel sheet contains macros that, if enabled, will download BazaLoader, a downloader written in C++ that is used to download and execute additional modules.
“BazaLoader is a downloader written in C++ that is used to download and execute additional modules. Proofpoint first observed BazaLoader in April 2020. It is currently used by multiple threat actors and frequently serves as a loader for disruptive malware including Ryuk and Conti ransomware. Proofpoint assesses with high confidence there is a strong overlap between the distribution and post-exploitation activity of BazaLoader and threat actors behind The Trick malware, also known as Trickbot,” the security firm said in a blog post.
“Proofpoint has observed BazarLoader threat actors using the method of phone-based customer service representatives to direct malicious downloads since February 2021. Security researchers have dubbed this method “BazarCall”. Proofpoint has previously observed BazaLoader email threat campaigns requiring significant human interaction in order to execute the malware. The previous campaigns included subscription pharmaceutical services and lingerie and flower orders.
“Additionally, Proofpoint researchers have observed similar infection chains leading to the distribution of The Trick instead of BazaLoader. By leveraging attack chains that require a lot of human interaction, threat actors can bypass some automated threat detection services that only flag on malicious links or attachments in email. Proofpoint anticipates the threat actors behind BazaLoader and The Trick will continue to use these techniques in future campaigns,” it added.
According to Ray Walsh, Digital Privacy Expert at ProPrivacy, the fake streaming service is designed to look legitimate and offers a catalogue of popular films. The reality is that anybody who downloads content from its website is likely to become infected with BazaLoader malware that is then used by hackers to further infect devices with dangerous ransomware.
“Those who receive an email from BravoMovies informing them that their trial period is over and they will be charged need to be aware that they are being scammed. They should not respond to the email or follow any of its instructions. Those who follow the link – or call the telephone number to speak to customer service – are then coaxed by hackers into downloading an Excel spreadsheet that contains the BazaLoader malware used to spread the ransomware attack.”
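
Because the lure emails described above carry no links or attachments, a mail filter has to look at the combination of traits the article lists instead: subscription or trial wording, a stated charge, and a phone number to call. The following Python sketch is an added example, not code from Proofpoint or from the original article; the function names, regular expressions and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_string

URL_RE = re.compile(r"https?://|www\.", re.I)
PHONE_RE = re.compile(r"(?:\+?\d{1,2}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
MONEY_RE = re.compile(r"[$€£]\s?\d+(?:[.,]\d{2})?")
BILLING_RE = re.compile(r"\b(?:subscri\w+|free trial|trial period|charged)\b", re.I)
CALL_RE = re.compile(r"\b(?:call|phone|dial)\b", re.I)


def body_and_attachments(msg):
    """Return (decoded text of all text parts, number of attached files)."""
    texts, attachments = [], 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_filename():
            attachments += 1
        elif part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            texts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(texts), attachments


def callback_lure_signals(raw_email):
    """Evaluate each trait of the lure; all names here are hypothetical."""
    msg = message_from_string(raw_email)
    body, attachments = body_and_attachments(msg)
    text = (msg.get("Subject") or "") + "\n" + body
    return {
        "no_links": URL_RE.search(text) is None,
        "no_attachments": attachments == 0,
        "phone_number": PHONE_RE.search(text) is not None,
        "charge_amount": MONEY_RE.search(text) is not None,
        "billing_language": BILLING_RE.search(text) is not None,
        "asks_to_call": CALL_RE.search(text) is not None,
    }


def is_callback_lure(raw_email):
    # Flag only when every trait is present, to limit false positives.
    return all(callback_lure_signals(raw_email).values())

# Constructed sample message (sender, wording and phone number are made up).
LURE = (
    "From: billing@streaming.example\nSubject: Your free trial is ending\n\n"
    "Thank you for subscribing. Your 30-day free trial ends soon and you will\n"
    "be charged $39.99 a month. To unsubscribe, call +1 (555) 010-0142.\n"
)
```

A match is a reason to quarantine the message or route it for analyst review, not proof of malice, since legitimate billing notices can share several of these traits.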