BazarCall attack increasingly used by ransomware threat actors


AdvIntel has released a new publication about several threat actors now using BazarCall in an effort to raise awareness of this threat.

What is BazarCall and how does it work?

BazarCall, also known as call back phishing, is a method used by cybercriminals to target victims via elaborate phishing.

It all starts with an email, as is often the case. The threat actor sends a legitimate-looking email to targets, claiming they have subscribed to a service with automatic payment. The email contains a phone number to call if the target wants to cancel the subscription and avoid being charged; there is no other way to reach the supposed subscription service than by phone.

When victims call the phone number, which is controlled by the threat actor, various social engineering methods are used to convince them to allow remote desktop control via legitimate software, supposedly to help them cancel the subscription without any hassle.

Once in control of the computer, the threat actor weaponizes legitimate tools while still pretending to assist with the remote session, continuing to use social engineering techniques. Interestingly, the weaponized tools were previously typical of Conti’s arsenal.

Once done, the threat actor has a functional backdoor to the victim’s computer, which can later be used for further exploitation (Figure A).

Figure A

BazarCall process infographic based on the Jörmungandr campaign run by Quantum threat actor. Image: AdvIntel

Several ransomware threat actors at stake

According to AdvIntel, at least “three autonomous threat groups have adopted and independently developed their own targeted phishing tactics derived from the call back phishing methodology.”

The call back phishing attack is heavily tied to Conti, the infamous ransomware threat actor that split into several different groups in 2021. The three threat groups using this attack technique are separate yet connected.


Silent Ransom, also known as Luna Moth, became an autonomous group when Conti split and has proven to be successful. According to AdvIntel, Silent Ransom is the progenitor of all current post-Conti phishing campaigns, with an average revenue close to the $10 billion USD mark (Figure B).

Figure B

Target revenue data for Silent Ransom threat group.
Image: AdvIntel

The legitimate tools this threat group uses in its BazarCall operations are AnyDesk, Atera, Syncro, SplashTop, Rclone, SoftPerfect Network Scanner and SharpShares. Its initial phishing email impersonates several legitimate services, such as Duolingo, Zoho or MasterClass.

Another subdivision of Conti, dubbed Quantum, also uses the BazarCall technique. This threat actor supports the Russian invasion of Ukraine and is responsible for the Costa Rica attack. According to AdvIntel, this group invested heavily in hiring spammers, open-source intelligence (OSINT) specialists, call center operators and network intruders. The researchers indicate that “as a highly skilled (and most likely government-affiliated) group, Quantum was able to purchase exclusive email datasets and manually parse them to identify relevant employees at high-profile companies.”

The third threat group using the BazarCall technique is Roy/Zeon. Its members were responsible for the creation of the Ryuk ransomware. This group tends to target only the most valuable sectors and industries.

Changing victimology

Researchers from AdvIntel point out that callback phishing drastically changed the ransomware’s victimology for the groups using it (Figure C).

Figure C

BazarCall targets by sector of activity. Image: AdvIntel

The targeted nature of these campaigns increased attacks against finance, technology, legal and insurance. These four industries were listed in all internal manuals shared between ex-Conti members, yet manufacturing still seems to be the most targeted industry.

Why is BazarCall a revolution for ransomware threat groups?

While similar fraud exists with technical support scams, this approach of using a call center to infect computers was previously not used in ransomware operations.

Ransomware campaigns most of the time rely on the same attack patterns, so completely changing the method of infection is likely to increase the infection success rate.

Furthermore, only legitimate tools are needed to gain initial access to the targeted computer and to maintain that access. Those tools are usually not flagged as suspicious by antivirus or other security solutions.

This all makes BazarCall a very interesting technique for ransomware operators.


How to protect from this threat?

The initial email sent by the attackers should already raise suspicion. While it impersonates legitimate services, it is sent from third-party email services and often contains mistakes in its content or form.

The fact that there is only one way to reach the subscription service is also suspicious: genuine service providers make it as easy as possible for customers, who can generally choose between several ways of contacting support.

Email security solutions should be deployed in order to detect such phishing emails, in addition to antivirus and endpoint security software.
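As an added illustration (not from the article or from AdvIntel), the following Python triage heuristic combines the indicators described above: a billing or subscription lure, a phone number as the only contact channel, and a sender domain that does not match the brand named in the lure. The two messages and the brand-to-domain mapping are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (placeholders, not real campaign artefacts).
SUSPECT_MSG = """From: Billing Team <billing@example-mailer.test>
To: user@corp.test
Subject: Your MasterClass subscription renewal

Thank you for subscribing. Your card will be charged $89.99 for the annual plan.
To cancel the subscription, call our support line at 1-800-555-0142.
"""

LEGIT_MSG = """From: MasterClass <no-reply@masterclass.test>
To: user@corp.test
Subject: Your subscription receipt

Thanks for your payment. Manage or cancel your plan at https://www.masterclass.test/account
"""

PHONE_RE = re.compile(r"\b(?:\+?\d{1,2}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
URL_RE = re.compile(r"https?://\S+")
BILLING_WORDS = ("subscription", "charged", "renewal", "payment", "invoice")
# Brands the article reports being impersonated; the sender domains are assumed placeholders.
BRAND_DOMAINS = {"masterclass": "masterclass.test", "duolingo": "duolingo.test", "zoho": "zoho.test"}


def callback_phish_indicators(raw: str) -> list[str]:
    """Return the callback-phishing indicators found in a single-part text message."""
    msg = message_from_string(raw)
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hits = []
    if any(word in text for word in BILLING_WORDS):
        hits.append("billing-lure")
    # A phone number with no link at all is the hallmark: the only way to "cancel" is to call.
    if PHONE_RE.search(text) and not URL_RE.search(text):
        hits.append("phone-only-contact")
    # The lure names a brand but is sent from an unrelated (third-party) mail domain.
    for brand, domain in BRAND_DOMAINS.items():
        if brand in text and not sender_domain.endswith(domain):
            hits.append(f"brand-mismatch:{brand}")
    return hits


def is_suspected_callback_phish(raw: str) -> bool:
    """Flag a message only when the lure and the phone-only channel occur together."""
    hits = callback_phish_indicators(raw)
    return "billing-lure" in hits and "phone-only-contact" in hits
```

A real mail gateway would feed its own parsed messages and brand list into these functions; the combination of indicators, rather than any single one, is what keeps false positives on genuine receipts low.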

No user should ever provide remote desktop access to anyone who is not properly identified and trusted. If access was granted and suspicion arises, the computer should immediately be disconnected from the internet, all user passwords changed, and a full scan with antivirus and security solutions run on the system. If the suspected computer is connected to a corporate network, the system administrator and IT team should be contacted immediately to check the integrity of the whole network.

Basic hygiene should also always be respected: all operating systems and software should be kept up to date and patched, to prevent compromise through a common vulnerability.

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.
