AdvIntel has released a new publication about several threat actors now using BazarCall in an effort to raise awareness of this threat.
What is BazarCall and how does it work?
BazarCall, also known as call back phishing, is a method used by cybercriminals to target victims via elaborate phishing.
It all starts with an email, as is often the case. The threat actor sends legitimate-looking email to targets, pretending they have subscribed to a service with automatic payment. The email contains a phone number in case the target wants to cancel the subscription and avoid paying for it. There is no other way to reach the subscription service other than making a phone call.
When the victims call the phone number controlled by the threat actor, various social engineering methods are used to convince the victims to allow remote desktop control via legitimate software, supposedly to help them cancel their subscription service without any stress.
Once in control of the computer, the threat actor weaponizes legitimate tools while pretending to assist with remote desktop access, still using social engineering techniques. On an interesting note, the weaponized tools were previously typical of Conti’s arsenal.
Once done, the threat actor has a functional backdoor to the victim’s computer, which can later be used for further exploitation (Figure A).
Several ransomware threat actors at stake
According to AdvIntel, at least “three autonomous threat groups have adopted and independently developed their own targeted phishing tactics derived from the call back phishing methodology.”
The call back phishing attack is heavily tied to Conti, the infamous ransomware threat actor who broke into several different groups in 2021. The three threat groups using this attack technique are separate yet connected.
SEE: Mobile device security policy (TechRepublic Premium)
Silent Ransom, also known as Luna Moth, became an autonomous group when Conti splitted and have proven to be successful. According to AdvIntel, Silent Ransom is the progenitor of all current post-Conti phishing campaigns, with an average revenue close to the $10 billion USD revenue mark (Figure B).
The legitimate tools this threat group uses when operating their BazarCall operations are AnyDesk, Atera, Syncro, SplashTop, Rclone, SoftPerfect Network Scanner or SharpShares. Their initial phishing email usurpates several legitimate services like Duolingo, Zoho or MasterClass services.
Another subdivision of Conti, dubbed Quantum, uses the BazarCall technique. This threat actor allies with the Russian invasion into Ukraine and is responsible for the Costa Rica attack. According to AdvIntel, this group invested a lot into hiring spammers, OpenSource Intelligence (OSINT) specialists, call center operators and network intruders. The researchers indicate that “as a highly skilled (and most likely government-affiliated) group, Quantum was able to purchase exclusive email datasets and manually parse them to identify relevant employees at high-profile companies.”
The third threat group using the BazarCall technique is Roy/Zeon. Its members were responsible for the creation of the Ryuk ransomware. This group tends to only target the most valuable sector/industry.
Researchers from AdvIntel point out that callback phishing drastically changed the ransomware’s victimology for the groups using it (Figure C).
The targeted nature of these attack campaigns increased attacks against finance, technology, legal and insurance. These four industries were listed in all internal manuals shared between ex-Conti members yet manufacturing still seems to be the most targeted industry.
Why is BazarCall a revolution for ransomware threat groups?
While similar fraud exists with technical support scams, this approach of using a call center to infect computers was previously not used in ransomware operations.
Ransomware campaigns, most of the time, rely on the same attack patterns and completely changing the method of infection is surely making the infection success rate increase.
Furthermore, it only takes legitimate tools to get the initial access to the targeted computer and to further access it. Those tools are usually not flagged as suspicious by antivirus or security solutions.
This all makes BazarCall a very interesting technique for ransomware operators.
SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)
How to protect from this threat?
The initial email sent by the attackers should already raise suspicion. While it impersonates legitimate services, it is sent from third party email services, and often contains some mistakes in its content or form.
The fact that there is only one way to reach the subscription service is also suspicious, when every service provider always makes it as easy as possible for the customer who generally can choose between several ways of reaching the service handlers.
Email security solutions should be deployed in order to detect such phishing emails, in addition to antivirus and endpoint security software.
No user should ever provide remote desktop access to anyone who is not truly identified and trusted. If done and suspicion rises, the computer should immediately be disconnected from the internet, all user passwords changed and a full scan with antivirus and security solutions need to be run on the system. In case the suspected computer is connected to a corporate network, the system administrator and IT team should be immediately reached, to check the whole network integrity.
Basic hygiene should also always be respected: All operating systems and software should always be up to date and patched, to prevent from being compromised by a common vulnerability.
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.