‘BazaFlix’ Fakes Movie Streaming Service to Distribute Malware

  • ‘BazaFlix’ is a new campaign from ‘BazarLoader’ actors who are spreading their malware through macro-ridden Excel files.
  • The campaign relies upon making people believe that they are about to be charged $39.99 for a streaming subscription.
  • The same group was recently doing the same thing by using a different theme, so they could change to something else again.

A new tricky malware distribution campaign is going on right now using a fake movie streaming service called ‘BravoMovies’ as bait to convince victims to download BazarLoader. According to the report by Proofpoint researchers, who identified the campaign and collected all the evidence, the actors launched their malicious operation in early May, so it has been a month already. Contrary to the typical approach, this campaign requires quite an extensive victim interaction, but with the help of ‘BravoMovies,’ this aspect is covered adequately.

The infection starts with an email message that claims a trial period expiration and an automatic transfer to a premium plan in ‘BravoMovies.’ This comes with a charge of $39.99 per month - unless you have an objection of course. If you do, you are given a phone number to call, answered by a crook who pretends to be a support agent.

Source: Proofpoint

The victim is then directed to the ‘BravoMovies’ website, which hosts a document that is allegedly containing the instructions on how to cancel the subscription. This document contains BazarLoader, a dangerous malware that has been circulating the web since April 2020.

Source: Proofpoint

The document downloaded from the website is an Excel file containing malicious macros, so the victim is asked to “enable editing” and “enable content” to preview it. Hoping that they’ll cancel their subscription and avoid being charged, some victims follow this instruction and allow the code to run on their computer.

Source: Proofpoint

BazarLoader provides backdoor access for the actors, so it serves as a portal to drop more payloads, scan the environment, and possibly exploit vulnerabilities on other devices connected to the same network.

Palo Alto’s Unit 42 team has noticed and reported a similar campaign using the particular malware this month, and they named it “BazarCall” because it involved fake support agents directing victims to malicious websites that delivered macro-ridden spreadsheets. In that report, the email messages that initiated the infection chain claimed to come from a book service, warning about the premium trial coming to an end.

Source: Unit42

In BazaFlix, the three websites used are “bravomovies[.]net”, “bvcinema[.]net”, and “urbancinema[.]net”. All of them appear to be down when writing this, but judging from the above, we expect to see the actors jumping to other domains or different themes altogether. That said, if you receive an email making auto-charge claims, do not jump straight into action. Look at the signs of fraud, evaluate the claims with a clear mind and act with composure.

REVIEW OVERVIEW

Latest

How to Watch Two Shallow Graves: The McStay Family Murders Online From Anywhere

If you enjoy crime documentaries, we have a recommendation for you as Investigation Discovery has just released a brand-new limited docu-series. It...

How to Watch Beat Shazam Season 5 Online From Anywhere

The game show that will have you on your feet is set to launch a new season pretty soon, and we have...

How to Watch Don’t Forget the Lyrics! Online From Anywhere 

It's summer, so game shows are on! The newest addition to the list comes from Fox, and it's a revival of a...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari