Emails Lead to Fake Call Center Discussions that End With a ‘BazaLoader’ Infection

  • ‘BazaLoader’ actors send emails warning victims of an imminent charge for a fake subscription.
  • The recipients can supposedly cancel their subscription renewal by calling a fake support center.
  • This leads to the download of a macro-ridden Excel file that drops malware to the victim’s computer.

Actors spreading ‘BazaLoader’ to unsuspecting victims have found a new trick that works well against a large number of people, as Microsoft’s threat intelligence team warns in its latest report. The malware is being distributed through a campaign named ‘BazaCall,’ where the actors call the victims and pretend to be agents of call centers. They then move quickly to conduct extensive data exfiltration and credential theft, and before the first 48 hours have passed, they drop ransomware onto the infiltrated network.

Source: Microsoft
Source: Microsoft

At first, the target receives an email urging them to call the center themselves to avoid the renewal and credit charge for an alleged service of some form. The victim calls the representative, who then urges them to download an Excel file that they supposedly need to fill out to cancel the subscription. The file carries macros that fetch BazaLoader, a very dangerous malware that can give the actors remote control over the victim’s computer.

Source: Microsoft

If all that rings a bell to you, it is because this is precisely the same trick deployed by almost certainly the same actors in the May 2021 ‘BazaFlix’ campaign. Back then, the target received a message warning them about the imminent renewal of their subscription to a phony streaming service, leading to an alleged charge of $39.99. Again, Excel files carrying malicious macros were used for dropping the BazaLoader payload.

In the latest campaign, the actors use different themes like a cooking website membership, a photo editing service, WinRAR pro plans, and more. In all cases, the presented subscription cost is raised compared to the ‘BazaFlix’ emails, starting from $59.99 and going up to $320. To create a sense of urgency to call the fake agent, the email warns that the deadline to automatically renew the subscription ends in 24 hours.

Source: Microsoft
Source: Microsoft

The emails are usually sent by compromised accounts or from newly created ones on free services. Even if the victim is stopped from downloading the malicious file from the phony website, the agent on the phone instructs them on how to bypass the warning claiming that it’s a false flag. The Excel file is named “cancel_sub_[unique ID number].xlsb,” and it looks like that.

If you receive an email claiming that a charge for the renewal of a subscription you hear about for the first time is imminent, just delete it straight away. Remember, there are no legitimate services out there requiring you to download an Excel document in order to cancel your subscription, as this is overly cumbersome to fit any operational business context.



Why Is Demon Slayer So Popular?

In August 2019, the world suddenly started talking about an anime series that had just released its nineteenth episode. Fast forward to...

F1 Live Stream 2022: How to Watch Formula 1 Without Cable

There's not much time until the 2022 Formula 1 World Championship gets underway - the first race is scheduled for late March,...

Disney+ Announces Basketball Series Inspired By Award-Winning Book The Crossover

Disney Plus announced a new basketball-themed drama series that is set to land on the streaming platform, drawing inspiration from the critically...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari