Emails Lead to Fake Call Center Discussions that End With a ‘BazaLoader’ Infection

  • ‘BazaLoader’ actors send emails warning victims of an imminent charge for a fake subscription.
  • The recipients can supposedly cancel their subscription renewal by calling a fake support center.
  • This leads to the download of a macro-ridden Excel file that drops malware to the victim’s computer.

Actors spreading ‘BazaLoader’ to unsuspecting victims have found a new trick that works well against a large number of people, as Microsoft’s threat intelligence team warns in its latest report. The malware is being distributed through a campaign named ‘BazaCall,’ where the actors call the victims and pretend to be agents of call centers. They then move quickly to conduct extensive data exfiltration and credential theft, and before the first 48 hours have passed, they drop ransomware onto the infiltrated network.

Source: Microsoft
Source: Microsoft

At first, the target receives an email urging them to call the center themselves to avoid the renewal and credit charge for an alleged service of some form. The victim calls the representative, who then urges them to download an Excel file that they supposedly need to fill out to cancel the subscription. The file carries macros that fetch BazaLoader, a very dangerous malware that can give the actors remote control over the victim’s computer.

Source: Microsoft

If all that rings a bell to you, it is because this is precisely the same trick deployed by almost certainly the same actors in the May 2021 ‘BazaFlix’ campaign. Back then, the target received a message warning them about the imminent renewal of their subscription to a phony streaming service, leading to an alleged charge of $39.99. Again, Excel files carrying malicious macros were used for dropping the BazaLoader payload.

In the latest campaign, the actors use different themes like a cooking website membership, a photo editing service, WinRAR pro plans, and more. In all cases, the presented subscription cost is raised compared to the ‘BazaFlix’ emails, starting from $59.99 and going up to $320. To create a sense of urgency to call the fake agent, the email warns that the deadline to automatically renew the subscription ends in 24 hours.

Source: Microsoft
Source: Microsoft

The emails are usually sent by compromised accounts or from newly created ones on free services. Even if the victim is stopped from downloading the malicious file from the phony website, the agent on the phone instructs them on how to bypass the warning claiming that it’s a false flag. The Excel file is named “cancel_sub_[unique ID number].xlsb,” and it looks like that.

If you receive an email claiming that a charge for the renewal of a subscription you hear about for the first time is imminent, just delete it straight away. Remember, there are no legitimate services out there requiring you to download an Excel document in order to cancel your subscription, as this is overly cumbersome to fit any operational business context.

ICC World Test Championship Final 2023 Live Stream: How to Watch Test Cricket Online from Anywhere 
The pinnacle of test cricket is upon us, and the excitement is high ahead of what promises to be a thrilling contest...
How to Watch Avatar: The Way of Water Online from Anywhere
This year, Avatar: The Way Of Water became the third-highest-grossing picture of all time, collecting more than 2 billion dollars since its...
How to Watch It’s Always Sunny in Philadelphia Season 16 Online from Anywhere
It’s Always Sunny in Philadelphia Season 16 is here, and you will find below the premiere date, cast, plot, episode release schedule,...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari