Emails Lead to Fake Call Center Discussions that End With a ‘BazaLoader’ Infection

  • ‘BazaLoader’ actors send emails warning victims of an imminent charge for a fake subscription.
  • The recipients can supposedly cancel their subscription renewal by calling a fake support center.
  • This leads to the download of a macro-ridden Excel file that drops malware to the victim’s computer.

Actors spreading ‘BazaLoader’ to unsuspecting victims have found a new trick that works well against a large number of people, as Microsoft’s threat intelligence team warns in its latest report. The malware is being distributed through a campaign named ‘BazaCall,’ where the actors call the victims and pretend to be agents of call centers. They then move quickly to conduct extensive data exfiltration and credential theft, and before the first 48 hours have passed, they drop ransomware onto the infiltrated network.

Source: Microsoft

At first, the target receives an email urging them to call the center themselves to avoid the renewal and credit charge for an alleged service of some form. The victim calls the representative, who then urges them to download an Excel file that they supposedly need to fill out to cancel the subscription. The file carries macros that fetch BazaLoader, a very dangerous malware that can give the actors remote control over the victim’s computer.

Source: Microsoft

If all that rings a bell to you, it is because this is precisely the same trick deployed by almost certainly the same actors in the May 2021 ‘BazaFlix’ campaign. Back then, the target received a message warning them about the imminent renewal of their subscription to a phony streaming service, leading to an alleged charge of $39.99. Again, Excel files carrying malicious macros were used for dropping the BazaLoader payload.

In the latest campaign, the actors use different themes like a cooking website membership, a photo editing service, WinRAR pro plans, and more. In all cases, the presented subscription cost is raised compared to the ‘BazaFlix’ emails, starting from $59.99 and going up to $320. To create a sense of urgency to call the fake agent, the email warns that the deadline to automatically renew the subscription ends in 24 hours.

Source: Microsoft

The emails are usually sent from compromised accounts or from newly created ones on free services. Even if the victim is stopped from downloading the malicious file from the phony website, the agent on the phone instructs them on how to bypass the warning, claiming that it’s a false flag. The Excel file is named “cancel_sub_[unique ID number].xlsb.”
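For mail and endpoint triage, the lure traits described above (renewal theme, a charge between $59.99 and $320, a 24-hour deadline, a callback number, and the `cancel_sub_*.xlsb` download) can be combined into a simple heuristic. This is an added example, not code from Microsoft or from this article; the regexes, the three-signal threshold, the digits-only ID format and the sample messages are all assumptions constructed for illustration.

```python
import re

# Download name from the article: cancel_sub_[unique ID number].xlsb.
# The ID format is not given on the page; digits only is an assumption.
LURE_FILE = re.compile(r"^cancel_sub_\d+\.xlsb$", re.IGNORECASE)
THEME = re.compile(r"\b(subscription|membership|plan)\b", re.IGNORECASE)
ACTION = re.compile(r"\b(renew\w*|charged?|cancel\w*)\b", re.IGNORECASE)
DEADLINE = re.compile(r"\b24\s*hours?\b", re.IGNORECASE)
PRICE = re.compile(r"\$\s?(\d{1,3}(?:\.\d{2})?)(?!\d|,\d)")
PHONE = re.compile(r"\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")

def lure_signals(subject, body):
    """Return the names of the BazaCall-style traits found in one email."""
    text = f"{subject}\n{body}"
    hits = []
    if THEME.search(text) and ACTION.search(text):
        hits.append("renewal_theme")
    # Price band reported for this campaign: $59.99 up to $320.
    if any(59.99 <= float(p) <= 320 for p in PRICE.findall(text)):
        hits.append("price_in_range")
    if DEADLINE.search(text):
        hits.append("24h_deadline")
    if PHONE.search(text):
        hits.append("callback_number")
    return hits

def is_bazacall_like(subject, body, threshold=3):
    """Flag for review when at least `threshold` traits co-occur (assumed cutoff)."""
    return len(lure_signals(subject, body)) >= threshold

def is_lure_download(path):
    """Match the lure workbook name on a Windows or POSIX download path."""
    return bool(LURE_FILE.match(re.split(r"[\\/]", path)[-1]))

# Constructed sample messages (not taken from real campaign mail).
LURE = ("Your Premium Membership renews tomorrow",
        "Your trial ends in 24 hours and your card will be charged $89.99. "
        "To cancel your subscription, call (800) 555-0199.")
BENIGN = ("Receipt for your order",
          "Thanks for your purchase of $12.50. Track your parcel on our site.")

if __name__ == "__main__":
    for subject, body in (LURE, BENIGN):
        print(subject, "->", lure_signals(subject, body))
    print(is_lure_download(r"C:\Users\a\Downloads\cancel_sub_48213.xlsb"))
```

Because the senders are compromised or freshly created accounts, sender reputation is deliberately not one of the signals; the heuristic looks only at content and the downloaded file name.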

If you receive an email claiming that a charge is imminent for the renewal of a subscription you are hearing about for the first time, just delete it straight away. Remember, there are no legitimate services out there requiring you to download an Excel document in order to cancel your subscription, as this is far too cumbersome to fit any operational business context.
