January 28, 2021
Actors distributing the ‘BazaLoader’ malware have adopted a social-engineering trick that works against a large number of people, as Microsoft’s threat intelligence team warns in its latest report. The malware is being spread through a campaign named ‘BazaCall,’ in which victims are lured into phoning a call center operated by the attackers themselves, who pose as customer-service agents. Once BazaLoader is running, the operators move quickly to conduct extensive data exfiltration and credential theft, and within 48 hours of the initial compromise they drop ransomware onto the infiltrated network.
The target first receives an email claiming that a subscription to some service is about to renew and be charged to their card, and urging them to call the center themselves to avoid the charge. When the victim calls, the “representative” directs them to download an Excel file that they supposedly need to fill out to cancel the subscription. The file carries malicious macros that fetch BazaLoader, a loader that gives the actors remote control over the victim’s computer.
If all this sounds familiar, it is because it is precisely the same trick used, almost certainly by the same actors, in the May 2021 ‘BazaFlix’ campaign. Back then, the target received a message warning of the imminent renewal of a subscription to a phony streaming service and an alleged charge of $39.99. Again, Excel files carrying malicious macros were used to drop the BazaLoader payload.
In the latest campaign, the actors use different themes such as a cooking website membership, a photo editing service, WinRAR pro plans, and more. In all cases the claimed subscription cost is higher than in the ‘BazaFlix’ emails, ranging from $59.99 up to $320. To create a sense of urgency to call the fake agent, the email warns that the subscription will renew automatically within 24 hours.
The emails are usually sent from compromised accounts or from newly created accounts on free email services. If a security warning stops the victim from downloading or opening the malicious file from the phony website, the agent on the phone instructs them on how to bypass the warning, claiming it is a false positive. The Excel file is named “cancel_sub_[unique ID number].xlsb.”
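A mail-gateway or SOC triage check for the two indicators the article gives (the lure filename pattern and a macro-bearing Excel attachment) can be written in a few lines. The following is an added example, not code from the original article or from Microsoft; it assumes the filename pattern `cancel_sub_<digits>.xlsb` quoted above and relies on the fact that macro-enabled Office Open XML files (.xlsm, .xlsb, .docm, .pptm) are zip containers that store the VBA project as a `vbaProject.bin` member. The sample attachments are constructed in-memory for the demo and are not real workbooks.

```python
import io
import re
import zipfile

# Lure filename pattern reported for BazaCall: cancel_sub_<unique ID number>.xlsb
LURE_NAME_RE = re.compile(r"^cancel_sub_\d+\.xlsb$", re.IGNORECASE)


def has_vba_project(data: bytes) -> bool:
    """True if the OOXML container holds a VBA project (xl/, word/ or ppt/vbaProject.bin).

    The check looks at the zip directory only, so it does not depend on the file
    extension the sender chose. Input that is not a zip archive yields False.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False
    return any(n.lower().endswith("vbaproject.bin") for n in names)


def triage_attachment(filename: str, data: bytes) -> dict:
    """Combine the filename indicator with macro presence into a verdict.

    Both indicators present   -> block (matches the reported lure exactly)
    Either indicator present  -> review (macro workbook or lure name alone)
    Neither                   -> allow
    """
    lure = bool(LURE_NAME_RE.match(filename))
    macro = has_vba_project(data)
    if lure and macro:
        verdict = "block"
    elif lure or macro:
        verdict = "review"
    else:
        verdict = "allow"
    return {"filename": filename, "lure_name": lure, "has_macro": macro, "verdict": verdict}


def build_workbook(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML-shaped zip, optionally with a VBA member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            # Real vbaProject.bin is an OLE compound file; the header bytes suffice here.
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1")
    return buf.getvalue()


# Constructed test attachments (hypothetical names and contents).
SAMPLES = [
    ("cancel_sub_1234567.xlsb", build_workbook(True)),   # lure name + macro
    ("cancel_sub_1234567.xlsb", build_workbook(False)),  # lure name, no macro
    ("q3_budget.xlsx", build_workbook(True)),            # macro hidden behind .xlsx name
    ("notes.txt", b"plain text"),                        # not an Office file at all
]


def triage_all(samples=SAMPLES):
    return [triage_attachment(name, data) for name, data in samples]


if __name__ == "__main__":
    for result in triage_all():
        print(result)
```

The third sample shows why the macro check should not trust the extension: renaming a macro-enabled workbook to .xlsx does not remove `vbaProject.bin`, and Excel will still prompt to enable the content. A production version would also record the unique ID number from the filename, since it ties a given victim back to the call-center case the actors opened.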
If you receive an email claiming that a charge for the renewal of a subscription you have never heard of is imminent, just delete it. No legitimate service requires you to download an Excel document in order to cancel a subscription; the process is far too cumbersome to fit any real business workflow.