H-ISAC TLP White Threat Bulletin: UPDATE: BazaCall Campaign Targets Healthcare Entities - July 30, 2021

Microsoft has published "BazaCall: Phony Call Centers Lead to Exfiltration and Ransomware", detailing new insights derived from their continued investigation into BazaCall campaigns.

The BazaCall campaigns use emails that instruct recipients to call a number to cancel their supposed subscription to a service. When victims call the number, they reach a fraudulent call center operated by attackers who tell them to visit a website and download an Excel file to cancel the service. This file contains a malicious macro that downloads the payload.

When the Excel macros are enabled, the BazaCall malware will be downloaded and executed on the victim's computer, which then deploys ransomware.
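The chain above has two points a defender can check for without ever following the lure: the email itself, which carries a phone number and billing language but no link (so URL-based filters see nothing), and the downloaded workbook, which only works if it carries a VBA project. The following is an added example, not code from the bulletin or from Microsoft; the sample messages, the keyword list, the flagging threshold and the minimal in-memory workbook are all constructed here for illustration and would be tuned against real samples.

```python
"""Defensive checks for the two BazaCall stages described above.

Added example, not from the H-ISAC bulletin or Microsoft's post. The sample
email texts and the in-memory workbook are constructed here for illustration;
the keyword list and the flagging rule are assumptions to tune in deployment.
"""
import io
import re
import zipfile

# North-American style phone numbers, e.g. "(555) 010-0199" (constructed pattern)
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)
# Subscription/billing lure vocabulary (assumed list; extend from real samples)
LURE_TERMS = ("subscription", "trial", "renew", "charged", "cancel", "invoice", "membership")


def score_lure_email(body: str) -> dict:
    """Heuristic: a billing-themed message that offers only a phone number and
    no link matches the BazaCall pattern, which link-based filters miss."""
    text = body.lower()
    terms = sorted({t for t in LURE_TERMS if t in text})
    has_phone = bool(PHONE_RE.search(body))
    has_url = bool(URL_RE.search(body))
    # Rule (assumption): two or more billing terms + phone number + no URL => flag
    flagged = len(terms) >= 2 and has_phone and not has_url
    return {"flagged": flagged, "terms": terms, "phone": has_phone, "url": has_url}


def has_vba_macros(xlsx_bytes: bytes) -> bool:
    """OOXML workbooks are zip archives; VBA code is stored in xl/vbaProject.bin.
    Its presence means the file carries a macro whatever the extension says."""
    try:
        with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False
    return any(n.lower().endswith("vbaproject.bin") for n in names)


def build_workbook(with_macro: bool) -> bytes:
    """Construct a minimal zip with OOXML-like part names (sample only; not a
    valid workbook, just enough structure to exercise has_vba_macros)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"\x00")
    return buf.getvalue()


# Constructed sample messages
SAMPLES = {
    "lure": "Your free trial has ended and your subscription will be charged $89.99. "
            "To cancel, call our billing desk at (555) 010-0199 within 24 hours.",
    "newsletter": "Read this week's update at https://example.com/news or reply to unsubscribe.",
    "receipt_with_link": "Your subscription renewed. Manage it at https://example.com/account "
                         "or call 555-010-0199.",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, score_lure_email(body))
    print("macro workbook:", has_vba_macros(build_workbook(True)))
    print("plain workbook:", has_vba_macros(build_workbook(False)))
```

The email rule deliberately treats "phone number and no URL" as the signal, since that inversion of the usual phishing shape is what lets these lures through link-scanning gateways; the workbook check is the same test mail and web proxies apply when blocking macro-enabled Office files from the internet.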

This campaign is named after BazaLoader, the malware it initially distributed. The malware is designed to provide backdoor access to an infected Windows device. Attackers can then send other forms of malware, scan the target environment, and go after other vulnerable machines on the same network. The group behind BazaLoader uses different methods to distribute its malware.

Please review the Microsoft Security Blog post for additional insight. 

While this is not the first time cybercrime gangs have worked together with underground call centers, this is the first time we have seen a major malware distributor, such as the BazarLoader gang, use this tactic on a large scale.

Like many malware campaigns, BazaCall starts with a phishing email but from there deviates to a novel distribution method: using phone call centers to distribute malicious Excel documents that install malware. View the entire Threat Bulletin below.

For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

Senior Advisor for Cybersecurity and Risk, AHA

jriggi@aha.org

(O) +1 202 626 2272