The operators behind the BazaCall callback phishing method have continued to evolve with updated social engineering tactics to deploy malware to targeted networks.
The scheme ultimately acts as an entry point to conduct financial fraud or to facilitate the delivery of next-stage payloads such as ransomware, cybersecurity firm Trellix said in a report released last week.
The main targets of the latest waves of attacks are the United States, Canada, China, India, Japan, Taiwan, the Philippines and the United Kingdom.
BazaCall, also referred to as BazarCall, first gained popularity in 2020 for its new approach to distributing the BazarBackdoor (aka BazarLoader) malware by manipulating potential victims into calling a phone number specified in decoy email messages.
These email baits aim to create a false sense of urgency, notifying recipients of a trial subscription renewal for, say, an antivirus service. The messages also direct them to contact their support department to cancel the plan, or risk being automatically charged for the premium version of the software.
The ultimate goal of the attacks is to obtain remote access to the endpoint under the pretext of terminating the supposed subscription or installing a security solution to rid the machine of malware, thus opening the way for follow-up activities.
Another tactic operators have adopted is to pose as incident responders in PayPal-themed campaigns to trick the caller into thinking their accounts were accessed from eight or more devices spread out in random locations around the world.
Regardless of the scenario used, the victim is prompted to launch a specific URL – a specially crafted website to download and run a malicious executable which, among other files, also drops legitimate ScreenConnect remote desktop software.
Once persistent access is established, the attacker opens fake cancellation forms that ask the victims to fill in personal information and log into their bank accounts to process the refund; in reality, they are tricked into sending the money to the crook.
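As an added example (not from the Trellix report or this article), a lightweight mail-triage heuristic for the callback-phishing lures described above: it scores a message on the signals those lures share (a phone number with no link, a "call support" call to action, and billing or account-access urgency terms). The keyword lists and sample messages are constructed for illustration.

```python
import re

# Signals drawn from the lures described above; the term list is constructed.
BILLING_TERMS = ("trial", "subscription", "renew", "premium", "cancel",
                 "charged", "accessed from", "devices", "refund")
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# The lure's call to action: "call/contact ... support/billing/incident response"
CALL_RE = re.compile(r"\b(call|contact|phone|dial)\b.{0,40}?"
                     r"\b(support|help ?desk|customer service|billing|incident response)\b",
                     re.IGNORECASE | re.DOTALL)


def score_callback_phish(subject: str, body: str) -> dict:
    """Return a score and the reasons that fired; higher means more suspicious."""
    text = f"{subject}\n{body}".lower()
    reasons = []
    if PHONE_RE.search(text):
        reasons.append("phone_number")
    if CALL_RE.search(text):
        reasons.append("call_to_action")
    hits = sorted(t for t in BILLING_TERMS if t in text)
    if len(hits) >= 2:
        reasons.append("billing_urgency:" + ",".join(hits))
    # Callback lures carry a phone number but usually no link to click
    if "phone_number" in reasons and not URL_RE.search(text):
        reasons.append("no_links")
    return {"score": len(reasons), "reasons": reasons}


# Constructed sample messages modelled on the lures described above
SAMPLES = {
    "trial_renewal": ("Your Antivirus Premium trial is ending",
                      "Your free trial will be automatically renewed and your card "
                      "charged $299.99 for the premium plan. To cancel, call our "
                      "support department at (800) 555-0142 within 24 hours."),
    "paypal_devices": ("Unusual sign-in activity",
                       "Your PayPal account was accessed from 8 devices in different "
                       "locations. If this was not you, contact our incident response "
                       "team at 1-800-555-0199 to secure your account and request a refund."),
    "benign_invoice": ("Invoice #1042",
                       "Your invoice is attached. View it online at "
                       "https://billing.example.invalid/inv/1042 or reply to this email."),
}
```

Run over a mailbox export, a score of 3 or more is worth a human look; a lone phone number or a single billing term on its own should not alert.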
The development comes as at least three different spin-off groups from the Conti ransomware cartel have adopted the phishing callback technique as an initial intrusion vector to breach corporate networks.
The links with Conti do not stop there. BazarBackdoor, for its part, is the creation of a cybercrime group known as TrickBot, which was taken over by Conti earlier this year before the latter was shut down in May-June 2022 owing to its allegiance to Russia in its assault on Ukraine.