The individuals who created the BazaCall callback phishing technique have kept up with new social engineering techniques to spread malware on targeted networks.

The Vulnerability

According to a report released last week by cybersecurity firm Trellix, the scheme ultimately serves as a launchpad for carrying out financial fraud or distributing advanced payloads such as ransomware.

The U.S., Canada, China, India, Japan, Taiwan, the Philippines, and the U.K. are among the nations that have recently been the main targets of attack waves.

BazaCall, also known as BazarCall, became well-known in 2020 for its innovative method of disseminating the malware known as BazarBackdoor (also known as BazarLoader) by tricking potential victims into dialing a phone number provided in phoney email messages.

By telling the recipients that a trial subscription for, say, an antivirus service is about to expire, these email traps try to create a sense of urgency. The messages then advise recipients to cancel the plan by contacting the support department, or else be charged for the premium version of the software without their consent.

The attacks' main objective is to gain remote access to the endpoint under the pretence of cancelling the fictitious subscription or of installing security software to clean the computer of infection, essentially opening the door for further actions.

In PayPal-themed campaigns, the operators also pose as incident responders to convince the caller that their account has been accessed from eight or more devices spread across random locations around the globe.

Whatever scenario is used, the victim is prompted to open a specific URL, which leads to a website carefully constructed to download and run a malicious executable that, among other files, also drops the genuine ScreenConnect remote desktop programme.

After gaining persistent access, the attacker opens phoney cancellation forms that ask the victims to provide personal information and bank account login credentials, tricking them into sending money to the fraudster.

The Recommendations

The change coincides with the adoption of the call-back phishing tactic as an initial infiltration vector by at least three distinct spinoff organizations of the Conti ransomware cartel.

There are still connections to Conti. TrickBot, the cybercrime organization behind BazarBackdoor, was taken over by Conti earlier this year and shut down in May or June of 2022 because of its allegiance to Russia in its attack on Ukraine.