Microsoft warns that the BazarCall (or BazaCall) malware "business" is more dangerous than previously estimated, as its initial attacks can lead to ransomware deployment within 48 hours.
The malware operators have targeted Office 365 users with phishing emails referring to the "expiration" of trial subscriptions, tricking recipients into calling a call center and speaking to an operator, who then tries to talk the victim into installing the BazarCall malware.
The Microsoft 365 Defender Threat Intelligence Team first flagged this cybercrime gang in June, and in a new post describes how it is a more dangerous threat than originally estimated, given that it allows attackers to distribute ransomware or steal data within just 48 hours of the "infection".
In addition, Microsoft stated the following: "Apart from having backdoor capabilities, the BazaLoader payload distributed in these malicious campaigns also gives a remote attacker hands-on-keyboard control on an affected user's device, which allows for a fast network compromise. In our observation, attacks emanating from the BazarCall threat could move quickly within a network, conduct extensive data exfiltration and credential theft, and distribute ransomware within 48 hours of the initial compromise."
The BazarCall group has apparently collaborated with the group behind the Ryuk ransomware, which has earned about $150 million in Bitcoin from its attacks.
A notable difference in the BazarCall tactic is that the emails contain no phishing links and no malicious attachments, which helps them evade classic detection systems. The technique is closer to that of call center scammers, as the victims are connected to a human operator.
The call center operation and the email infrastructure appear to be quite well organized. While the subject lines in the emails are repeated, each email is marked with a unique alphanumeric string, presented as a user ID or transaction code, so that the victim can be identified across multiple calls.
The initial call center operator discusses the ending subscription and then recommends that the victim visit a fake website, where it is supposed to cancel the subscription to avoid future monthly charges.
Microsoft has provided additional details about the malicious macros the group uses in Excel files to download the Cobalt Strike penetration testing kit, gain "hands-on-keyboard" control of the victim's machine and search the network for administrator and domain administrator account information, with the aim of stealing data or deploying Ryuk or Conti ransomware.
The representative instructs the victim to navigate to the account page and cancel the subscription by downloading a file, which turns out to be a macro-enabled Excel document. The call center operator then tells the victim to click "Enable Content" on Excel's default warning that macros have been disabled.
In cases where ransomware was deployed after a breach, the attacker used compromised high-privilege accounts together with Cobalt Strike's PsExec functionality to distribute Ryuk or Conti ransomware to devices on the network, Microsoft added.
Source of information: zdnet.com