Experts warn about an unusual approach to infect targets with BazarLoader — a notorious strain frequently used to deliver ransomware. The hacker collective, dubbed BazarCall, abuses call center functionality to trick victims into downloading the malicious payload. The campaign has been active since at least February 2021, continuously adding new tricks to increase its notoriety.
According to the investigation by Palo Alto Networks, the attack chain typically starts with a phishing email impersonating a service support team. The email carries a fake notification warning the victim that a trial subscription is ending and that billing is about to start. To avoid being charged, victims are urged to call a help center phone number for further guidance. If victims are tricked into making the call, the operator leads them to a fake company website and makes sure they download a malicious Excel document and enable macros. As a result, Windows installations get infected with BazarLoader. Security experts also note that the Cobalt Strike pentest kit is often used as follow-up malware. BazarCall hackers leverage it to steal Active Directory database credentials and perform lateral movement inside the compromised network.
The nefarious campaign has recently grabbed the attention of Microsoft’s Security Intelligence team. Having observed an increasing number of phishing emails targeting Office 365 users, Microsoft experts are now investigating the malicious activity of BazarCall. To support the community's efforts, they have launched a dedicated GitHub page for sharing details about the ongoing campaign.
BazarLoader is a popular malware strain frequently used by various threat actors to drop second-stage payloads to the targeted network. It is written in C++ and has been active in the malicious arena since at least 2020.
The malware provides backdoor access to the targeted Windows machine and allows hackers to send follow-up malicious strains, perform reconnaissance, and exploit other exposed devices in the compromised environment. Previously, it was actively used by Ryuk maintainers as a downloader for the final ransomware payload.
Recently, researchers observed a major development in BazarLoader’s infection methods. Apart from the fake call center approach, the malware was spotted being delivered via popular collaboration tools like Slack and BaseCamp. In all cases, BazarLoader leverages Trickbot’s command and control infrastructure for operation. Therefore, security practitioners suspect that Trickbot maintainers might stand behind the mentioned malicious activity.
To detect BazarLoader malware delivered in the course of the BazarCall campaign, you can download a community Sigma rule developed by our keen Threat Bounty developer Osman Demir.
The rule has translations to the following languages:
SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Sumo Logic, ELK Stack, LogPoint, Humio, RSA NetWitness, FireEye, Securonix
EDR: SentinelOne, Carbon Black
Tactics: Execution, Defense Evasion
Techniques: Command and Scripting Interpreter (T1059), Signed Binary Proxy Execution (T1218)
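The following is an added example, not the Sigma rule by Osman Demir or any Threat Detection Marketplace content. It sketches the kind of process-creation check the listed techniques point to: Excel (after macros are enabled) spawning a script interpreter (T1059) or a signed binary used for proxy execution (T1218). The Sysmon-style field names, the process lists, and the sample events are assumptions constructed for illustration.

```python
import ntpath

# Assumption: events are dicts using Sysmon Event ID 1 style field names.
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}  # T1059
PROXY_BINARIES = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "msiexec.exe"}  # T1218


def basename(path):
    """Lower-cased file name of a Windows path; empty string for missing values."""
    return ntpath.basename(path or "").lower()


def classify(event):
    """Return an ATT&CK technique ID if Excel spawned a suspicious child, else None."""
    if basename(event.get("ParentImage")) != "excel.exe":
        return None
    child = basename(event.get("Image"))
    if child in INTERPRETERS:
        return "T1059"
    if child in PROXY_BINARIES:
        return "T1218"
    return None


def scan(events):
    """Return (host, child process, technique) for every matching event."""
    hits = []
    for event in events:
        technique = classify(event)
        if technique:
            hits.append((event.get("Computer"), basename(event.get("Image")), technique))
    return hits


# Constructed sample events, not taken from any real incident.
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
SAMPLE_EVENTS = [
    {"Computer": "WS-01", "ParentImage": EXCEL, "Image": r"C:\Windows\System32\cmd.exe"},
    {"Computer": "WS-02", "ParentImage": EXCEL, "Image": r"C:\Windows\System32\rundll32.exe"},
    # Interpreter started from the shell by a user: not an Office child, ignored.
    {"Computer": "WS-03", "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe"},
    # Benign Excel child (print helper): ignored.
    {"Computer": "WS-04", "ParentImage": EXCEL, "Image": r"C:\Windows\splwow64.exe"},
]

if __name__ == "__main__":
    for host, child, technique in scan(SAMPLE_EVENTS):
        print(f"{host}: excel.exe -> {child} ({technique})")
```

In production, a check like this needs tuning against legitimate add-ins and automation that start child processes from Excel.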
To check the full list of Threat Detection Marketplace content associated with BazarLoader malware, you can follow this link.
Subscribe to Threat Detection Marketplace for free and reach the industry-leading Content-as-a-Service (CaaS) platform that powers a complete CI/CD workflow for threat detection. Our library aggregates over 100K qualified, cross-vendor, and cross-tool SOC content items mapped directly to CVE and MITRE ATT&CK® frameworks. Eager to craft your own Sigma rules? Join our Threat Bounty program and get rewarded for your input!