BazaLoader campaign uses fake streaming services to evade detection

What is it?

Cyber-criminals continue to evolve their social engineering tactics to evade corporate network detection measures and deliver malicious payloads.

Proofpoint recently discovered attackers are operating a call center-like capability, where a live agent answers a call and directs victims to a fake movie streaming website. The BazaLoader campaign relies on the victim initially being contacted via phishing emails. The attackers create a sense of concern and urgency by sending messages that the victim will be charged for a subscription, resulting in the installation of the BazaLoader trojan.  

Social engineering is a concept regularly discussed in Threat Reports as a common component of successful attack chains. Attackers continue to utilize social engineering because it is effective. As with any other attack technique, social engineering tactics continually evolve, in an arms race of sorts, as defenders raise awareness of successful campaigns. Recently, Proofpoint described a novel approach used to distribute the BazaLoader trojan involving an actual person answering phone calls, redirecting victims to a fake movie streaming service website. BazaLoader was first discovered by Proofpoint in April 2020 and is used by attackers to download other malicious payloads, including some Conti and Ryuk ransomware campaigns. 

The campaign described by Proofpoint begins with potential victims receiving phishing emails claiming to relate to trial periods for streaming services expiring soon. The streaming services are all fake, using names such as BravoMovies, UrbanCinema and BOMovie, among others. The body of the phishing emails states the target’s credit cards will be charged, soon, if the subscriptions are not canceled. To this point, it sounds like a  common phishing lure, which would usually include a malicious attachment, claiming to be an invoice, bill, or account statement, etc. which the victim would be enticed to open causing a download of a malicious payload. However, in this case, the phishing emails list a phone number and advise the victim to call a customer service number, where a customer service representative will assist them  

When a victim calls  the phone number, it is answered by a human, who talks them through opening the fake streaming service’s website. The agent helps them navigate to a FAQ page where they will find a link to the subscription page, which contains an option to cancel. At first glance, the websites created for these campaigns are a reasonable facsimile of legitimate streaming sites. However, on closer inspection, they appear to be created with a generic website creator, contain grammatical and spelling errors, and list fake movies. It can be assumed that victims don’t notice the fake information, grammatical errors, etc. because they are focused on avoiding the charges.  

If the user clicks the cancel button, an Excel binary file format document (XLSB) containing a malicious Excel 4.0 macro is downloaded. Common to many Bazar Loader campaigns, this malicious document is known as CampoLoader, named for the download URL. The use of Excel 4.0 macros for malicious purposes has been growing in popularity since around February 2020. These macros are a valid Excel feature, added to the product in 1992, and are used by attackers as an evasion method.  It is important to point out that they are more cumbersome to reverse engineer than more commonly used VBA macros. From a user’s perspective, it looks like any other malicious Excel file, showing an image, requesting the enable content option to be selected, which allows the malicious macro to run. If the macro can execute, it downloads and runs the actual Bazar Loader payload. 

This is not the first time the BazaLoader attackers have used this attack chain, since January 2021, there have been several campaigns using lures other than streaming services, such as fake floral, lingerie, pharmaceutical and anti-virus organizations. What’s interesting about this attack chain is the malicious CampoLoader XLSB file is directly downloaded from a website, as is the final Bazar Loader payload. This indicates the elaborate social engineering efforts – the call center and fake streaming service websites – are being used to obviate the need to attach a malicious document to the phishing email; and therefore, evade potential detection of malicious documents in email. It could be an example of attackers adapting to many additional employees still working from home due to the pandemic. Corporate email protections still apply to remote users, however, web browsing usually goes directly from the user’s laptop to the internet, through their home network.                                                                                  

How Does BazaLoader Propagate? 

The malware does not contain the necessary code to self-propagate. This campaign relies on significant social engineering techniques to convince the user to open a malicious XLSB file, resulting in the downloading and execution of the BazaLoader malware. 

When/How Did BluVector Detect It? 

The BazaLoader sample related to this campaign was tested and BluVector patented Machine Learning Engine (MLE) detected it. Regression testing has shown the sample would have been detected 79 months prior to its release. The malicious XLSB file was also detected by BluVector MLE. 

All Threat Reports