Cybersecurity Threat Advisory 0033-21: Malicious Call Centers Spreading BazarLoader Malware
Security researchers have released their latest findings on BazarLoader, malware that provides backdoor access to an infected Windows host. Threat actors will use this malware to infect and infiltrate a victim’s system, send follow-up malware and exploit other vulnerable hosts. Reports show that BazarLoader threat actors send malicious emails under the guise of a notification that a trial subscription is expiring that encourages potential victims to call a malicious call center. An operator answers and guides victims into infecting their computers with the malware.
SKOUT recommends deploying advanced endpoint protection and spam filtering to protect against BazarLoader.
Technical Detail & Additional Information
WHAT IS THE THREAT?
The threat actor behind BazarLoader is using a unique chain of attack in order to gain access to their victims’ systems. The malicious call center will tell the victim to download an Excel file and enable macros. Once the macros are enabled, the computer will run the BazarLoader executable, and threat actors will be able to exfiltrate data, complete further reconnaissance, and attack other hosts on your network.
WHY IS IT NOTEWORTHY?
Attacks with BazarLoader have spiked and continued to develop new functionality and tools, increasing the ease, speed, and profitability of victimization. After initial installation, threat actors will install “follow-up malware” like Cobalt Strike, Anchor and even the infamous Ryuk ransomware-as-a-service. Outside of these three documented ransomware variants, BazarLoader’s backdoor access could allow threat actors to load other types of malware onto an infected window’s host.
WHAT IS THE EXPOSURE OR RISK?
Since Bazar was discovered in 2016 it has been involved in information stealing, credential theft, ransomware, bitcoin mining, and loading other common crimeware malware as a first or second stage loader. The malware has recently added a Remote Desktop Protocol (RDP) brute force, scanner module, an Active Directory (AD) harvesting module. It is important to note that its TrickBot group prefers to use shellcode “file-less” modules making detection more difficult. The access that BazarLoader offers threat actors into peoples’ systems could lead to extended periods of downtime, lost revenue and damage to a business and should not be taken lightly.
WHAT ARE THE RECOMMENDATIONS?
To prevent infection, SKOUT recommends that MSPs take the following actions:
- Deploy advanced endpoint protection throughout your network and ensure the agents are updated.
- Perform end user training to be wary of suspicious calls asking victims to perform unusual actions and emails that may contain malicious links or attachments.
- Implement email protection to defend against phishing attacks.
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Security Operations Center.