BazarCall
BazarCall is a phishing toolkit and callback-based social engineering campaign used as an initial access mechanism to infect victims with malware. It was observed being distributed via live call centers beginning in late January and was named BazarCall, or BazaCall, because it was initially used to install BazarLoader. The campaign typically starts with phishing emails sent to corporate users claiming that a free trial is about to expire and that the recipient will be charged unless they cancel by calling a phone number. Emails often impersonate fictitious companies such as Medical reminder service, Inc., iMed Service, Inc., Blue Cart Service, Inc., and iMers, Inc., and use subjects including "Thank you for using your free trial" and "Your free trial period is almost over!"
When a victim calls, a live call center agent asks for a unique customer ID from the email to validate whether the caller is a targeted victim. Validated victims are directed to a fake website posing as the service company, where entering the customer ID triggers download of a malicious Excel file in .xls or .xlsb format. The victim is then instructed to open the file and click "Enable Content" to activate malicious macros; in some observed cases, operators also told victims to disable antivirus software. Enabling the macros downloads and executes malware on the victim system.
Although BazarCall initially delivered BazarLoader, reporting states that it later also distributed TrickBot, IcedID, Gozi ISFB, and other malware. These infections can provide remote access into compromised corporate networks and enable lateral movement, data theft, and ransomware deployment. BazarLoader and TrickBot have been used to deploy Ryuk and Conti ransomware, while IcedID has been used to deploy Maze and Egregor. Microsoft Security Intelligence also described BazarCall as a scam that infects victims by getting them to call a fake call center, and reporting noted that BazarCall infections can lead to Anchor malware, which uses DNS tunneling for command-and-control.
The campaign has been linked in reporting to operators associated with Conti and Ryuk activity, and researchers initially linked later Silent Ransom Group/Luna Moth operations to BazarCall-style attacks. EclecticIQ linked Luna Moth to operators behind the BazarCall campaign, which previously deployed Conti and Ryuk ransomware. Researchers assessed the operation may function as a Distribution-as-a-Service platform used by multiple threat actors. The campaign remained effective in part because payloads often had low detection rates and the operators frequently rotated phone numbers and hosting infrastructure.
Groups observed using it
2 distinct threat actors attributed by public researchers.
Initially, researchers linked the hackers to BazarCall attacks, which were used by operators of ransomware groups such as Conti and Ryuk.
The new malware was discovered being distributed by call centers in late January and is named BazarCall, or BazaCall, as the threat actors initially used it to install the BazarLoader malware.
Techniques & procedures
7 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
Like many malware campaigns, BazarCall starts with a phishing email but from there deviates to a novel distribution method - using phone call centers to distribute malicious Excel documents that install malware.
Instead of bundling attachments with the email, BazarCall emails prompt users to call a phone number to cancel a subscription before they are automatically charged.
Execution
2 techniques
When the Excel macros are enabled, the BazarCall malware will be downloaded and executed on the victim's computer.
When the user enters their customer ID number, the website will automatically prompt the browser to download an Excel document (xls or xlsb). The call center agent will then help the victim open the file and click on the 'Enable Content' button to enable malicious macros.
Command and Control
2 techniques
In the past several years, we have seen multiple malware samples using DNS tunneling to exfiltrate data... Anchor malware that uses DNS tunneling to communicate with C2 servers... DNS tunneling is an old technique that allows attackers to communicate with C2 servers and exfiltrate data through many firewalls.
Other
1 technique
IOCs tracked for this family
3 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
Recent activity
6 sources tracked across advisories, community write-ups, and news.
BazarCall is referenced as a named attack framework/campaign used for callback-phishing style initial access and associated with operators of major ransomware groups.
Named malware/social-engineering delivery cluster referenced in the content with alternate spellings.
A callback-phishing campaign/toolset associated in the content with operators later linked to Luna Moth and previously used to facilitate deployment of ransomware.
A social-engineering-driven malware loader campaign that tricks victims into calling a fake call center, leading to malware infection.