"Hackers Using Fake Streaming Site to Distribute BazaLoader Malware Dropper"
Security researchers at Proofpoint discovered a new phishing campaign built around a fake movie-streaming website called BravoMovies, which displays posters for popular films and other content to appear legitimate to unsuspecting visitors. The hackers behind the site sent carefully crafted emails to hundreds of recipients, notifying them that they had subscribed to the BravoMovies streaming service on a 30-day free trial and would be charged $39.99 once the trial period ends. The emails themselves contain no malicious attachments or links; instead, they present a customer service number that recipients are told to call in order to unsubscribe. When a recipient calls the number, the fraudsters direct them to the website's Frequently Asked Questions (FAQ) page, tell them to follow the unsubscribe instructions on the Subscription page, and have them download an Excel sheet to complete the process. The Excel sheet contains macros that, if enabled, download BazaLoader.

BazaLoader is a downloader written in C++ that retrieves and executes additional modules. According to Proofpoint, multiple threat actors have been observed using BazaLoader as a loader for disruptive malware, including Ryuk and Conti ransomware. The Proofpoint researchers strongly believe there is overlap between the distribution and post-exploitation activity of BazaLoader and the threat actors behind The Trick malware, also known as TrickBot.

Previously observed BazaLoader email campaigns have likewise required significant human interaction to execute the malware; earlier lures included subscription pharmaceutical services, flower orders, and more. By using attack chains that depend on this much human interaction, threat actors evade automated threat detection services that only flag malicious links or attachments in email. This article continues to discuss the use of a fake streaming service to distribute the BazaLoader malware dropper and previous findings surrounding BazaLoader.
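The detection gap the summary points at (scanners that inspect only links and attachments have nothing to flag in an email whose call to action is a phone number) can be illustrated with a small heuristic. The following is an added example, not code from Proofpoint, TEISS or the original article; the message texts and phone numbers are constructed, and the scoring weights and `BILLING_TERMS` list are arbitrary assumptions chosen for illustration, not a published detection rule.

```python
"""
Heuristic triage for "callback" phishing: messages that carry no link or
attachment but push the reader to phone a number over a billing/trial lure.
Added educational example; every sample message below is constructed.
"""
import re
from dataclasses import dataclass

# Loose North-American phone pattern; good enough for a triage signal.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Lure vocabulary (assumed list): subscription/billing pressure phrases.
BILLING_TERMS = ("free trial", "subscription", "will be charged",
                 "unsubscribe", "cancel", "billed")


@dataclass
class Message:
    subject: str
    body: str
    has_attachment: bool


def score_callback_lure(msg: Message) -> dict:
    """Return a score and the reasons behind it; >= 5 is treated as suspicious."""
    text = f"{msg.subject}\n{msg.body}".lower()
    phones = PHONE_RE.findall(text)
    urls = URL_RE.findall(text)
    terms = [t for t in BILLING_TERMS if t in text]

    score = 0
    reasons = []
    if phones:
        score += 2
        reasons.append(f"phone number(s) present: {phones}")
    if terms:
        score += min(len(terms), 3)  # cap so vocabulary alone cannot trigger
        reasons.append(f"billing/trial lure terms: {terms}")
    if phones and not urls and not msg.has_attachment:
        # This is the BravoMovies-style shape: the only action the reader can
        # take is to call, so link and attachment scanners see nothing.
        score += 2
        reasons.append("call-to-action is a phone number; no link or attachment to scan")

    return {"score": score, "suspicious": score >= 5,
            "phones": phones, "billing_terms": terms, "reasons": reasons}


# Constructed samples (not real campaign emails; 555-01xx numbers are fictional).
SAMPLES = [
    Message("Your BravoMovies free trial is ending",
            "Thank you for subscribing to BravoMovies. Your 30-day free trial "
            "ends soon and your card will be charged $39.99 per month. To cancel "
            "or unsubscribe, call customer service at 555-010-0123.",
            has_attachment=False),
    Message("Weekly newsletter",
            "Read this week's stories at https://example.com/news. Manage your "
            "subscription preferences at https://example.com/prefs.",
            has_attachment=False),
    Message("Your order has shipped",
            "Thanks for your order. Track it at https://example.com/track. "
            "Questions? Call 555-010-0199.",
            has_attachment=False),
]


def triage(messages=SAMPLES) -> list:
    """Score every message; returns the list of result dicts in input order."""
    return [score_callback_lure(m) for m in messages]


if __name__ == "__main__":
    for m, result in zip(SAMPLES, triage()):
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"[{flag:10}] score={result['score']} subject={m.subject!r}")
        for r in result["reasons"]:
            print("    -", r)
```

The third sample shows why the no-link condition matters: a legitimate shipping notice also carries a phone number, but it offers a link as well and uses no trial or billing-pressure vocabulary, so it stays well below the threshold. In practice this signal belongs in a triage pipeline next to sender reputation and lookalike-domain checks, not as a standalone block rule.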
TEISS reports "Hackers Using Fake Streaming Site to Distribute BazaLoader Malware Dropper"