Evolution of BazarCall Social Engineering Tactics

The article documents BazarCall’s evolution from link-based email bait to phone-based social engineering: the email carries no malicious link, only a callback number, and the human operator on the line talks the victim into downloading malware, historically BazarLoader and later families such as Trickbot, Gozi IFSB, and IcedID. It outlines a three-phase attack (bait, attack, kill), infection hotspots (the United States and Canada, with India and China also targeted), and the Trellix detection rules that cover it. #BazaarCall #BazaarLoader #Trickbot #GoziIFSB #IcedID #REvil

Keypoints

  • The BazarCall campaigns replace malicious links with phone-based social engineering, connecting victims to human operators who guide malware installation.
  • BazarLoader often served as the entry point and historically led to ransomware (e.g., a documented intrusion went from BazarLoader to Conti deployment in about 32 hours); later campaigns distributed Trickbot, Gozi IFSB, IcedID, and others.
  • The attack flow is broken into three phases: Phase 1, the bait (the notification email); Phase 2, the attack (the phone call, with conversation scripts that vary by lure); Phase 3, the kill (malware execution and remote access).
  • Phase 1 typically uses fake notification emails impersonating brands like Geek Squad, Norton, McAfee, PayPal, and Microsoft to lure targets.
  • Phase 3 describes how the downloaded executable (often named “support.Client.exe”) is run, drops additional files including ScreenConnect components, and gives the operator remote access to the machine for fraud or further malware deployment. ScreenConnect is a legitimate remote-support product, so the resulting session can blend in with ordinary IT support traffic.
  • The campaigns have been most active in the United States and Canada, with notable targeting of India and China.
  • Trellix provides detection coverage and rules (EL_FRML_UNDIS_ORDER, EL_GEEK_SQUAD_SCAM, EL_VISHING_RCVD_FREEMAIL, EL_GEN_SCAM_HUNT, EL_VISHING_RCVD_ZERODAY) to block BazarCall at various levels.
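The Phase 1 bait described above has a recognisable shape: a brand impersonation, a charge or renewal the recipient must cancel, a callback phone number, no link to click, and (per the rule name EL_VISHING_RCVD_FREEMAIL) often a freemail sender. The following is an added example, not code from the Trellix article and not Trellix's rule logic, that scores constructed messages on those five traits. The brand list comes from the page; the freemail domain list, the phone-number regex and the sample messages are assumptions made here.

```python
import re
from dataclasses import dataclass

# Brands the page says Phase 1 bait emails impersonate.
IMPERSONATED_BRANDS = ("geek squad", "norton", "mcafee", "paypal", "microsoft")
# Bait wording: a charge, order or renewal the victim must phone in to cancel.
THEME_RE = re.compile(r"\b(subscription|renewal|renewed|order|invoice|charged|cancel|refund)\b")
# Assumed freemail providers for the "received from freemail" signal; not a list from the source.
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "aol.com"}
# North-American style callback number, e.g. "(800) 555-0199" or "1-800-555-0199" (assumption).
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
URL_RE = re.compile(r"https?://|\bwww\.", re.IGNORECASE)


@dataclass
class Email:
    sender: str
    subject: str
    body: str


def sender_domain(address: str) -> str:
    return address.strip("<> ").rsplit("@", 1)[-1].lower()


def score_bait(msg: Email) -> dict:
    """Score one message on the five bait traits and return the signals plus a verdict."""
    text = f"{msg.subject}\n{msg.body}".lower()
    theme = THEME_RE.search(text)
    signals = {
        "brand": next((b for b in IMPERSONATED_BRANDS if b in text), None),
        "theme": theme.group(1) if theme else None,
        "has_phone": PHONE_RE.search(text) is not None,
        "has_url": URL_RE.search(text) is not None,
        "from_freemail": sender_domain(msg.sender) in FREEMAIL_DOMAINS,
    }
    score = sum([
        signals["brand"] is not None,
        signals["theme"] is not None,
        signals["has_phone"],
        not signals["has_url"],
        signals["from_freemail"],
    ])
    # The defining trait is "call this number" with nothing to click; the rest raise confidence.
    is_bait = signals["has_phone"] and not signals["has_url"] and score >= 4
    return {"sender": msg.sender, "subject": msg.subject, "score": score, "is_bait": is_bait, **signals}


def triage(messages):
    return [score_bait(m) for m in messages]


# Constructed sample messages (not from the source): one bait, one legitimate receipt, one internal note.
SAMPLE_EMAILS = [
    Email("billing.dept.8831@gmail.com", "Your Geek Squad subscription has been renewed",
          "Dear customer, your annual Geek Squad protection plan has been renewed and $349.99 was charged. "
          "To cancel or request a refund call our helpdesk at (800) 555-0199 within 24 hours."),
    Email("service@paypal.com", "Receipt for your payment",
          "You sent $20.00 to Example Store. View details at https://www.paypal.com/activity"),
    Email("alice@corp.example", "Friday lunch", "Call me at 212-555-0100 if you can make it."),
]

if __name__ == "__main__":
    for r in triage(SAMPLE_EMAILS):
        print(f'{r["score"]}/5 bait={r["is_bait"]!s:5} {r["sender"]:30} {r["subject"]}')
```

The verdict deliberately requires the phone-number-and-no-link combination rather than a bare score, because a genuine vendor receipt usually scores on brand and theme too; what separates it from BazarCall bait is that it links you somewhere instead of telling you to call.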

MITRE Techniques

  • [T1106] Native API – Adversaries may interact with the native OS application programming interface (API) to execute behaviors.
  • [T1027.002] Software Packing – Adversaries may perform software packing or virtual machine software protection to conceal their code.
  • [T1553.002] Code Signing – Adversaries may create, acquire, or steal code signing materials to sign their malware or tools.
  • [T1112] Modify Registry – Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
  • [T1056.004] Credential API Hooking – Adversaries may hook into Windows application programming interface (API) functions to collect user credentials.
  • [T1012] Query Registry – Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
  • [T1082] System Information Discovery – An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.
  • [T1573] Encrypted Channel – Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol.
  • [T1113] Screen Capture – Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation.
  • [T1563] Remote Service Session Hijacking – Adversaries may take control of preexisting sessions with remote services to move laterally in an environment.

Indicators of Compromise

  • [Domain] healthcenter[.]cc – used to host malicious sites and related content in the BazarCall workflow (e.g., fake cancellation sites and download domains).
  • [File Name] support.Client.exe – the executable the operator has the victim download and run in Phase 3; it drops further components, including ScreenConnect, rather than being the final payload.
  • [SHA-256] ead2b47848758a91466c91bed2378de1253d35db3505b5f725c289468d24645b – sample hash observed in infection flows.
  • [SHA-1] bc664ec8dff62f5793af24f6ca013e29498062f2 – sample hash observed in infection flows.
  • [MD5] 1e88b21d4c7d51f312337b477167ed25 – sample hash observed in infection flows.
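The indicators above are a domain (defanged with "[.]"), a file name and three hashes. The following is an added example, not code from the Trellix article, that refangs the domain, matches DNS and process-creation events against these indicators, and adds a context flag when the loader is launched from a user's download folder by a browser, which is how the Phase 3 download is described. The telemetry records are constructed here; the browser process names and the "Downloads" path convention are assumptions, and the page does not say whether the three hashes belong to a single file, so each is matched independently.

```python
import re

# Indicators exactly as listed on this page; the domain stays defanged here and is refanged for matching.
IOC_DOMAINS = {"healthcenter[.]cc"}
IOC_FILENAMES = {"support.client.exe"}          # compared case-insensitively
IOC_HASHES = {
    "ead2b47848758a91466c91bed2378de1253d35db3505b5f725c289468d24645b",  # SHA-256
    "bc664ec8dff62f5793af24f6ca013e29498062f2",                          # SHA-1
    "1e88b21d4c7d51f312337b477167ed25",                                  # MD5
}
HEX_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}  # assumption: common download parents


def refang(indicator: str) -> str:
    """Turn defanged notation ("[.]", "hxxp") back into a matchable, lower-cased form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


MATCH_DOMAINS = {refang(d) for d in IOC_DOMAINS}


def domain_matches(observed: str, ioc: str) -> bool:
    """Exact or subdomain match: cancel.healthcenter.cc hits healthcenter.cc, healthcenter.com does not."""
    observed = observed.lower().rstrip(".")
    return observed == ioc or observed.endswith("." + ioc)


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def match_event(ev: dict) -> list:
    """Return the list of indicator hits for one DNS or process-creation event."""
    hits = []
    if ev["type"] == "dns":
        hits += [f"domain:{d}" for d in MATCH_DOMAINS if domain_matches(ev["query"], d)]
    elif ev["type"] == "process":
        name = basename(ev["image"])
        if name.lower() in IOC_FILENAMES:
            hits.append(f"filename:{name}")
        for algo in ("md5", "sha1", "sha256"):
            digest = ev.get(algo, "").lower()
            if HEX_RE.match(digest) and digest in IOC_HASHES:
                hits.append(f"{algo}:{digest}")
        # Hashes and names are cheap for the operator to change; the execution context is more durable.
        from_downloads = "/downloads/" in ev["image"].replace("\\", "/").lower()
        spawned_by_browser = basename(ev.get("parent", "")).lower() in BROWSERS
        if hits and from_downloads and spawned_by_browser:
            hits.append("context:browser-download-execution")
    return hits


def hunt(events):
    findings = []
    for ev in events:
        hits = match_event(ev)
        if hits:
            findings.append({"host": ev["host"], "type": ev["type"], "hits": hits})
    return findings


# Constructed sample telemetry (not from the source): two DNS queries and two process starts.
SAMPLE_EVENTS = [
    {"type": "dns", "host": "WS-042", "query": "cancel.healthcenter.cc"},
    {"type": "dns", "host": "WS-042", "query": "www.healthcenter.com"},
    {"type": "process", "host": "WS-042",
     "image": r"C:\Users\jdoe\Downloads\support.Client.exe",
     "parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "sha256": "EAD2B47848758A91466C91BED2378DE1253D35DB3505B5F725C289468D24645B"},
    {"type": "process", "host": "WS-017",
     "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe",
     "sha256": "0" * 64},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f'{f["host"]} {f["type"]}: {", ".join(f["hits"])}')
```

Because ScreenConnect is a legitimate remote-support product, a file-name hit on its own is a lead rather than a verdict; the context flag (browser-spawned execution from a download folder) together with a DNS hit on the cancellation domain from the same host is what turns it into an incident worth paging on.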

Read more: https://www.trellix.com/en-us/about/newsroom/stories/research/evolution-of-bazarcall-social-engineering-tactics.html