Ransomware Gangs Adopt Callback Phishing Techniques for Gaining Initial Network Access
Multiple ransomware groups have adopted the BazarCall callback phishing technique to gain initial access to victims’ networks, including threat actors that have targeted the healthcare sector.
BazarCall is a type of callback phishing, where organizations are targeted and sent ‘phishing’ emails that request a call to a telephone number to resolve an important issue. As with standard phishing campaigns, there is urgency – If no action is taken, there will be bad consequences. The telephone number provided is manned by the threat actor, who is well versed in social engineering techniques and will attempt to trick the caller into taking actions that will give the threat actor access to the victims’ network. That action could be to visit a malicious website or download a malicious file. According to cybersecurity firm Agari, phishing attacks have increased by 6% since Q1, 2021; however, hybrid phishing attacks, including callback phishing, increased 625% over the same period.
In the BazarCall campaign, the targeted individual is told in the email that a subscription or free trial is coming to an end and it will auto-renew at a cost. In order to cancel the subscription, the user must call the number provided. If the call is made, the threat actor will attempt to get the user to initiate a Zoho Remote Desktop Control session, which it is claimed is necessary to cancel the subscription. Zoho is legitimate business software; however, in this case, it is used for malicious purposes. While the user converses with the threat actor that answers the call, a second member of the team will use the remote access session to silently weaponize legitimate tools that can be used for an extensive compromise of the victim’s network.
BazarCall was first utilized by the Ryuk ransomware operation in 2020/2021. Ryuk was disbanded and reformed as Conti, and both were prolific ransomware-as-a-service operations. The campaigns were identified by security researchers at AdvIntel, who have tied the campaigns to three cybercriminal groups that broke away from the Conti ransomware operation before it shut down.
According to AdvIntel, BazarCall started to be used by the Conti ransomware gang in March 2022, and in April, a new ransomware group – Silent Ransom – broke away from the Conti operation and adopted the BazarCall technique for initial access. The technique was refined and a second threat group – Quantum – broke away from Conti and started using its own version of BazarCall. In June, a third group – Roy/Zeon – broke away from Conti and started using its own version of BazarCall.
Each threat group impersonates different companies in the initial emails, such as Duolingo, MasterClass, Oracle, HelloFresh, CrowdStrike, RemotePC, Standard Notes, and many more. The lures used vary but generally relate to an upcoming payment due to the end of a subscription or trial period, with the brands impersonated related to the industry being targeted.
AdvIntel says that while the Silent Ransom group was the first threat group to resurrect the BazarCall phishing tactic, seeing the success, efficiency, and targeting capabilities of the tactic, other threat groups have begun using the reversed phishing campaign as a base and developing the attack vector into their own. “This trend is likely to continue: As threat actors have realized the potentialities of weaponized social engineering tactics, it is likely that these phishing operations will only continue to become more elaborate, detailed, and difficult to parse from legitimate communications as time goes on,” warn the researchers.
Defending against callback phishing emails can be difficult to the lack of malicious content in the initial phishing emails, which means they are unlikely to be flagged as malicious by email security solutions. The best defense to prevent the attacks is to ensure that callback phishing is covered in security awareness training and to include examples of callback phishing in internal phishing simulations.