Microsoft Warns That Hackers Are Using Call Centers to Trick Users Into Downloading Ransomware

The BazarCall group is trying to fool users into thinking they will be billed for a subscription unless they download an infected file.

The Microsoft logo at the International Cybersecurity Forum in January 2020 in Lille, France.
Photo: Denis Charlet/AFP (Getty Images)

Microsoft is warning that a cybercrime group named BazarCall is using call centers to trick users into installing powerful malware, ZDNet reported on Wednesday.

The malware in question, known as BazarLoader, has been used to distribute ransomware, which encrypts a targeted computer or network’s file system and typically delivers a ransom demand to be paid in cryptocurrency to salvage it. According to Palo Alto Networks threat intelligence analyst Brad Duncan, BazarLoader “provides backdoor access to an infected Windows host” and infections usually “follow a distinct pattern of activity.” Since February 2021, Duncan wrote, security researchers have noticed an unusual pattern of call center activity in BazarLoader infections.

Duncan wrote that the first step in the chain is a phishing email informing the target that a trial subscription to some service has ended and will soon be billed, listing a phone number for customer support. When the target calls, a call center operator directs them to download an infected Excel spreadsheet and enable macros on it, then informs them they have successfully unsubscribed from the service. Unbeknownst to the target, BazarLoader is now in control of their machine and can download whatever malware the people behind the hack want.


Additionally, Duncan wrote that the call center operation appears to involve a number of different individuals following a basic script, indicating it is complicated and involves a high degree of organization:

A video has been posted on YouTube documenting someone posing as a victim and having a center operator guide them through the fake unsubscription process. We contacted this call center on at least five different occasions, and the operator was a different person each time. All operators were seemingly non-native English speakers. Two of the operators were female, and three were male. Each operator followed the same basic script, but there were variations.


Microsoft Security Intelligence (referring to the group as BazaCall) tweeted on Tuesday evening that it is “tracking an active BazaCall malware campaign leading to human-operated attacks and ransomware deployment” that was targeting users of its Office 365 business software. Microsoft has set up and is actively updating a GitHub page for security professionals with information and files on the BazarCall effort.

“In this campaign, Microsoft observed adversary activity using Cobalt Strike, where attackers stole credentials, including the Active Directory database, and exfiltrated data using rclone,” the company added. “The lack of malicious elements in the emails can be a challenge for detection. Microsoft 365 Defender’s cross-domain visibility allows endpoint signals to inform Microsoft Defender for Office 365 protections against the emails, ensuring comprehensive defense against this attack.”