Protect your organization against ransomware: aka.ms\/ransomware<\/a><\/em><\/p>\n Learn how attackers operate: Human-operated ransomware attacks: A preventable disaster<\/a><\/em><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n BazaCall campaigns forgo malicious links or attachments in email messages in favor of phone numbers that recipients are misled into calling. It\u2019s a technique reminiscent of vishing and tech support scams where potential victims are being cold-called by the attacker, except in BazaCall\u2019s case, targeted users must<\/em> dial the number. And when they do, the users are connected with actual<\/em> humans on the other end of the line, who then provide step-by-step instructions for installing malware into their devices. Thus, BazaCall campaigns require direct phone communication with a human and social engineering tactics to succeed. Moreover, the lack of obvious malicious elements in the delivery methods could render typical ways of detecting spam and phishing emails ineffective.<\/p>\n Figure 1. The flow of a typical BazaCall attack, from the spam email to social engineering to the payload being downloaded and hands-on-keyboard attacks<\/em><\/p>\n The use of another human element in BazaCall\u2019s attack chain through the abovementioned hands-on-keyboard control further makes this threat more dangerous and more evasive than traditional, automated malware attacks. BazaCall campaigns highlight the importance of cross-domain optics and the ability to correlate events in building a comprehensive defense against complex threats.<\/p>\n Microsoft 365 Defender<\/a> orchestrates protection across domains to deliver coordinated defense. In the case of BazaCall, Microsoft Defender for Endpoint<\/a> detects malware and attacker behavior resulting from the campaign, and these signals inform Microsoft Defender for Office 365<\/a> protections against related emails, even if these emails don\u2019t have the typical malicious artifacts. Microsoft threat analysts who constantly monitor BazaCall campaigns enrich the intelligence on this threat and enhance our ability to protect customers.<\/p>\n In this blog post, we discuss how a recent BazaCall campaign attempts to compromise systems and networks through the mentioned human elements and how Microsoft defends against it.<\/p>\n BazaCall campaigns begin with an email that uses various social engineering lures to trick target recipients into calling a phone number. For example, the email informs users about a supposed expiring trial subscription and that their credit card will soon be automatically charged for the subscription\u2019s premium version. Each wave of emails in the campaign uses a different \u201ctheme\u201d of subscription that is supposed to be expiring, such as a photo editing service or a cooking and recipes website membership. In a more recent campaign, the email does away with the subscription trial angle and instead poses as a confirmation receipt for a purchased software license.<\/p>\n Unlike typical spam and phishing emails, BazaCall\u2019s do not have a link or attachment in its message body that users must click or open. Instead, it instructs users to call a phone number in case they have questions or concerns. This lack of typical malicious elements\u2014links or attachments\u2014adds a level of difficulty in detecting and hunting for these emails. In addition, the messaging of the email\u2019s content might also add an air of legitimacy if the user has been narrowly trained to avoid typical phishing and malware emails but not taught to be wary of social engineering techniques.<\/p>\n Figure 2. A typical BazaCall email, claiming that the user’s trial for a photo editing service will soon expire, and that they will be automatically charged. A fake customer service number is provided to help cancel the subscription.<\/em><\/p>\n Each BazaCall email is sent from a different sender, typically using free email services and likely-compromised email addresses. The lures within the email use fake business names that are similar to the names of real businesses. A recipient who then searches the business name online to check the email\u2019s legitimacy may be led to believe that such a company exists and that the message they received has merit.<\/p>\n Some sample subject lines are listed below. They each have a unique \u201caccount number\u201d created by the attackers to identify the recipients:<\/p>\n While the subject lines in most of the observed campaigns contain similar keywords and occasional emojis, each one is unique because it includes an alphanumeric sequence specific to the recipient. This sequence is always presented as a user ID or transaction code, but it actually serves as a way for the attacker to identify the recipient and track the latter\u2019s responses to the campaign. The unique ID numbers largely follow the same pattern, which the regular expression [A-Z]{1,3}(?:\\d{9,15}) <\/em>can surface, <\/em>for example, L0123456789 <\/em>and KT01234567891.<\/em><\/p>\n In one recent BazaCall campaign, the unique ID was present in the body of the email, but not in the subject line:<\/p>\n Figure 3. A recent BazaCall email with the unique ID present only in the message body.<\/em><\/p>\n If a target recipient does decide to call the phone number indicated in the email, they will speak with a real person from a fraudulent call center set up by BazaCall\u2019s operators. The call center agent serves as a conduit to the next phase of the attack: during their conversation, an agent tells the caller they can help cancel the supposed subscription or transaction. To do so, the agent asks the caller to visit a website.<\/p>\n These websites are designed to look like legitimate businesses, some of which even impersonate actual companies. However, we have noted that some domain names do not always match the name of the fictitious business included in the email. For example, an email claiming that a user\u2019s free trial for \u201cPre Pear Cooking\u201d was set to expire was paired with the domain, \u201ctopcooks[.]us\u201d.<\/p>\n Figure 4. A sample website used in the BazaCall campaign. It mimics a real recipe website but is attacker-controlled.<\/em><\/p>\n The call center agent then instructs the user to navigate to the account page and download a file to cancel their subscription. The file is a macro-enabled Excel document, with names such as \u201ccancel_sub_[unique ID number].xlsb.\u201d Note that in some instances, we observed that even if security filters such as Microsoft Defender SmartScreen<\/a> are enabled, users intentionally bypass it to download the file, which indicates that the call center agent is likely instructing the user to circumvent security protocols, with the threat that their credit cards will be charged if they don\u2019t. Again, this demonstrates the effectiveness of social engineering tactics used in BazaCall attacks.<\/p>\n The downloaded Excel file displays a fake notification that it is protected by Microsoft Office. The call center agent then instructs the user to click on the button that enables editing and content (macros) to view the spreadsheet\u2019s contents. If the user enables the macro, BazaLoader malware is delivered to the device.<\/p>\n Figure 5. An Excel document used by the attackers, prompting the user to enable malicious code.<\/em><\/p>\n The enabled macro on the Excel document creates a new folder named with a random string of characters in the %programdata%<\/em> folder. It then copies certutil.exe<\/em><\/a>, a known living-off-the-land binary (LOLBin), from the System<\/em> folder and places the copy of certutil.exe<\/em> into the newly created folder as a means of defense evasion. Finally, the copy of certutil.exe<\/em> is renamed to match the random string of characters in the folder name.<\/p>\n The macro then uses the newly renamed copy of certutil.exe<\/em> to connect to the attacker infrastructure and download BazaLoader. This downloaded payload is a malicious dynamic link library (.dll<\/em>) and is loaded by rundll32.exe<\/em>. Rundll32<\/em> then injects a legitimate MsEdge.exe<\/em> process to connect to a BazaLoader command-and-control (C2) and establish persistence by using Edge to create a .lnk<\/em> (shortcut) file to the payload in the Startup<\/em> folder. The injected MsEdge.exe<\/em> is also used for reconnaissance, collecting system and user information, domains on the networks, and domain trusts.<\/p>\n The rundll32.exe<\/em> process retrieves a Cobalt Strike beacon that enables the attacker to have hands-on-keyboard control of the device. Now with direct access, the attacker performs reconnaissance on the network and searches for local administrators and high-privilege domain administrator account information.<\/p>\n The attacker also conducts further extensive reconnaissance using ADFind<\/a>, a free command-line tool designed for Active Directory discovery. Often, information gathered from this reconnaissance is saved to a text file and viewed by the attacker using the \u201cType\u201d<\/em> command in the command prompt.<\/p>\n Once the attacker has established a list of target devices on the network, they use Cobalt Strike\u2019s custom, built-in PsExec<\/a> functionality to move laterally to the targets. Each device the attacker lands on establishes a connection to the Cobalt Strike C2 server. Additionally, certain devices are used for additional reconnaissance by downloading open-source tools designed to steal browser passwords. In some instances, the attackers also used WMIC<\/a> to move laterally to high-value targets, such as Domain Controllers.<\/p>\n When the attacker lands on a selected high-value target, they use 7-Zip to archive intellectual property for exfiltration. The archived files are named after the type of data they contain, such as IT information, or information about security operations, finance and budgeting, and details specific to each target\u2019s industry. The attacker then uses a renamed version of the open-source tool, RClone,<\/em> to exfiltrate these archives to an attacker-controlled domain.<\/p>\n Figure 6 Post-compromise activity on the target, including exfiltration and ransomware.<\/em><\/p>\n Finally, on domain controller devices, the attacker uses NTDSUtil.exe<\/em>\u2014a legitimate tool typically used to create and maintain the Active Directory database\u2014to create a copy of the NTDS.dit<\/em> Active Directory database, in either the %programdata%<\/em> or %temp%<\/em> folders, for subsequent exfiltration. NTDS.dit contains user information and password hashes for all users in the domain.<\/p>\n In some instances, data exfiltration appeared to be the primary objective of the attack, which would typically be in preparation for future activity. However, in other instances, the attacker deploys ransomware after conducting the previously described activity. In those cases where ransomware was dropped, the attacker used high-privilege compromised accounts in conjunction with Cobalt Strike\u2019s PsExec functionality to drop a Ryuk or Conti ransomware payload onto network devices.<\/p>\n While many cybersecurity threats rely on automated, drive-by tactics (for example, exploiting system vulnerabilities to drop malware or compromising legitimate websites for a watering hole attack) or develop advanced detection evasion methods, attackers continue to find success in social engineering and human interaction in attacks. The BazaCall campaign replaces links and attachments with phone numbers in the emails it sends out, posing challenges in detection, especially by traditional antispam and anti-phishing solutions that check for those malicious indicators.<\/p>\n The lack of typical malicious elements in BazaCall\u2019s emails and the speed with which their operators can conduct an attack exemplify the increasingly complex and evasive threats that organizations face today. Microsoft 365 Defender<\/a> provides the cross-domain visibility and coordinated defense to protect customers against such threats. The ability to correlate events across endpoints and emails is crucial in the case of BazaCall, given its distinct characteristics. Microsoft Defender for Endpoint<\/a> detects implants such as BazaLoader and Cobalt Strike, payloads such as Conti and Ryuk, and subsequent attacker behavior. These endpoint signals are correlated with email threat data, informing Microsoft Defender for Office 365<\/a> to block the BazaCall emails, even if these emails don\u2019t have the typical malicious artifacts.<\/p>\n Microsoft 365 Defender further enables organizations to defend against this threat through rich investigations tools like advanced hunting, allowing security teams to locate related or similar activities and seamlessly resolve them.<\/p>\n <\/p>\n Justin Carroll <\/em><\/strong>and <\/em>Emily Hacker<\/em><\/strong><\/p>\n Microsoft 365 Defender Threat Intelligence Team<\/em><\/p>\n <\/p>\n The following Advanced Hunting Queries are accurate as of the time of publish of this blog. For the most up-to-date queries, please visit aka.ms\/BazaCall<\/a>.<\/p>\n To locate possible exploitation activity, run the following queries in the Microsoft 365 Defender portal<\/u>.<\/p>\n BazaCall emails<\/strong><\/p>\n To look for malicious emails matching the patterns of the BazaCall campaign, run this query<\/a>.<\/p>\n BazaCall Excel file delivery<\/strong><\/p>\n To look for signs of web file delivery behavior matching the patterns of the BazaCall campaign, run this query<\/a>.<\/p>\n BazaCall Excel file execution<\/strong><\/p>\n To surface the execution of malicious Excel files associated with BazaCall, run this query<\/a>.<\/p>\n BazaCall Excel file download domain pattern<\/strong><\/p>\n To look for malicious Excel files downloaded from .XYZ<\/em> domains, run this query<\/a>.<\/p>\n BazaCall dropping payload via certutil<\/strong><\/p>\n To look for the copy of certutil.exe<\/em> that was used to download the BazaLoader payload, run this query<\/a>.<\/p>\n NTDS theft<\/strong><\/p>\n To look for theft of Active Directory in paths used by this threat, run this query<\/a>.<\/p>\n Renamed Rclone data exfiltration<\/strong><\/p>\n To look for data exfiltration using renamed Rclone, run this query<\/a>.<\/p>\n RunDLL Suspicious Network Connections<\/strong><\/p>\n To look for RunDLL making suspicious network connections, run this query<\/a>.<\/p>\n![\"Diagram](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/07\/Figure1-BazaCall-attack-chain-f.png\")
<\/p>\nOut with the links and attachments, in with the customer service phone numbers<\/h2>\n
![\"Screenshot](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/07\/Figure2-sample-email-1.png\")
<\/p>\n\n
![\"Screenshot](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/07\/Figure3-sample-BazaCall-email-2.png\")
<\/p>\n![\"Screenshot](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/07\/Figure4-BazaCall-sample-website.png\")
<\/p>\n![\"Screenshot](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/07\/Figure5-BazaCall-Excel-file.png\")
<\/p>\nHands-on-keyboard control for selective data exfiltration<\/h2>\n
![\"Diagram](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/07\/Figure6-BazaCall-post-compromise-f.png\")
<\/p>\nDetecting BazaCall through cross-domain visibility and threat intelligence<\/h2>\n
Advanced hunting queries<\/h2>\n
EmailEvents
\n| where Subject matches regex @\"[A-Z]{1,3}\\d{9,15}\"
\nand Subject has_any('trial', 'free', 'demo', 'membership', 'premium', 'gold',
\n'notification', 'notice', 'claim', 'order', 'license', 'licenses')<\/code><\/p>\nDeviceFileEvents
\n| where FileOriginUrl has \"\/cancel.php\" and FileOriginReferrerUrl has \"\/account\"
\nor FileOriginUrl has \"\/download.php\" and FileOriginReferrerUrl has \"\/case\"<\/code><\/p>\nDeviceProcessEvents
\n| where InitiatingProcessFileName =~ \"excel.exe\"
\nand ProcessCommandLine has_all('mkdir', '&& copy', 'certutil.exe')<\/code><\/p>\nDeviceNetworkEvents
\n| where RemoteUrl matches regex @\".{14}\\.xyz\/config\\.php\"<\/code><\/p>\nDeviceFileEvents
\n| where InitiatingProcessFileName !~ \"certutil.exe\"
\n| where InitiatingProcessFileName !~ \"cmd.exe\"
\n| where InitiatingProcessCommandLine has_all(\"-urlcache\", \"split\", \"http\")<\/code><\/p>\nDeviceProcessEvents
\n| where FileName =~ \"ntdsutil.exe\"
\n| where ProcessCommandLine has_any(\"full\", \"fu\")
\n| where ProcessCommandLine has_any (\"temp\", \"perflogs\", \"programdata\")
\n\/\/ Exclusion
\n| where ProcessCommandLine !contains @\"Backup\"<\/code><\/p>\nDeviceProcessEvents
\n| where ProcessVersionInfoProductName has \"rclone\" and not(FileName has \"rclone\")<\/code><\/p>\n