Malicious Email Campaign to Trick Targets into Downloading Malware

powersolution.com, through our relationship with InfraGard and the New Jersey Cybersecurity & Communications Integration Cell (NJCCIC), has been alerted to a new email threat dubbed ‘BazarCall.’ Threat actors are combining customer-service call centers with phishing emails to spread several families of malware. Similar to other email-based scams powersolution.com has recently reported, the phishing email in this campaign claims that the recipient’s free trial of a well-known service, such as DocuSign, is about to expire and urges them to call the included phone number to avoid subscription charges.

[Image: DocuSign-themed BazarCall phishing email. Image source: Bleeping Computer]

The email itself carries no malicious link or attachment, so it slips past email security solutions that key on those indicators, and the call-center step lends the scam an air of legitimacy. If the recipient calls the included phone number, they are asked for the unique customer ID printed in the email. Once the “agent” confirms the ID, the caller is directed to the company’s webpage, told to download an Excel document and to enable its macro, which infects the device with malware. The campaign has been observed distributing several malware families, including TrickBot and IcedID, which are often used to stage a later ransomware deployment.
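The payload in this campaign is an Excel document whose macro the victim is talked into enabling. The following Python check is an added example, not code from the advisory or from powersolution.com: it inspects a file the way a mail gateway or endpoint triage script might, reporting whether an OOXML workbook contains a VBA project (stored in the ZIP member xl/vbaProject.bin) or an Excel 4.0 macro sheet (stored under xl/macrosheets/), and flagging legacy OLE2 binaries, which need an OLE parser to inspect. The sample workbooks are constructed in memory for the demo and are not real spreadsheets.

```python
import io
import zipfile

# Legacy binary Office container (.xls/.doc) magic bytes; VBA inside these needs an
# OLE parser such as oletools, so this check only reports the container type.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def classify_office_file(data: bytes) -> str:
    """Classify raw file bytes as one of:
    'ooxml-vba-macro', 'ooxml-xlm-macro', 'ooxml-no-macro', 'ole2-legacy', 'not-office'.
    """
    if data.startswith(OLE2_MAGIC):
        return "ole2-legacy"
    if not data.startswith(b"PK"):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return "not-office"
    # Every OOXML package carries a content-types part; a plain ZIP does not.
    if "[Content_Types].xml" not in names:
        return "not-office"
    lowered = [n.lower() for n in names]
    # A VBA project part anywhere in the package means "Enable Content" runs code.
    if any(n.endswith("vbaproject.bin") for n in lowered):
        return "ooxml-vba-macro"
    # Excel 4.0 (XLM) macros live in macro sheets, not in vbaProject.bin.
    if any(n.startswith("xl/macrosheets/") for n in lowered):
        return "ooxml-xlm-macro"
    return "ooxml-no-macro"


def _build_workbook(kind: str) -> bytes:
    """Construct a minimal OOXML-shaped ZIP for the demo (constructed sample, not a real file).
    kind is 'vba', 'xlm' or 'clean'.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        if kind == "vba":
            zf.writestr("xl/vbaProject.bin", b"\x00placeholder vba stream\x00")
        elif kind == "xlm":
            zf.writestr("xl/macrosheets/sheet1.xml", "<macrosheet/>")
    return buf.getvalue()


# Constructed samples used by the demo below.
SAMPLE_VBA = _build_workbook("vba")
SAMPLE_XLM = _build_workbook("xlm")
SAMPLE_CLEAN = _build_workbook("clean")
SAMPLE_OLE2 = OLE2_MAGIC + b"\x00" * 504

if __name__ == "__main__":
    for label, blob in [("vba", SAMPLE_VBA), ("xlm", SAMPLE_XLM),
                        ("clean", SAMPLE_CLEAN), ("ole2", SAMPLE_OLE2)]:
        print(f"{label:6} -> {classify_office_file(blob)}")
```

A result of ooxml-vba-macro or ooxml-xlm-macro on a file that arrived via an unsolicited "subscription" call is reason enough to quarantine it; the check does not say whether the macro is malicious, only that the document can execute code once the user clicks Enable Content.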

powersolution.com recommends that users and organizations educate themselves and others on these continuing threats and tactics to reduce victimization. We remind users to exercise caution with unsolicited emails. Be alert, too, to unusual requests when speaking with a customer-service call center: legitimate businesses do not typically ask callers to download Excel documents, enable macros or disable antivirus. If a request is suspicious, do not comply and end the call.

Red Flags of a Malicious Email

    • The actual sender address differs from the name shown in the “From” field. (Tip: hover over the sender name to reveal the address the email was really sent from, and check that it matches who the sender claims to be.)
    • The email contains poor spelling or grammar.
    • The request conveys a sense of urgency.
    • The email appears to have been sent from a mobile device, which is often used to excuse terse wording and a missing corporate signature.
    • The request references goods or services you are unfamiliar with.
    • The sender identifies themselves in a non-typical way, such as using full names or their first name when they go by their middle name.
    • The email is coming from an external source but the sender claims to be someone within your organization.
    • Unusual requests, such as the CEO asking for all employee W-2s to be emailed to them, or a vendor invoice for an abnormally large amount.
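Several of the red flags above (a display name that does not match the real sender address, an external sender claiming an internal identity, urgency language, a mobile-device signature, and unusual requests such as W-2s) can be checked mechanically from the message headers and body. The Python below is an added example, not from the advisory or from powersolution.com: it parses a raw message with the standard library and returns the flags it finds. The internal domain (example.com), the staff directory, the keyword lists and the two sample emails are constructed assumptions for the demo.

```python
import email
import re
from email.utils import parseaddr

# Assumptions for this demo: our organization's domain and a small directory of
# internal staff, keyed by lower-cased display name.
INTERNAL_DOMAINS = {"example.com"}
INTERNAL_STAFF = {"jane doe": "jane.doe@example.com"}
URGENCY_WORDS = ("urgent", "immediately", "expire", "within 24 hours", "asap")
UNUSUAL_REQUESTS = ("w-2", "wire transfer", "gift card", "enable macro", "disable antivirus")
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _body_text(msg) -> str:
    """Return the text/plain content of a parsed message (multipart or not)."""
    if msg.is_multipart():
        parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
        return "\n".join(p.get_payload(decode=True).decode(errors="replace") for p in parts)
    return msg.get_payload(decode=True).decode(errors="replace")


def red_flags(raw: str) -> list[str]:
    """Return the list of red flags found in a raw RFC 822 message."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    flags = []

    # Flag 1: the display name carries an address that is not the real sender address.
    embedded = ADDR_RE.findall(name)
    if any(e.lower() != addr.lower() for e in embedded):
        flags.append("display-name-address-mismatch")

    # Flag 2: external sender whose display name is an internal person or internal address.
    claims_internal = (name.strip().lower() in INTERNAL_STAFF
                       or any(_domain(e) in INTERNAL_DOMAINS for e in embedded))
    if from_dom not in INTERNAL_DOMAINS and claims_internal:
        flags.append("external-sender-claims-internal-identity")

    # Flag 3: replies are routed somewhere other than the apparent sender's domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != from_dom:
        flags.append("reply-to-differs-from-sender")

    text = (msg.get("Subject", "") + "\n" + _body_text(msg)).lower()
    if any(w in text for w in URGENCY_WORDS):
        flags.append("urgency-language")
    if any(w in text for w in UNUSUAL_REQUESTS):
        flags.append("unusual-request")
    if "sent from my" in text:
        flags.append("mobile-signature")
    return flags


# Constructed sample 1: a BazarCall-style "trial expiring" lure from an outside domain.
SAMPLE_TRIAL = """\
From: Jane Doe <jane.doe@example-mail.net>
Reply-To: billing@free-trial-billing.example
To: staff@example.com
Subject: URGENT: your trial is expiring - call now

Your free DocuSign trial expires within 24 hours. Call 555-0100 to avoid charges.

Sent from my iPhone
"""

# Constructed sample 2: display-name spoof of the CEO asking for W-2s.
SAMPLE_W2 = """\
From: "ceo@example.com" <attacker@outside.example>
To: payroll@example.com
Subject: Quick request

Please send me all employee W-2s by email today.
"""

if __name__ == "__main__":
    for label, raw in [("trial", SAMPLE_TRIAL), ("w2", SAMPLE_W2)]:
        print(label, red_flags(raw))
```

None of these checks proves an email is malicious on its own; they are the same signals a careful reader applies by hand, made repeatable so they can be run over a mailbox export or wired into a gateway rule that routes flagged messages for review.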

Always verify the source and instructions of any monetary transaction or other unusual request received by email through a separate channel, such as a phone call to a number you already have on file. Replying to the email is not an effective verification method, because the reply goes straight back to the threat actor.