Hackers using fake streaming site to distribute BazaLoader dropper

Opt-in to Cyber Safety. Multiple layers of protection for your devices, online privacy and more.

Security researchers at Proofpoint have uncovered a new phishing campaign that involves hackers luring unsuspecting Internet users into downloading the BazaLoader malware dropper by making they believe they erroneously subscribed to a movie streaming service.

The phishing campaign, first discovered in early May by Proofpoint, involved hackers setting up a fake movie-streaming website called BravoMovies and populating the site with fake movie posters and additional content to make it appear genuine to unsuspecting visitors.

The hackers then proceeded to send carefully-crafted emails to hundreds of recipients, informing them that they had subscribed to BravoMovies, that they were on a 30-day free trial, and will be charged $39.99 a month after the end of the trial period. The recipients were, however, given the option to unsubscribe by calling a customer service number. The emails themselves did not contain any malicious attachments.

Once a curious recipient of the email calls the customer service number, they are directed by the fraudsters to navigate to the Frequently Asked Questions component of the website, and follow the instructions to unsubscribe via the “Subscribtion” page, and download an Excel sheet to complete the process. According to Proofpoint, the Excel sheet contains macros that, if enabled, will download BazaLoader, a downloader written in C++ that is used to download and execute additional modules.

“BazaLoader is a downloader written in C++ that is used to download and execute additional modules. Proofpoint first observed BazaLoader in April 2020. It is currently used by multiple threat actors and frequently serves as a loader for disruptive malware including Ryuk and Conti ransomware. Proofpoint assesses with high confidence there is a strong overlap between the distribution and post-exploitation activity of BazaLoader and threat actors behind The Trick malware, also known as Trickbot,” the security firm said in a blog post.

“Proofpoint has observed BazarLoader threat actors using the method of phone-based customer service representatives to direct malicious downloads since February 2021. Security researchers have dubbed this method…