In response to the BazaCall phishing email attack that began at the beginning of this year, Microsoft disclosed the detailed attack process and pointed out that the attacker may spread the ransomware Conti or Ryuk ON the victim computer network.
The Microsoft security intelligence team issued a warning on June 23 that it used telephone customer service to spread the malicious software BazaCall (also known as BazarCall) phishing email attack. The attacker’s target is suspected to be an Office 365 user, and ransomware will be implanted in the victim computer. . At that time, the detailed description of the attack was quite limited, only the general attack process was mentioned, and the attacker would artificially operate and implant ransomware, and use information such as Cobalt Strike in the process. Until July 29, Microsoft announced the new investigation results, disclosing the complete process of this type of attack, and how the decoy phishing email evades detection by the mail protection system, and after invading the victim’s computer, it will use a variety of legal methods. Tools attack the entire corporate network domain, and plant specific ransomware and other details on network devices. At the same time, Microsoft also provides advanced threat query commands for threat hunting in various attack stages of BazaCall.
Regarding BazaCall’s attack method, Microsoft said that the attacker will move quickly in the network environment of the victim environment, leak a large amount of information and steal account passwords, and then implant the ransomware Conti or Ryuk within 48 hours after a successful intrusion.
Figure 1 Typical BazaCall attack process: from spam to social engineering, to downloading payload and manual keyboard attack
After continuous investigation, Microsoft found that in the BazaCall attack process, hackers used social engineering and human manipulation, unlike the automated attack strategy adopted by general malware, and thus it was easier to escape the detection of the security protection system. Microsoft believes that this strategy of BazaCall is even more dangerous than the situation that has been made public, so it decided to disclose the relevant details.
In this attack method using the customer service phone, the attacker first sends a phishing email with the content of the email pretending to be the network or software service that the recipient has subscribed to. The trial expires, and then a high subscription fee will be charged, which makes the victim feel alive. Fear, follow the instructions in the email to call the “Customer Service Hotline” to cancel the relevant service. But in fact, this “customer service” arranged by the attacker will instruct the victim to download an Excel file with macros. Once the file is opened, the BazaLoader malicious program will be implanted on the victim computer and a C2 Relay station will be established. Connect to carry out follow-up attacks.
Microsoft once mentioned that such phishing emails lack identifiable elements, making it difficult for general email protection systems to detect abnormal conditions. BazaCall’s phishing emails do not contain attachments or URL links, and these are one of the basis for the email protection system to determine whether the content of the email may be harmful.
In order for the recipient to call the “customer service”, the attacker also created a fake atmosphere. For example, in each wave of phishing emails, the attacker uses a different service subscription name, such as a photo editing service or membership of a cooking exchange website, but the same is all about claiming that the service subscription is about to expire. Microsoft pointed out that the attacker suspected that in order to increase the willingness of the recipient to make a call, in the latest BazaCall attack, the content of the phishing email was changed to a receipt confirmation email for the purchase of software authorization.
Figure 2 A typical BazaCall email: claiming that the user’s photo editing service trial period is about to expire, will automatically charge a fee, and provide a false customer service number to help cancel the subscription.
The BazaCall attacker sent a notification email that the recipient had purchased the well-known decompression software WinRAR. The email claimed that the recipient had purchased 20 computer licenses, worth US$320, and had 2 weeks to do so. Call the “Customer Service Hotline” enclosed in the email to cancel the purchase. If the recipient dials this dedicated line, the “customer service staff” will instruct to download malicious Excel files for follow-up attacks.
Microsoft pointed out that in order to circumvent the mail protection system from filtering through the sender blacklist, each BazaCall email is sent by a different sender, and the email addresses of these senders may be stolen, or Is a free email address. In order to convince the recipient that the email comes from a real company mailbox, the sender will also falsely claim that it is from a company with a similar name to the real company. Even if the recipient confirms it through a web search, it may still be fooled. Because the attacker also set up a fake “official website”.
How similar are these phishing emails to real purchases of network services or software authorization notification emails? Microsoft said that most of the BazaCall emails will Display the user ID, making the recipient mistakenly believe that they are really their user. But in fact, this group of ID is not only used to deceive the recipient, but also the identification code of the attacker to track the victim.
Once the recipient called the “customer service” as instructed and downloaded the Excel form that was required to cancel the subscription, BazaCall’s customer service also played a guiding game. Microsoft found that some users will bypass the SmartScreen and other filtering mechanisms to download malicious documents that they have marked as problematic. This means that “customer service personnel” are likely to instruct them how to operate and threaten that if they do not do so, the credit card will be used. Deducted. In addition, the “customer service staff” will also require users to enable the macro function after opening the above-mentioned Excel document.
Once the Excel macro is triggered, it will use the Living Off-the-Land method to copy the certutil.exe in the Windows system and use this copy to download BazaLoader, which is a malicious dynamic link library (DLL), which is rundll32. exe loading. Then rundll32 injects the legitimate MsEdge.exe process to connect to the BazaLoader command and control (C2) and creates one by using Edge. lnk (shortcut) file to the payload in the Startup folder to establish persistence. The injected MsEdge.exe is also used for reconnaissance, collecting system and user information, domains on the network, and domain trusts.
In order to allow the attacker to manually control remotely and find information such as the domain administrator account, rundll32.exe will download the penetration testing tool Cobalt Strike at this time. Through direct access, the attacker conducts reconnaissance on the network and searches for the account information of local administrators and high-privileged domain administrators.
The attackers also used ADFind for further extensive reconnaissance, which is a free command-line tool designed for Active Directory discovery. Usually, the information collected from reconnaissance is saved in a text file and viewed by the attacker using the “Type” command in the command prompt.
Once the attacker has established a list of target devices on the network, he will use Cobalt Strike’s custom built-in PsExec function to move laterally to the target. Every device the attacker logs on will establish a connection with the Cobalt Strike C2 server. In addition, some devices perform additional reconnaissance by downloading open source tools designed to steal browser passwords. In some cases, attackers also use WMIC to move laterally to high-value targets, such as domain controllers.
Once an attacker finds a high-value target, they will use 7-Zip to package the data and use the renamed version of the open source tool RClone to leak these files to the attacker’s domain. On the domain controller device, the attacker used NTDSUtil.exe to create a copy of the NTDS.dit Active Directory database folder in %programdata% or %temp% for subsequent leaks. NTDSUtil is a legal tool commonly used to create and maintain Active Directory databases. NTDS.dit contains user information and password hashes for all users in the domain.
Figure 3 Activities after the intrusion of the target, including infiltration and ransomware
Microsoft found that data leakage is the main purpose of the BazaCall attack, but the attackers will also deploy ransomware on the network after the above activities are completed. The attacker used a compromised account with high authority, combined with the PsExec function of Cobalt Strike, to implant the Ryuk or Conti ransomware payload onto the network device.
Although many cybersecurity threats rely on automated manipulation tactics, such as using system vulnerabilities to launch malware, destroy legitimate websites for watering hole attacks, or develop advanced detection and evasion methods, attackers continue to find social engineering and human-computer interaction in attacks Aspect was successful. The BazaCall campaign replaced links and attachments in emails with phone numbers, which brought challenges to detection, especially through traditional anti-spam and anti-phishing solutions to check these malicious indicators.
The lack of typical malicious elements in BazaCall’s emails and the fact that its operators can attack at an extremely fast speed shows that the threats facing enterprises today are becoming more and more complex and more difficult to avoid.