Earlier this month, Proofpoint identified a phishing campaign in which attackers set up a fake movie-streaming site named BravoMovies and stocked it with fake movie posters and other materials so that unwary visitors would believe it was the real deal.
Although it looks good and has fun-sounding titles, it offers nothing besides BazaLoader malware for download.
Malware loaders such as BazaLoader are used to spread ransomware and other types of malware and to steal sensitive data from infected machines. The campaign targets susceptible users who are unaware of the threat.
What the Security Firm Said About the Malware
“BazaLoader is a downloader written in C++ that is used to download and execute additional modules. Proofpoint first observed BazaLoader in April 2020.
It is currently used by multiple threat actors and frequently serves as a loader for disruptive malware, including Ryuk and Conti ransomware.
Proofpoint assesses with high confidence there is a strong overlap between the distribution and post-exploitation activity of BazaLoader and threat actors behind The Trick malware, also known as Trickbot.”
BravoMovies uses an infection chain similar to that used by other BazaLoader affiliates, which entice victims into completing a series of steps that ultimately activate the malware payload.
Emails are sent informing recipients that their credit cards will be debited unless they cancel a subscription they never knew they had signed up for.
A phone number is provided in the email that leads to a call center with live people at the other end who will direct the consumer to a website where they may cancel the fictitious movie-streaming subscription.
If they are fooled, they are told to download a booby-trapped Excel spreadsheet whose macros download BazaLoader.
Don’t Fall For the Trick!
Customers who call into the BravoMovies call center are directed to the BravoMovies website, where they can find the Frequently Asked Questions, then click on the “Unsubscribe” tab. Afterward, they will receive a link to download an Excel spreadsheet.
A macro in the Excel sheet initiates the BazaLoader download once the recipient enables macros. Experts at Proofpoint have yet to discover the second-stage payload in this campaign.
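The final step of the chain described above is an Excel attachment that only becomes dangerous once its macros are enabled. The following added example (not code from Proofpoint or the article) shows a simple mail-gateway style check that flags Excel attachments carrying VBA macros; the sample workbooks it inspects are constructed in memory, and the content-type and part names are the standard OOXML ones.

```python
"""Flag Excel attachments that carry VBA macros (added example, constructed data).

Assumptions: the attachment is handled as bytes; modern OOXML workbooks
(.xlsx/.xlsm) are inspected as zip containers, legacy .xls files are only
recognised by their OLE2 signature and flagged for deeper inspection.
"""
import io
import zipfile

# Macro-enabled OOXML workbooks declare this content type and carry vbaProject.bin.
MACRO_CONTENT_TYPE = b"application/vnd.ms-excel.sheet.macroEnabled.main+xml"
PLAIN_CONTENT_TYPE = (
    b"application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"
)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .xls / CFB container


def excel_macro_indicators(data: bytes) -> list[str]:
    """Return the reasons the attachment looks macro-enabled (empty if none)."""
    reasons = []
    if data[:8] == OLE_MAGIC:
        # Legacy binary workbook: macros live in a VBA storage inside the OLE file.
        reasons.append("legacy OLE2 workbook: inspect for VBA storage")
        return reasons
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                reasons.append("vbaProject.bin part present")
            if "[Content_Types].xml" in names and MACRO_CONTENT_TYPE in zf.read(
                "[Content_Types].xml"
            ):
                reasons.append("macroEnabled content type declared")
    except zipfile.BadZipFile:
        reasons.append("not a valid OOXML container")
    return reasons


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-like workbook in memory (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ctype = MACRO_CONTENT_TYPE if with_macro else PLAIN_CONTENT_TYPE
        zf.writestr(
            "[Content_Types].xml",
            b'<Types><Override PartName="/xl/workbook.xml" ContentType="' + ctype + b'"/></Types>',
        )
        zf.writestr("xl/workbook.xml", b"<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"\x00" * 16)  # placeholder VBA blob
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        print("macro-enabled" if flag else "plain", excel_macro_indicators(build_sample(flag)))
```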
Researchers at Proofpoint first learned of BazaLoader’s use in February 2021, when a bogus flower and lingerie store was used to lure visitors into downloading the malware.
It was used specifically around Valentine’s Day to trick youngsters into following the link. Another instance was spotted in a campaign for a pharmaceutical subscription service.