Cybercriminals have created a fake streaming service with the end goal of tricking users into installing the BazaLoader trojan on their systems, according to new research from Proofpoint.
The cybersecurity firm first observed the entertainment-themed campaign in May of this year as it masqueraded as a real streaming service online with a slick website featuring fake movies.
The campaign itself is used to spread BazaLoader, which has the capability to download and install additional modules on victims' systems. Multiple threat actors are currently using the loader to distribute ransomware, including Ryuk and Conti.
According to Proofpoint's analysis, the firm can say with high confidence that there is a strong overlap between the distribution and post-exploitation activity of BazaLoader and the cybercriminals behind the Trickbot malware.
The latest BazaLoader campaign begins with potential victims receiving an email telling them that their trial period is over and that they will be charged $39.99 per month unless they cancel their subscription to the fake streaming service BravoMovies.
These phishing emails contain a phone number that users can call if they wish to cancel their subscription. If a user calls this number, a customer service representative will then verbally guide them to BravoMovies' website. The cybercriminals behind this campaign have certainly done their homework, as the site looks like a real streaming service, complete with fake movies and posters, an FAQ, pricing details and even a free trial.
When a user visits the BravoMovies website, heads to the FAQ section and follows the directions to unsubscribe via the “Subscription” page, they will be asked to download an Excel spreadsheet. This document then asks them to “Enable Content” and malicious macros are used to download BazaLoader.
This campaign has been successful so far because many viewers signed up for and then canceled multiple streaming services during the pandemic. Cybercriminals are well aware of these behaviors, which is why they used them to their advantage when launching this new BazaLoader campaign.
To prevent falling victim to this and similar campaigns, users should only sign up for reputable streaming services after doing their research and remember that if something seems too good to be true, it probably is.