Conti Cybercrime Cartel Using “BazarCall” Phishing Attacks to Gain Access to Victims’ Computers
A trio of offshoots from the Conti cybercrime cartel are using a new type of phishing technique. In call-back (or callback) phishing, attackers first use a basic phishing email to get the target to hand over a network password, and then follow up over the phone, using a spoofed number, to push the intrusion further.
These targeted attacks were likely launched by Silent Ransom, Quantum and Roy/Zeon. The three split from Conti after the ransomware-as-a-service (RaaS) cartel orchestrated its own shutdown in May 2022, following its public support for Russia in the ongoing Russo-Ukrainian conflict.
The advanced social engineering tactic, known as BazaCall (or BazarCall), was used by Conti and Ryuk ransomware operators in 2020 and 2021. Conti later revised the tactic to include system DLL spoofing, which drew detection by security researchers.
These phishing attacks are unusual in that they forgo malicious links or attachments in the email itself. Instead, the message alerts the reader to a charge on their credit card and urges them to call a phone number given in the body text.
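Because the lure carries no link or attachment, URL and attachment scanners see nothing to block; what remains is the pattern the article describes: a billing or subscription pretext, a phone number the reader is urged to call, and nothing else to click. The following triage heuristic is an added illustration, not code from the article or from any vendor it names; the keyword lists, the scoring cut-off and the three sample messages are constructed assumptions.

```python
"""Heuristic triage for call-back ("BazarCall"-style) phishing lures.

Added illustration, not code from the article or from any vendor named in it.
The lure pattern from the text: a billing/subscription pretext, a phone number
the reader is urged to call, and no link or attachment for a scanner to catch.
Keyword lists, the cut-off and the sample messages below are constructed.
"""
import re
from dataclasses import dataclass, field

# Assumed lure vocabulary; tune against your own mail corpus.
BILLING_TERMS = (
    "renewal", "subscription", "invoice", "charged", "payment",
    "receipt", "trial", "expire", "auto-renew", "credit card",
)
CALL_TERMS = ("call", "phone", "contact us at", "toll-free",
              "customer support", "helpline")
PRESSURE_TERMS = ("within 24 hours", "immediately", "will be charged", "to cancel")

# Loose phone-number shape: optional country code, then 3-3-4 digit groups.
PHONE_RE = re.compile(
    r"(?:\+?\d{1,3}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)


@dataclass
class Verdict:
    score: int
    indicators: list = field(default_factory=list)
    phone_numbers: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Assumed cut-off: three or more independent indicators.
        return self.score >= 3


def extract_phone_numbers(text: str) -> list:
    """Return phone-number-looking strings found in the message body."""
    return [m.group(0).strip() for m in PHONE_RE.finditer(text)]


def triage(subject: str, body: str, attachments: tuple = ()) -> Verdict:
    """Score one message against the call-back phishing pattern."""
    text = f"{subject}\n{body}".lower()
    v = Verdict(score=0)
    v.phone_numbers = extract_phone_numbers(body)

    if any(t in text for t in BILLING_TERMS):
        v.score += 1
        v.indicators.append("billing/subscription pretext")
    if v.phone_numbers and any(t in text for t in CALL_TERMS):
        v.score += 1
        v.indicators.append("urges reader to call a number")
    # The defining trait: nothing for a link or attachment scanner to catch.
    if not URL_RE.search(body) and not attachments:
        v.score += 1
        v.indicators.append("no links or attachments")
    if any(t in text for t in PRESSURE_TERMS):
        v.score += 1
        v.indicators.append("time pressure / cancellation hook")
    return v


# Constructed sample messages (subject, body); none is a real email.
LURE = (
    "Your MasterClass subscription renewal",
    "Dear customer, your annual subscription has been auto-renewed and your "
    "credit card will be charged $89.99. To cancel, call our customer support "
    "at (800) 555-0199 within 24 hours.",
)
BENIGN = (
    "Team lunch Friday",
    "Hi all, lunch is at noon on Friday at the usual place. "
    "See the menu at https://example.com/menu.",
)
INVOICE_WITH_LINK = (
    "Invoice #4471",
    "Your invoice is ready. View it at https://billing.example.com/inv/4471 "
    "or call 555-0100 with questions.",
)

if __name__ == "__main__":
    for name, msg in (("lure", LURE), ("benign", BENIGN),
                      ("invoice", INVOICE_WITH_LINK)):
        v = triage(*msg)
        print(f"{name:8s} score={v.score} suspicious={v.suspicious} {v.indicators}")
```

The heuristic is a triage aid, not a verdict: a genuine invoice that lists a support line and omits links will also accumulate indicators, so the score is best used to route messages for review or to attach a banner rather than to drop mail outright.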
Once the attackers have access to the victim's desktop, a little time is all they need to move around the network.
Of the three, Silent Ransom is the most prominent in data-theft extortion. It has been linked to a string of attacks that steal sensitive data, using subscription-expiry emails themed around services such as Zoho and MasterClass that claim a payment failed for insufficient funds.
“These ransom messages are relatively simple, with an attached malware file or link,” Sygnia researchers say. “This shows how much malicious actors rely on users’ trust in known brands.”
The infection chain begins when a recipient opens one of the phishing emails.
The messages carry plausible transaction details: legitimate-looking password reset links, fake renewal invoices from Duolingo and Zoho MasterClass, and a generic form letter claiming that PayPal, Apple Pay or the recipient's credit card company found no valid receipt while processing their last purchase order(s).
The Israeli cybersecurity company Sygnia tracks the group under the moniker Luna Moth.
By mid-June 2022, Conti's highly specialized operations were apparent, and Quantum and Roy/Zeon had adopted the same approach for more efficient data theft.
While Quantum has been implicated in the devastating ransomware attacks on Costa Rican government networks in May, Roy/Zeon, which consists of members “responsible for the creation of Ryuk itself”, has demonstrated an extremely selective targeting approach.
Quantum, also known as the main Conti subdivision, takes its name from another RaaS group of the same name that emerged in September 2021 as a rebrand of MountLocker, before being absorbed by Conti during one of its many reorganizations.
Unlike Silent Ransom, which lures with emails imitating subscription notices, Quantum's “increasingly sophisticated” spam campaigns have spread via messages impersonating brands such as Oracle and CrowdStrike, including a phishing operation last month that impersonated the cybersecurity firm itself.
The researchers at Deep Instinct said: “As threat actors realize more potentialities of weaponized social engineering tactics, it is likely that these phishing scams will only continue to become more elaborate, detailed, and difficult for users to tell apart from legitimate communications as time goes on.”
Separately, Dragos reports that ransomware attacks on industrial infrastructure are 65 percent lower than in the first quarter, a drop Elliptic thinks is most likely related to Conti closing shop. Elliptic also notes that Conti has laundered over $145 million in cryptocurrency since 2020, stressing the abuse of decentralized virtual funds.