The Conti ransomware gang uses BazarCall phishing attacks as an initial attack vector to gain access to targeted networks.
The BazarCall attack, aka call back phishing, is an attack vector that uses a targeted phishing methodology and was first used by the Ryuk ransomware gang in 2020/2021.
The BazarCall attack chain consists of the following steps:
- First stage. The attackers send an email to the victims informing them that they have subscribed to a service whose payment is automatic. The email includes a phone number to call to cancel the subscription.
- Second step. The victim is brought to contact a special call center. When operators receive a call, they use a variety of social engineering tactics to convince victims to give remote desktop controlto help them cancel their subscription service.
- Third step. Once gaining access to the victim’s desktop, the attacker silently gained a foothold in the user’s network, weaponizing legitimate tools known to be part of Conti’s arsenal. The initial operator stays online with the victim, claiming to help them access the remote desktop while continuing to use social engineering tactics.
- Fourth step. The initiated malware session gives the adversary access as the first point of entry into the victim’s network.
Researchers from cybersecurity firm AdbIntel claim that currently, at least three autonomous threat groups are independently adopting and developing their own targeted phishing tactics derived from the phishing callback methodology. The three groups are followed as Silent Ransom, Quantum and Roy/Zeon, they emerged after the Conti gang chose to close their operations in May 2022.
In March 2022, trained members of Conti, experts in call back phishing attacks, created “Silent Ransom” when it became a standalone group.
Former Silent Ransom bosses, tracked as Conti Team Two, who were Conti’s main subdivision, have been rebranded as Quantum and launched their own version of recall phishing campaigns. On June 13, 2022, AdvIntel researchers discovered a massive operation called “Jormungandr”.
The third iteration of the BazarCall group was observed at the end of June 20 and bears the name of Roy/Zeon. The group is made up of old guard members of Conti’s “Team One”, who created Operation Ryuk. This group possesses the advanced social engineering abilities of all three groups.
This involved large investments in hiring spammers, OSINT specialists, designers, call center operators and increasing the number of network intruders. As a highly trained (and most likely government-affiliated) group, Quantum was able to purchase proprietary email datasets and manually analyze them to identify affected employees at prominent companies.
The adoption of Callback phishing campaigns has impacted the strategy of ransomware gangs, experts have observed targeted attacks targeting the finance, technology, legal and insurance industries. Industries are considered prime targets in almost all internal manuals, which were shared among former Conti members.
“Since its resurgence in March earlier this year, call back phishing has completely revolutionized today’s threat landscape and forced its threat actors to reassess and update their attack methodologies in order to stay on top of the new ransomware food chain.” concludes the report published by Advintel. “While the first to start using this TTP as their primary initial attack vector, Silent Ransom is no longer the only threat group to use the highly specified phishing operations they launched. Other threat groups , seeing the tactic’s success, effectiveness, and targeting capabilities, began using the reverse phishing campaign as a base and developing their own attack vector.
Follow me on Twitter: @securityaffairs and Facebook
(Security cases – hacking, Conti)