Have you received a call claiming that your free trial subscription is over? Are they advising you to call a number to cancel it before you get charged with monthly fees? If so, DON’T DO IT! It’s all a scam attempting to get you to download a malware called BazarLoader which is used to distribute ransomware.

These malicious actors have been active since January and they usually start by sending phishing emails advising the victim that a trial subscription has expired and that they need to call a number to cancel before they get charged. Then once the victim falls for it and the malware has been downloaded, the criminals are able to access the infected Windows device through the back door and will proceed to send follow-up malwares, scan the environment and exploit other vulnerabilities on the network.

This group caught Microsoft’s attention as they are mostly targeting Office 365 users. See below for Microsoft’s response on the attack

“When recipients call the number, a fraudulent call center operated by the attackers instructs them to visit a website and download an Excel file in order to cancel the service. The Excel file contains a malicious macro that downloads the payload” Microsoft Security Intelligence explains.

The Microsoft security team also noticed that the group is using the Cobalt Strike penetration testing kit to steal credentials. Cobalt Strike is mostly used as a lateral movement on a network after initial compromise. Due to this discovery, Microsoft has created a GitHub page for publicly sharing details about this cyberattack as well as other malwares techniques.