A new tricky malware distribution campaign is going on right now using a fake movie streaming service called ‘BravoMovies’ as bait to convince victims to download BazarLoader. According to the report by Proofpoint researchers, who identified the campaign and collected all the evidence, the actors launched their malicious operation in early May, so it has been a month already. Contrary to the typical approach, this campaign requires quite an extensive victim interaction, but with the help of ‘BravoMovies,’ this aspect is covered adequately.
The infection starts with an email message that claims a trial period expiration and an automatic transfer to a premium plan in ‘BravoMovies.’ This comes with a charge of $39.99 per month - unless you have an objection of course. If you do, you are given a phone number to call, answered by a crook who pretends to be a support agent.
The victim is then directed to the ‘BravoMovies’ website, which hosts a document that is allegedly containing the instructions on how to cancel the subscription. This document contains BazarLoader, a dangerous malware that has been circulating the web since April 2020.
The document downloaded from the website is an Excel file containing malicious macros, so the victim is asked to “enable editing” and “enable content” to preview it. Hoping that they’ll cancel their subscription and avoid being charged, some victims follow this instruction and allow the code to run on their computer.
BazarLoader provides backdoor access for the actors, so it serves as a portal to drop more payloads, scan the environment, and possibly exploit vulnerabilities on other devices connected to the same network.
Palo Alto’s Unit 42 team has noticed and reported a similar campaign using the particular malware this month, and they named it “BazarCall” because it involved fake support agents directing victims to malicious websites that delivered macro-ridden spreadsheets. In that report, the email messages that initiated the infection chain claimed to come from a book service, warning about the premium trial coming to an end.
In BazaFlix, the three websites used are “bravomovies[.]net”, “bvcinema[.]net”, and “urbancinema[.]net”. All of them appear to be down when writing this, but judging from the above, we expect to see the actors jumping to other domains or different themes altogether. That said, if you receive an email making auto-charge claims, do not jump straight into action. Look at the signs of fraud, evaluate the claims with a clear mind and act with composure.