# BazarCall Method: Call Centers Help Spread BazarLoader Malware

**unit42.paloaltonetworks.com/bazarloader-malware/**

Brad Duncan May 19, 2021

By [Brad Duncan](https://unit42.paloaltonetworks.com/author/bduncan/)

May 19, 2021 at 4:00 PM

[Category: Malware,](https://unit42.paloaltonetworks.com/category/malware-2/) [Unit 42](https://unit42.paloaltonetworks.com/category/unit-42/)

Tags: [BazaCall,](https://unit42.paloaltonetworks.com/tag/bazacall/) [BazaLoader,](https://unit42.paloaltonetworks.com/tag/bazaloader/) [Bazar,](https://unit42.paloaltonetworks.com/tag/bazar/) [BazarCall,](https://unit42.paloaltonetworks.com/tag/bazarcall/) [BazarLoader](https://unit42.paloaltonetworks.com/tag/bazarloader/)

This post is also available in: 日本語 [(Japanese)](https://unit42.paloaltonetworks.jp/bazarloader-malware/)

## Executive Summary

[BazarLoader (sometimes referred to as BazaLoader) is malware that provides backdoor access to](https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor)
an infected Windows host. After a client is infected, criminals use this backdoor access to send
follow-up malware, scan the environment and exploit other vulnerable hosts on the network.

The threat actor behind BazarLoader uses different methods to distribute this malware to potential
[victims. In early February 2021, researchers began reporting a call center-based method of](https://twitter.com/ffforward/status/1356571665648537601)
distributing BazarLoader. This method utilizes emails with a trial subscription-based theme that
encourages potential victims to call a phone number. A call center operator then answers and
directs victims to a website to unsubscribe from the service. Call center operators offer to personally
guide victims through a process designed to infect vulnerable computers with BazarLoader. An
[example of the process can be found in this YouTube video.](https://www.youtube.com/watch?v=uAkeXCYcl4Y)


-----

This call center-based process of infecting computers with BazarLoader has been dubbed the
"BazarCall" method (sometimes referred to as "BazaCall" method).

[Palo Alto Networks Next-Generation Firewall customers are protected from this threat with a](https://www.paloaltonetworks.com/network-security/next-generation-firewall) Threat
Prevention security subscription.

## Chain of Events for Infections Using the BazarCall Method

BazarCall infections follow a distinct pattern of activity. See Figure 1 for a flow chart showing the
chain of events.

Figure 1. BazarCall chain of events
Chain of Events for an Infection Using the BazarCall Method:

A trial subscription-themed email with a phone number to a call center for assistance.
Victim calls the phone number from the email.
Call center operator guides the victim to a fake company website.
Victim downloads a Microsoft Excel file from the website.
The call center operator instructs the victim to enable macros on the downloaded Excel file.
The vulnerable Windows computer is infected with BazarLoader malware.
The call center operator then tells the victim that the unsubscription is successful.
BazarLoader generates command and control (C2) traffic from the infected Windows host.
Backdoor access through BazarLoader leads to post-infection activities.

These emails state that the victim’s trial subscription is ending, and the victim’s credit card will be
charged. Phone numbers in these emails change at least daily, and occasionally we have seen two
or more numbers appear during a single day.


-----

## Posing as A Victim

A video has been posted on YouTube documenting someone posing as a victim and having a center
operator guide them through the fake unsubscription process. We contacted this call center on at
least five different occasions, and the operator was a different person each time. All operators were
seemingly non-native English speakers. Two of the operators were female, and three were male.
Each operator followed the same basic script, but there were variations.

The following conversation took place on Wednesday, April 14, 2021 using a phone number from
the email shown below in Figure 2.

Figure 2. Email used by the person posing as a victim.
Operator: Customer service. How may I help you?


-----

Victim: Hi. I got an email today from a company called Paradise Books. It says I have a subscription,
and my credit card will be charged. But I've never dealt with Paradise Books. I don't remember doing
anything or going to a website for Paradise Books or anything like that.

Operator: Okay, sir. Do you have a subscription number?

Victim: Yes, hold on. It's 040*********. [Note: The last 9 digits of this number are purposely not shown
_here because this number identifies the recipient's email address.]_

Operator: Okay, I can repeat that back to you. It is 040*********.

Victim: Yes.

Operator: Yes sir, just hold on a moment let me check our system.

Victim: Okay.

_[hold music]_

Operator: Hello?

Victim: Yes.

Operator: Okay. It seems this account was opened by John Edwards, but your email starts with

_[victim's first name]._

Victim: Yes, I'm [victim's first name]. I don't know any John Edwards.

Operator: Okay, sir. You'll need to cancel the subscription. So what you need to do is go to
worldbooks dot US.

Operator: Worldbooks [states each letter phonetically] dot US.

Victim: Hold on a second. Let me get that in my web browser.

Operator: Yes? Can I read it back again?

Victim: No thank you. I have it. [typing sounds]

Operator: Hello?

Victim: Yes, hold on. It looks like it's loading.

Operator: Have you seen the website yet?

Victim: Okay, here we go. It says "World Books." So I've got a web page. I've never seen this site
before.

Operator: No problem. We can just cancel the subscription. What you need is your subscriber
number that you told me earlier.

Victim: Okay


-----

Figure 3. BazarCall website from April 14, 2021.
Operator: Can you see the subscribe button?

Victim: Yes.

Operator: When you click on that, you should be able to see unsubscribe.

Victim: Okay, I'm clicking the subscribe button.

Operator: Can you see unsubscribe?

Victim: I see a line that says, "Do you want to unsubscribe?"


-----

Figure 4. BazarCall website subscribe page with link to unsubscribe.
Operator: That is where you need to go. Can you click it?

Victim: Okay.

Operator: And then you enter the subscription number.

Victim: Gotcha. [typing sounds]


-----

Figure 5. BazarCall website unsubscribe page.
Operator: Once you do that, you will receive a confirmation document.

Victim: Okay, it's asking me what do I want to do with subscription 16184 something XLSB?


-----

Figure 6. BazarCall website unsubscribe page returns an Excel file.
Operator: That is the confirmation document. That's where you have your confirmation code.

Victim: Should I open it? Should I save it? Or what?

Operator: You can open it, if you need the confirmation. The confirmation code is important. In case
anything happens, you can call us and give us the confirmation code.

Victim: Okay.

Operator: So we can solve the issue.

Victim: Gotcha. Alright.

Operator: Did you get it?

Victim: Alright. I'm opening it right now. I see Excel Office 365. This document is protected.
Previewing is not available for protected documents. I have to press enable.


-----

Figure 7. Screenshot of Excel file downloaded from BazarCall website.
Operator: Click editing and enable content.

Victim: Okay. [pauses] Alright. The spreadsheet changed. [pauses] It shows a form with a company
name, first name, last name, birthdate, and all that stuff.


-----

Figure 8. Excel file after enabling macros. Note the different filename on the title bar.
Operator: Okay, can you see the code? The code is the important one.

Victim: I don't see a code, no.

Operator: Okay. There are different pages. Can you see the next page?

Victim: Where is this code supposed to be?

Operator: There is a confirmation code in case you don't want to get charged but in case you get
charged, that is what you call us with in order to cancel the charge.

Victim: Okay, I still don't know where I'm supposed to find this code.

Operator: Just hold on and let me check with the department of IT.

Victim: Okay.

_[hold music for approximately 1 minute]_

Operator: Hello sir.


-----

Victim: Yes.

Operator: I've checked with the IT department, and they are saying that the cancellation went
through correctly. We are just having an issue with our servers, but the cancellation went through
successfully.

Victim: Okay.

Operator: So nothing will be charged to your account. And they've given me a code on their end.
Can I read it to you?

Victim: Yes.

Operator: The code is [spells out seven characters of an alpha-numeric code].

Victim: Okay.

Operator: In case of any problem, you can just call back and give us that code. We will be able to
resolve any issue.

Victim: Okay. Thank you.

Operator: You're welcome sir. And if you call back, you can ask for [operator's first name], because
we have many [garbled].

_[Victim repeats operator's first name]_

Operator: Yes, that's my name.

Victim: Alright, well thank you.

Operator: Have a good day.

Victim: Goodbye.

Operator: Goodbye sir.

## Infection Traffic

After macros are enabled on the downloaded Excel file, the BazarLoader DLL is dropped, and it
[generates a URL containing the string campo. This type of URL is called Campo Loader, which acts](https://fr3d.hk/blog/campo-loader-simple-but-effective)
as a gateway that redirects traffic to malware. Some examples of Campo Loader URLs generated
by a BazarLoader DLL are shown below in Table 1.

**Date** **URL**

2021-03-25 hxxp://whynt[.]xyz/campo/w/w

2021-03-29 hxxp://veso2[.]xyz/campo/r/r1

2021-03-31 hxxp://about2[.]xyz/campo/a/a1


-----

2021-04-07 hxxp://basket2[.]xyz/campo/u/u1

2021-04-08 hxxp://dance4[.]xyz/campo/d8/d9

2021-04-14 hxxp://glass3[.]xyz/campo/gl/gl3

2021-04-15 hxxp://idea5[.]xyz/campo/id/id8

2021-04-16 hxxp://keep2[.]xyz/campo/jl/jl7

_Table 1. Recent Campo Loader URLs generated by BazarCall spreadsheet macros._

Figure 9 shows a Campo Loader URL from April 14, 2021 redirecting to a URL for BazarLoader.

Figure 9. Campo Loader URL successfully redirecting to a URL for BazarLoader.
Examples of recent URLs for BazarLoader EXE files are shown below in Table 2.

**Date** **URL**

2021-03-25 hxxp://whynt[.]xyz/uploads/files/dl8x64.exe

2021-03-29 hxxp://admin.yougleeindia[.]in/theme/js/plugins/o1e.exe

2021-03-29 hxxp://admin.yougleeindia[.]in/theme/js/plugins/rt3ret3.exe

2021-03-31 hxxp://about2[.]xyz/uploads/files/ret5er.exe

2021-04-07 hxxp://www.carsidecor[.]com/wp-content/uploads/2021/04/cv76.exe

2021-04-08 hxxp://dance4[.]xyz/uploads/files/10r3.exe

2021-04-14 hxxp://glass3[.]xyz/uploads/files/hah5.exe

2021-04-15 hxxp://idea5[.]xyz/uploads/files/ratan.exe

2021-04-15 hxxp://idea5[.]xyz/uploads/files/rets.exe

2021-04-16 hxxp://keep2[.]xyz/uploads/files/suka.exe

_Table 2. Recent URLs for BazarLoader malware._

The BazarLoader executable generates HTTPS C2 traffic noted below in Figure 10.


-----

Figure 10. Traffic from the BazarLoader infection.

## Forensics on Infected Windows Host

This section describes forensics on an infected Windows host from April 14, 2021. SHA256 hash for
the downloaded spreadsheet is:

db53f42e13d2685bd34dbc5c79fad637c9344e72e210ca05504420874e98c2a6

Macros from the downloaded Excel file create artifacts in the Windows computer’s C:\Users\Public
directory as shown in Figure 11.


-----

Figure 11. Artifacts were created after enabling macros from the downloaded Excel file on April 14,
2021
File information is shown below in Table 3. The first two are text files with the same SHA256 hash.
The other file is a BazarLoader DLL.


**File name** **File**
**type**

130486.xlsb ASCII
text

130486.dot ASCII
text


**SHA256 hash**

2632c0cc222a6d436b50a418605a7bd4fa8f363ab8d93d10b831cdb28a2ac1bc

2632c0cc222a6d436b50a418605a7bd4fa8f363ab8d93d10b831cdb28a2ac1bc


130486.pgj DLL f3b5cf1e40aed4567a8996cf107285907d432b4bc8cc3d0b46aae628813d82d4

_Table 3. Artifacts from a BazarCall spreadsheet seen on April 14, 2021._

130486.xlsb and 130486.dot consist of an American Standard Code For Information Interchange
(ASCII) string with base64 text. This text represents the BazarLoader dynamic link library (DLL) file.
Macro code from the downloaded Excel file converts the base64 text to a DLL named 130486.pgj
and runs this DLL using the following script commands:

cmd.exe /c certutil -decode %PUBLIC%\130486.dot %PUBLIC%\130486.pgj
rundll32 %PUBLIC%\130486.pgj,DF1

Keep in mind these files are from one specific example. Artifacts generated from other spreadsheets
have different names and different file extensions. Common characteristics include:

All three artifacts have the same name, but different file extensions.


-----

Two of the artifacts are ASCII strings with base64 text.
One of the artifacts is a DLL for BazarLoader.
One of the text-based artifacts uses an .xlsb file extension.

The DLL is designed to retrieve a BazarLoader EXE. In our example from April 14, 2021, the
BazarLoader EXE was saved to a folder under the C:\ProgramData directory as shown below in
Figure 12.

Figure 12. Windows EXE file for BazarLoader.

## Follow-Up Activities

BazarLoader provides backdoor access to an infected Windows host. In some cases, Cobalt Strike
[is seen as follow-up malware, leading to other malware like Anchor. At least two cases have been](https://malpedia.caad.fkie.fraunhofer.de/details/win.anchor)
publicly documented where BazarLoader malware led to Cobalt Strike and then to Anchor malware.
[One case happened in February 2021, and the other case happened in March 2021.](https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/)

However, BazarLoader is not limited to just Cobalt Strike and Anchor as follow-up malware. 2020
saw reports of [BazarLoader leading to ransomware like Ryuk. Backdoor access to an infected](https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ryuk-2020-distributing-ransomware-via-trickbot-and-bazarloader)
Windows host could lead to any family of malware.


-----

## Conclusion

As early as February 2021, we have seen several reports of the BazarCall method distributing
BazarLoader malware using call center personnel. These infections follow noticeable patterns, and
they can lead to other malware like Cobalt Strike, Anchor and Ryuk ransomware.

Organizations with decent spam filtering, proper system administration and up-to-date Windows
hosts have a much lower risk of infection from BazarLoader malware and its post-infection activity.
[Palo Alto Networks Next-Generation Firewall customers are further protected from this threat with a](https://www.paloaltonetworks.com/network-security/next-generation-firewall)
[Threat Prevention security subscription.](https://www.paloaltonetworks.com/products/secure-the-network/subscriptions/threat-prevention)

Palo Alto Networks has shared our findings, including file samples and indicators of compromise
described in this report, with our fellow Cyber Threat Alliance (CTA) members. CTA members use
this intelligence to rapidly deploy protections to their customers and to systematically disrupt
malicious cyber actors. For more information on the Cyber Threat Alliance, visit
[www.cyberthreatalliance.org.](https://www.cyberthreatalliance.org/)

## Indicators of Compromise

**Appendix A**

[Examples of BazarCall emails (March and April 2021): GitHub repository.](https://github.com/pan-unit42/iocs/blob/master/BazarCall/Appendix-A.txt)

**Appendix B**

Examples of domains hosting the fake websites used for the BazarCall method (March and April
[2021): GitHub repository.](https://github.com/pan-unit42/iocs/blob/master/BazarCall/Appendix-B.txt)

**Appendix C**

96 examples of Excel spreadsheets from unsubscribe pages from fake websites using the BazarCall
[method (March and April 2021): GitHub repository.](https://github.com/pan-unit42/iocs/blob/master/BazarCall/Appendix-C.txt)

**Appendix D**

11 examples of BazarLoader DLL files dropped by Excel spreadsheet macros (March and April
[2021): GitHub repository.](https://github.com/pan-unit42/iocs/blob/master/BazarCall/Appendix-D.txt)

**Appendix E**

SHA256 hashes for 24 examples of BazarLoader EXE files retrieved by BazarLoader (March and
[April 2021): GitHub repository.](https://github.com/pan-unit42/iocs/blob/master/BazarCall/Appendix-E.txt)

**Get updates from**

**Palo Alto**

**Networks!**

Sign up to receive the latest news, cyber threat intelligence and research from us


-----

[By submitting this form, you agree to our Terms of Use and acknowledge our Privacy Statement.](https://www.paloaltonetworks.com/legal-notices/terms-of-use)


-----