More sophisticated BazarCall campaigns have been circulating and delivering ransomware entry points to victims. While the bait still involves urgent notification emails about nonexistent purchases or subscriptions, the subsequent phase highlights the threat actors’ manipulative skills. They offer to help the victim fix a fictitious malware infection or hacking incident, eventually convincing the victim to download and execute a malicious file.

Our research team analyzed recently published BazarCall indicators of compromise (IoCs) to find more artifacts. We used 64 domains identified as IoCs as a starting point and found:

48 IP addresses to which the IoCs resolved, most of which are geolocated in the U.S.

• 303 additional artifacts since they shared the IoCs’ IP addresses
• Two unredacted registrant details used to register the domains tagged as IoCs
• 832 domains connected to the IoCs since they shared the same registrant details
• 6,100+ domains bearing the same text strings as the IoCs
• 7% of the artifacts we uncovered have been flagged as malicious

A sample of the additional artifacts obtained from our analysis is available for download from our website.

What We Know about the IoCs

While threat actors were seen impersonating companies like McAfee, Norton, Microsoft, and PayPal in the campaign, most of the domains tagged as IoCs were generic.

Except for a few that contained the string “windows,” a majority of the domains had recurring strings, such as “support,” “care,” and “help.” Over half of the IoCs fell under the .xyz and .com TLD spaces.

Threat Analysis and Expansion

As part of our threat expansion, we searched the DNS for newly added domains that looked similar to the IoCs. We found 6,120 domains added between 1 September to 21 October 2022 that begin with the strings used in the IoCs, such as “help,” “support,” “asupport,” “caresupport,” “helpdesk,” and “login0.”

We then subjected the domains to WHOIS lookups, revealing that most of them had NameSilo and GoDaddy as registrars. It also led us to two unredacted registrant details, which were used to register 832 other domain names.

Furthermore, our DNS analysis revealed that 44 IoCs had IP resolutions mostly geolocated in North America. These locations coincided with the recent BazarCall campaign infection map, which was heavily concentrated in Canada and the U.S.

Moreover, about one-third of the IP hosts were assigned to an ISP called “ColoCrossing.”

We also looked for connected domains that shared the same IP addresses as the IoCs. While some were shared by hundreds of other domains, several appeared to be dedicated with only a few resolving domains. In total, we found 303 IP-connected domains.

A deeper infrastructure analysis of the IoCs revealed configuration issues. For instance, most of their SSL certificates were either nonexistent or recently obtained.

Content Analysis of IoCs and Related Artifacts

Since several IoCs remain active, we analyzed their content using a website screenshot service. Several domains hosted the same content, albeit with different color schemes. Below are a few examples.

Interestingly, we also found some artifacts that hosted the same type of content. For example, nthelp[.]live and chelp[.]live both resolved to 192[.]210[.]149[.]51, which was also the IP address of one of the IoCs—nhelp[.]live. Their website screenshots are shown below.

Aside from these technical support-related domains and content, we may have also uncovered an ongoing campaign targeting social media users needing help. The website screenshots of string-connected artifacts, help-insta-gram-form[.]cf, help-twitter-centre[.]net, and help-twitter-notice[.]net looked like the imitated social media pages.

Malware Check for the Artifacts

A bulk domain malware check revealed that about 7% of the artifacts were flagged as malicious. Many of them remain active like those hosting social media pages and content similar to the IoCs.

Also, note that most of the artifacts have only been added in less than two months (between 1 September and 21 October 2022).

Conclusion

Callback phishing only works when the target victim takes the bait and calls the number indicated in the email. But the lures are often convincingly urgent and trust-evoking, such as the support-related domains hosting legitimate-looking pages revealed in this study.

Still, comprehensive threat intelligence that doesn’t leave any stone unturned can help protect potential victims from dangerous properties and their connections.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.