Threat actors distribute BazarLoader via fake streaming service
Cybersecurity researchers at Proofpoint have discovered a new phishing campaign run by the BazarLoader operators. The threat actors bypass automated threat detection systems and infect victims' systems with BazarLoader malware.
In the new campaign, dubbed BazaFlix, attackers send emails purporting to come from streaming services. The messages announce that the recipient's trial or demo is about to expire and that the user's payment card is about to be charged for the premium plan.
The emails include a phone number that recipients can call to cancel the subscription. Attackers on the other end of the line direct callers to the website of an alleged streaming service called BravoMovies, from a company called UrbanCinema. The site looks quite realistic, using movie posters from various public sources.
Following the instructions to unsubscribe from the BravoMovies streaming service, users end up downloading a malicious Excel document with macros that install BazarLoader malware. Once the system is infected, the BazarLoader operators can provide access to it to various cybercriminal groups, including ransomware operators.
Source: securitylab.ru
31 May 2021