Researchers at AdvIntel warn that three more ransomware groups have begun using the BazarCall spear phishing technique invented by the Ryuk gang (a threat group that subsequently rebranded as Conti). BazarCall callback phishing allows threat actors to craft much more targeted social engineering attacks designed for specific victims. The researchers outline the four stages of this technique:

“Stage One. The threat actor sends out a legitimate-looking email, notifying the target that they have subscribed to a service for which payment is automatic. The email gives a phone number that targets are able to call to cancel their subscription.

“Stage Two. The victim is lured into contacting a special call center. When operators receive a call, they use a variety of social engineering tactics to convince victims to give remote desktop control, ostensibly to help them cancel their subscription service.

“Stage Three. Upon accessing the victim’s desktop, a skilled network intruder silently entrenches into the user’s network, weaponizing legitimate tools that were previously typical of Conti’s arsenal. The initial operator remains on the line with the victim, pretending to assist them with the remote desktop access by continuing to utilize social engineering tactics.

“Stage Four. In the final stage of BazarCall, the initiated malware session yields the adversary access as an initial point of entry into the victim’s network. This initial access is then used and exploited in order to target an organization’s data.”

The researchers conclude that more ransomware actors will likely incorporate this technique into their own attacks.

“Since its resurgence in March earlier this year, call back phishing has entirely revolutionized the current threat landscape and forced its threat actors to reevaluate and update their methodologies of attack in order to stay on top of the new ransomware food chain,” AdvIntel says.

“Other threat groups, seeing the success, efficiency, and targeting capabilities of the tactic, have begun using reversed phishing campaigns as a base and developing the attack vector into their own. This trend is likely to continue: As threat actors have realized the potentialities of weaponized social engineering tactics, it is likely that these phishing operations will only continue to become more elaborate, detailed, and difficult to parse from legitimate communications as time goes on.”
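
A defender-side check for the Stage One lure described above, as an added example that is not from AdvIntel or the original article: it flags a message only when it combines a subscription notice, automatic-payment wording, a phone number, and an instruction to call to cancel. The keyword patterns, the all-four rule, and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string

# Assumed keyword patterns for the Stage One traits; tune them on your own mail.
SUBSCRIPTION = re.compile(r"\b(subscri\w+|renew\w*|membership)\b", re.I)
AUTO_PAYMENT = re.compile(
    r"\bauto\w*[- ]?(renew\w*|charg\w+|pay\w*|debit\w*)\b"
    r"|\bwill be (charged|billed|debited)\b", re.I)
PHONE = re.compile(r"(?:\+?\d{1,2}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
# A calling verb and "cancel"/"refund" within one sentence, in either order.
CALL_TO_CANCEL = re.compile(
    r"\b(call|dial|phone)\b[^.!?]{0,80}\b(cancel\w*|refund)\b"
    r"|\b(cancel\w*|refund)\b[^.!?]{0,80}\b(call|dial|phone)\b", re.I)

def body_text(raw_email):
    """Concatenate the text/plain parts of an RFC 5322 message."""
    msg = message_from_string(raw_email)
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    return "\n".join(
        p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
        for p in parts)

def callback_lure_signals(raw_email):
    """Report which Stage One traits appear in the message body."""
    text = body_text(raw_email)
    return {
        "subscription_notice": bool(SUBSCRIPTION.search(text)),
        "automatic_payment": bool(AUTO_PAYMENT.search(text)),
        "phone_number": bool(PHONE.search(text)),
        "call_to_cancel": bool(CALL_TO_CANCEL.search(text)),
    }

def is_callback_lure(raw_email):
    # Assumed rule: require every trait, since each alone is common in real receipts.
    return all(callback_lure_signals(raw_email).values())

# Constructed sample messages (fictional sender, brand and 555-01xx number).
LURE = """\
From: billing@example.com
Subject: Order confirmation

Thank you for subscribing to StreamPlus Premium. Your card will be charged $89.99 today.
If you did not authorize this, call +1 (555) 010-0199 to cancel your subscription.
"""
BENIGN = """\
From: receipts@example.org
Subject: Your monthly receipt

Your membership renewed and your card was billed $9.99. Manage it from your account settings page.
"""
```

A hit is a reason to route the message for review or attach a warning banner, not proof of malice; legitimate vendors also print support numbers.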

Conti as such may no longer be an active brand, but its operators haven’t retired. New-school security awareness training can teach your employees to thwart evolving social engineering tactics.