• News
  • Security
  • Products
  • About Seqrite
Blogs on Information Technology, Network & Cybersecurity | Seqrite Blog
  • News
  • Security
  • Products
  • About Seqrite
Home  /  Cybersecurity • Malware • Phishing • Technical  /  Calling from the Underground: An alternative way to penetrate corporate networks
Calling from the Underground: An alternative way to penetrate corporate networks
11 January 2023

Calling from the Underground: An alternative way to penetrate corporate networks

Written by Sathwik Ram Prakki
Sathwik Ram Prakki
Cybersecurity, Malware, Phishing, Technical

Threat actors use multiple methods to distribute malware to infect specific targets. Even though various phishing methods are actively used and evolving, an alternative approach to increase their success rate is to call the target corporate companies. Techniques like BazaCall have been observed since 2021. In this technique, a call is made to the target to make them click on malicious links, leading them to install malware unknowingly.

Threat actors like affiliates of ransomware groups have started to utilize this technique to infect targets across the world. They recruit callers who work on phishing campaigns, called the “Callback phishing” technique. With the emergence of such methods, the search for so-called callers is also increasing. Additionally, new callers are making themselves available on the underground forums. The figure below illustrates an advertisement in one of the underground forums wherein the threat actor can be seen posting details of the “job” and inviting callers to join with a promise of revenue-sharing.

Fig. 1 – Threat actor in search of caller services

As evident from the above advertisement, RAT (Remote Administration Tool) stubs are provided to be installed specifically targeting carriers in the USA and UK.

A Caller’s Perspective

Callers provide their services based on the target and are willing to call as many times as necessary to succeed in their mission. Most services offer English callers as the US and UK are the most targeted locations by cybercrime groups, and they work actively every week. They compel the victims to click on malicious links and install a malicious executable through social engineering and phishing.

Another technique explicitly used by these callers targeting various sectors is called Callback Phishing. They make phone calls through various SIM cards registered to different geographical locations. One such threat actor on telegram has multiple Russian SIM cards offering a higher success rate.

Fig. 2 – Threat actor offering caller services

Some of these callers don’t send phishing links to individual targets but operate on bulk orders based on the database provided to them. They make these calls from toll-free numbers like 800 or 888 for more credibility rather than using suspicious SIMs that might get blocked. The threat actors demand a premium price, the lowest being a thousand dollars that includes these toll-free numbers and a connection fee. A big chunk of the money goes as salaries to the operators who sit and call for “long and efficient” communication to make the target install the malicious payloads or click the phishing links that redirect to them.

An Affiliate’s Perspective

The threat actors on the forums eagerly seek to hire callers to encrypt the victim’s network. We have observed ransomware affiliates, working with Hive and Quantum, target companies in the manufacturing and legal sectors in the USA and Canada with more than $10M in revenue. Manufacturing being the most attacked sector doesn’t come as a surprise. However, targeting the legal industry is not regular, indicating that threat actors will also pivot their victims based on their financial motives and geopolitical interests.

Fig. 3 – Spam Mail to fetch phone details

These affiliates agree on a percentage of the ransom amount and provide a salary based on a long-term partnership. Sometimes even spam email formats are provided to get the target’s name, contact number, email, and property address, where it imitates people from various companies such as Blue Raven Solar, and Zillow home loans, among others, to lure them. Once the target falls for the scam and provides these details, the callers start engaging conversations where they convince the victims to install payloads provided by these affiliates.

Fig. 4 – Spam Mail to fetch personal details

Instead of sending documents that contain malicious links, the affiliates provide ISO files as attachments, carrying the actual ransomware payloads in an encrypted format that can bypass detections. In some cases, the affiliates do not get the ISO files to distribute them seamlessly. Instead, they get the encrypted ransomware payloads converted to ISO format using a separate set of coders.

Fig. 5 – Spam Mail randomization (1)

Spammers demand at least 100,000 emails be sent out in bulk to work for a long-term partnership that gives options to randomize the email format, as shown below, where most of them are related to insurance data to lure the targets easily.

Fig. 6 – Spam Mail randomization (2)

Fig. 7 – Spam Mail randomization (3)

Recent Campaigns

The recent BazarCall campaign, utilized by new groups that rose from Conti, sends out emails with phone numbers that read that the target has subscribed to a service with auto-renewal. As the victims contact the provided number to cancel the subscription, the operators convince them to allow remote access to their devices. While the conversation continues, a network operator sneaks into the target’s network to fetch initial access to the device to maintain a remote session later used to install a backdoor. Malware such as BazaarLoader, Trickbot, and IcedID was delivered as BazarCall’s tactics evolved that primarily target the US, Canada, and some Asian countries.

Threat actors are not only looking for English callers but other spoken languages like Spanish, Italian, German, and Norwegian, too, so that they can expand their targets.

Fig. 8 – Job search for callers

Conclusion

Corporate companies should be aware that threat actors are using caller services as a new way to infect their systems with payloads such as ransomware and other types of malware. These services provide multi-language operators who work with email spammers to spread malicious links. To protect against such attacks, it is crucial to take caution when receiving suspicious or unknown emails with URLs or attachments and to avoid clicking or opening them.

 Previous PostYour Data and Devices are safe with SEQRITE
Next Post  Uncovering LockBit Black’s Attack Chain and Anti-forensic a...
Sathwik Ram Prakki

About Sathwik Ram Prakki

Sathwik Ram Prakki is working as a Security Researcher in Security Labs at Quick Heal. His focus areas are Threat Intelligence, Threat Hunting, and writing about...

Articles by Sathwik Ram Prakki »

Related Posts

  • ZTNA Use Cases and Benefits for BFSI

    May 19, 2025
  • Market Guide for Choosing the Right ZTNA Solution

    May 14, 2025
  • Protect What Matters Most with Data Discovery and Classification

    May 12, 2025
Featured Authors
  • Seqrite
    Seqrite

    Follow us for the latest updates and insights related to security for...

    Read more..
  • Sanjay Katkar
    Sanjay Katkar

    Sanjay Katkar is the Joint Managing Director of Quick Heal Technologies...

    Read more..
  • Mahua Chakrabarthy
    Mahua Chakrabarthy

    A tea connoisseur who firmly believes that life is too short for dull content....

    Read more..
Topics
apt (19) Cyber-attack (35) cyber-attacks (58) cyberattack (16) cyberattacks (13) Cybersecurity (322) cyber security (31) Cyber threat (33) cyber threats (48) Data (11) data breach (55) data breaches (28) data loss (28) data loss prevention (34) data privacy (11) data protection (24) data security (15) DLP (49) Encryption (16) endpoint security (107) Enterprise security (17) Exploit (14) firewall (11) GDPR (12) hackers (11) malware (76) malware attack (23) malware attacks (12) MDM (25) Microsoft (15) Network security (22) Patch Management (12) phishing (27) Ransomware (67) ransomware attack (30) ransomware attacks (30) ransomware protection (13) security (11) Seqrite (33) Seqrite Encryption (27) Seqrite EPS (33) Seqrite Services (16) UTM (34) Vulnerability (16) windows (11)
Loading
Resources
  • White Papers
  • Datasheets
  • Threat Reports
  • Manuals
  • Case Studies
About Us
  • About Seqrite
  • Leadership
  • Awards & Certifications
  • Newsroom
Archives
  • By Date
  • By Category
Loading

© 2025 Quick Heal Technologies Ltd. Cookie Policies Privacy Policies