A trio of offshoots from the notorious Conti cybercrime cartel have resorted to the technique of call-back phishing as an initial access vector to breach targeted networks.
“Three autonomous threat groups have since adopted and independently developed their own targeted phishing tactics derived from the call back phishing methodology,” cybersecurity firm AdvIntel said in a Wednesday report.
These targeted campaigns “substantially increased” attacks against entities in finance, technology, legal, and insurance sectors, the company added.
The actors in question include Silent Ransom, Quantum, and Roy/Zeon, all of which split from Conti after the ransomware-as-a-service (RaaS) cartel orchestrated its shutdown in May 2022 following its public support for Russia in the ongoing Russo-Ukrainian conflict.
The advanced social engineering tactic, also called BazaCall (aka BazarCall), came under the spotlight in 2020/2021 when it was put to use by operators of the Ryuk ransomware, which later rebranded to Conti.
It’s said to have received substantial operational improvements in May, around the same time the Conti team was busy coordinating an organization-wide restructuring while simulating the movements of an active group.
The phishing attack is also unique in that it forgoes malicious links or attachments in email messages in favor of phone numbers that recipients are tricked into calling by alerting them of an upcoming charge on their credit card for a premium subscription.
If a target recipient falls for the scheme and decides to call the phone number indicated in the email, a real person from a fraudulent call center set up by BazaCall’s operators attempts to convince the victim to grant the customer service person remote desktop control to help cancel the supposed subscription.
With access to the desktop, the threat actor stealthily takes steps to infiltrate the user’s network as well as establish persistence for follow-on activities such as data exfiltration.
“Call back phishing was the tactic that enabled a widespread shift in the approach to ransomware deployment,” AdvIntel said, adding the “attack vector is intrinsically embedded into the Conti organizational tradition.”
Silent Ransom, the “progenitor of BazarCall” and the first derivative group to move away from Conti in March 2022, has since been linked to a string of data extortion attacks that entail gaining initial access through subscription expiry emails that claim to notify users of pending payment for Zoho Masterclass and Duolingo services.
“These attacks can be categorized as data breach ransom attacks, in which the main focus of the group is to gain access to sensitive documents and information, and demand payment to withhold publication of the stolen data,” Sygnia noted last month, describing the infection procedure.
The Israeli cybersecurity company is tracking the activities of Silent Ransom under the moniker Luna Moth.
The success of Silent Ransom’s highly specified phishing operations have also prompted two other Conti spin-offs, namely Quantum and Roy/Zeon, to follow the same approach starting mid-June 2022, while simultaneously giving their own spin.
While Quantum has been implicated in the devastating ransomware attacks on the Costa Rican government networks in May, Roy/Zeon – which consists of members “responsible for the creation of Ryuk itself” – has demonstrated an extremely selective targeting approach, typically favoring companies with high average revenue.
“Roy/Zeon, as the most skilled social engineer of the three groups, has the largest number of interchangeable and adjustable [Indicators of Compromise] and impersonation schemes that it selects from based on its target,” AdvIntel researchers Yelisey Boguslavskiy and Marley Smith pointed out.
It’s worth noting that Quantum, also known as the main Conti subdivision, takes its name from another RaaS group of the same name that appeared as a rebranded MountLocker operation in September 2021, before being consumed by Conti in April 2022 during its reorg.
Unlike Silent Ransom, which uses falsified emails imitating subscription notices as a lure, Quantum’s “increasingly sophisticated” spam campaigns are known to proliferate via missives impersonating brands like Oracle and CrowdStrike, as divulged by the cybersecurity firm itself last month.
“As threat actors have realized the potentialities of weaponized social engineering tactics, it is likely that these phishing operations will only continue to become more elaborate, detailed, and difficult to parse from legitimate communications as time goes on,” the researchers said.
The findings come as industrial cybersecurity company Dragos disclosed the number of ransomware attacks on industrial infrastructures decreased from 158 in the first quarter of 2022 to 125 in the second quarter, a drop it attributed with low confidence to Conti closing shop.
That’s not all. Blockchain analytics firm Elliptic revealed this week that the Russia-linked Ryuk and Conti groups have laundered over $145 million in crypto assets through RenBridge, a cross-chain bridge that allows virtual funds to be transferred between blockchains, since 2020, underscoring the continued abuse of the decentralized and unregulated nature of cryptocurrencies.