A recent report reveals that three splinter groups from the infamous Conti cybercrime organization have adopted callback phishing as a primary method for breaching targeted networks. This technique marks a significant shift in their approach to cyberattacks.

Cybersecurity firm AdvIntel disclosed in a Wednesday report that these three independent threat groups—Silent Ransom, Quantum, and Roy/Zeon—have evolved unique phishing tactics based on this methodology. Their coordinated campaigns have notably escalated attacks against industries including finance, technology, legal, and insurance.

These actors emerged after Conti orchestrated its shutdown in May 2022, which followed a controversial public stance in support of Russia amid the ongoing Russo-Ukrainian conflict. The segmentation into independent units seems to have allowed them to innovate their tactics while maintaining a connection to Conti’s methodologies.

Known as BazaCall, this advanced phishing tactic gained notoriety between 2020 and 2021, initially employed by the Ryuk ransomware operators, who later rebranded as Conti. Recent updates to this method have reinforced its effectiveness, allowing attackers to exploit it further.

Unlike traditional phishing schemes that rely on harmful links or attachments within emails, BazaCall often involves sending messages that prompt victims to call a related phone number under the guise of addressing a supposed charge on their credit card. Upon making the call, victims are engaged by operatives from a fraudulent call center, deceived into granting remote access to their desktop to assist with canceling a non-existent subscription.

Once the attackers gain control, they can infiltrate the victim’s network and maintain access for future operations, such as data exfiltration. AdvIntel assessed that callback phishing marks a pivotal shift in ransomware deployment strategies, one deeply rooted in the practices Conti established.

Silent Ransom, recognized as the originator of BazarCall, was the first to separate from Conti in March 2022, and is now associated with numerous data extortion attacks. These attacks often involve phishing campaigns relying on deceptive emails about subscription expirations for services like Zoho Masterclass and Duolingo. This approach prioritizes accessing sensitive information to demand payment for not disclosing the stolen data.
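As an added illustration, not taken from the AdvIntel report or this article, the following Python sketch shows how a mail-filtering rule could surface the BazaCall pattern described above: a billing or subscription lure that carries a phone number but no links or attachments, so the phone call itself is the payload. The sample messages, the phone-number regex and the lure-term list are all constructed assumptions for the example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

@dataclass
class Message:
    subject: str
    body: str
    attachments: list[str] = field(default_factory=list)

# Assumed heuristics: a North American style phone number, any link, and the
# billing vocabulary that callback lures (e.g. fake subscription renewals) use.
PHONE_RE = re.compile(r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)")
URL_RE = re.compile(r"\b(?:https?://|www\.)\S+", re.I)
BILLING_TERMS = ("subscription", "renew", "charged", "charge", "invoice",
                 "trial", "cancel", "billing", "payment")
CALL_CUE_RE = re.compile(r"\b(?:call|phone|dial|contact)\b.{0,40}?\b(?:us|our|support|billing|customer)\b", re.I | re.S)

def classify(msg: Message) -> tuple[bool, list[str]]:
    """Return (flagged, reasons). Flag only when all three BazaCall signals
    coincide: a phone number, billing lure terms, and no link/attachment."""
    text = f"{msg.subject}\n{msg.body}"
    low = text.lower()
    reasons: list[str] = []
    phones = PHONE_RE.findall(text)
    if phones:
        reasons.append(f"phone number present: {phones[0].strip()}")
    terms = sorted({t for t in BILLING_TERMS if t in low})
    if len(terms) >= 2:
        reasons.append("billing/subscription lure terms: " + ", ".join(terms))
    payload_free = not URL_RE.search(text) and not msg.attachments
    if payload_free:
        reasons.append("no links or attachments; the call itself is the payload")
    if CALL_CUE_RE.search(text):
        reasons.append("explicit instruction to phone a number")
    flagged = bool(phones) and payload_free and len(terms) >= 2
    return flagged, reasons

def flagged_indices(messages: list[Message]) -> list[int]:
    return [i for i, m in enumerate(messages) if classify(m)[0]]

# Constructed samples: one callback lure, one legitimate receipt, one benign mail.
SAMPLES = [
    Message("Your Zoho Masterclass subscription has renewed",
            "Your annual subscription was charged $399.99 today. If you did not "
            "authorise this charge or wish to cancel, call our billing team at "
            "1-800-555-0123 within 24 hours."),
    Message("Your receipt", "Thanks for your payment. Manage your subscription at "
            "https://example.com/account or reply to this email.", ["receipt.pdf"]),
    Message("Welcome aboard", "Questions? Our support line is 1-800-555-0199, weekdays 9-5."),
]

if __name__ == "__main__":
    for i, m in enumerate(SAMPLES):
        print(i, classify(m))
```

The third sample shows why a phone number alone must not trigger the rule: legitimate mail routinely lists a support line, and only the combination with billing pressure and a link-free body matches the lure.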

These developments come alongside the findings from Israeli cybersecurity firm Sygnia, which noted that Silent Ransom’s operations are classified under the name Luna Moth. The success of their targeted phishing campaigns has led other Conti offshoots, Quantum and Roy/Zeon, to adopt similar strategies. These groups have particularly honed their phishing capabilities since mid-June 2022, each incorporating their own unique elements into the approach.

Quantum has been implicated in ransomware attacks affecting critical sectors, including the Costa Rican government networks. Meanwhile, Roy/Zeon has displayed a meticulous targeting approach, showing a preference for high-revenue companies. Roy/Zeon’s elaborate social engineering gives it a marked edge in tailoring the scheme to each target.

Notably, Quantum, associated with another RaaS group before being subsumed by Conti, employs increasingly refined spam campaigns that impersonate trusted brands. Such evolution reflects a broader trend of cybercriminals harnessing elevated social engineering tactics to make phishing schemes more sophisticated and difficult to distinguish from legitimate communications.

The trends of these phishing operations coincide with a decrease in ransomware incidents targeting industrial infrastructure, as confirmed by Dragos. The closure of Conti may have influenced this metric. Additionally, blockchain analytics firm Elliptic reported that the Ryuk and Conti groups laundered over $145 million in cryptocurrency through decentralized platforms, accentuating the ongoing exploitation of the unregulated nature of digital currencies.
