BravoMovies: Scammers use fake movie streaming service to trick people into downloading BazaLoader backdoor

The scam starts with an email telling people they can watch millions of movies and TV shows on BravoMovies

Security researchers at Proofpoint claim to have identified a new malware campaign that uses a fake movie streaming website to trick people into downloading malware on their devices.

According to researchers, the attackers have created a fake website for a movie streaming service called BravoMovies, which they have been using for the past month to spread the data-stealing BazaLoader malware and steal sensitive data from victims' systems.

The campaign starts with cyber criminals sending emails to people, telling them they can watch millions of movies and TV shows on BravoMovies for a small monthly fee.

The message, which also provides the company's phone number, warns recipients that they signed up for a free trial offer in the past and will now be charged the full £28 ($40) monthly subscription fee unless they cancel their plan.

If the recipient calls the phone number provided in the message, a scammer takes the call and guides the person to the firm's malicious website to help cancel their subscription.

The website, which looks professionally designed and convincing (with movie posters and pricing details), asks the user to input their personal details and then download an Excel document.

The document then asks the user for permission to "Enable Content" and uses malicious macros to download BazaLoader malware onto the device.

According to researchers, BazaLoader creates a backdoor that can be used later to deliver additional malware, including ransomware.

In the past, cyber criminals have used BazaLoader to deliver the notorious Ryuk ransomware.

"Using entertainment subscription themes may be a timely and effective method for convincing users to engage with the email content and follow-on malicious documents," the Proofpoint researchers said in an online post.

"During the Covid-19 pandemic in 2020, subscriptions to online streaming services skyrocketed, surpassing one billion users globally last year. But according to recent 2021 data, consumers are using fewer services while churning through free subscriptions and cancelling when their trials run out. BazaLoader threat actors are taking advantage of this human behaviour trend in the identified campaign," they added.

Earlier this month, researchers at Palo Alto's Unit 42 team also reported a similar campaign using BazaLoader malware. They named it "BazarCall" because it involved fake customer support representatives directing users to websites that delivered spreadsheets containing malicious macros.

In that campaign, the phishing emails claimed to come from a book service, warning about the trial subscription coming to an end.