cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Cyber security companies impersonated in call-back malware campaign

This week, CrowdStrike sent an alert to their customers warning of a call-back malware campaign that has been designed to impersonate CrowdStrike and other cyber security companies.

user iconReporter
Mon, 11 Jul 2022
Cyber security companies impersonated in call-back malware campaign
expand image

The phishing email implies the recipient’s company has been breached and insists the victim call the included phone number, according to CrowdStrike Intelligence. The campaign leverages similar social-engineering tactics to those employed in recent callback campaigns including WIZARD SPIDER’s 2021 BazarCall campaign.

CrowdStrike Intelligence identified the call-back phishing campaign impersonating cyber security companies on 8 July 2022 and has deduced this campaign would likely include common legitimate remote administration tools (RATs) for initial access, off-the-shelf penetration testing tools for lateral movement, and the deployment of ransomware or data extortion.

The call-back campaign has employed emails that appear to originate from prominent security companies. According to CrowdStrike Intelligence, the message claims the security company identified a potential compromise in the recipient's network. As with prior call-back campaigns, the operators provide a phone number for the recipient to call.


CrowdStrike Intelligence explains that historically, call-back campaign operators attempt to persuade victims to install commercial RAT software to gain an initial foothold on the network.

For example, CrowdStrike Intelligence team identified a similar call-back campaign in March 2022 in which threat actors installed AteraRMM followed by Cobalt Strike to assist with lateral movement and deploy additional malware.

While CrowdStrike Intelligence cannot currently confirm the variant in use, the call-back operators will likely use ransomware to monetise their operation. This assessment is made with moderate confidence, as 2021 BazarCall campaigns would eventually lead to Conti ransomware — though this ransomware-as-a-service (RaaS) recently ceased operations.

This is the first identified call-back campaign impersonating cyber security entities and has higher potential success given the urgent nature of cyber breaches.

The company asserts CrowdStrike will never contact customers in this manner and has urged any customers receiving an email that fit the description on their alert should forward phishing emails to the CrowdStrike team for investigation.

[Related: Russian hackers blamed for cyber attack on Ukrainian energy firm DTEK Group]

cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.