Archives 2021

Why doesn’t my webphone/Viciphone work anymore?


UPDATE: October of 2023

There is a new issue that has appeared since ViciPhone version 3 and CyburPhone version 3.2.5, and I will go over how to solve it for everyone. The new ViciDial feature that uses a Settings Container called “viciphone settings” has a setting, enabled by default, that makes the webphone dial its own extension, which results in a sound file telling you “The number you have dialed is not in service”. The solution is simple: you just need to change one line in the Settings Container as described below:

  1. Go into your Vicidial admin GUI
  2. Click on Admin and then Settings Containers
  3. Change the line that says “dialRegExten” from a 1 to a 0 as shown below

This will now fix your webphone. If you have any questions feel free to comment below or join our live support on Skype: https://join.skype.com/ujkQ7i5lV78O

2021 Issue Solution:

This article is to help those of you having problems with ViciPhone lately. It seems that Google's STUN server has reached end of life and no longer works correctly, so you need to change the STUN server to a different one. Here is a list of public STUN servers:

Free Public STUN servers

https://gist.github.com/mondain/b0ec1cf5f60ae726202e

How do I change my STUN server for viciphone?

Good question: you need to edit the rtp.conf file for Asterisk.

  • cd /etc/asterisk
  • nano rtp.conf
  • scroll down to the very bottom and change the STUN server entry to one from the list above
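
Before pointing rtp.conf at a server from that list, it is worth confirming the server actually answers, since the whole problem here was a STUN server that silently stopped working. The following is an added example (not part of the original post): it builds an RFC 5389 STUN Binding Request, parses the Binding Response and returns the reflexive address; the server name used in `main()` is a placeholder to replace with one from the list.

```python
"""Minimal STUN Binding check for an rtp.conf stunaddr candidate (added example)."""
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001
ATTR_XOR_MAPPED_ADDRESS = 0x0020


def build_binding_request(txn_id: bytes) -> bytes:
    """20-byte STUN header: type, length (0, no attributes), cookie, 96-bit txn id."""
    if len(txn_id) != 12:
        raise ValueError("transaction id must be 12 bytes")
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txn_id


def parse_binding_response(data: bytes, txn_id: bytes):
    """Return (ip, port) from a Binding Response, or raise ValueError.

    Checks the message type, the magic cookie and that the transaction id
    matches the request we sent, so a stray datagram is never mistaken
    for an answer.  Prefers XOR-MAPPED-ADDRESS, falling back to the
    classic MAPPED-ADDRESS that some older servers still send.
    """
    if len(data) < 20:
        raise ValueError("short STUN message")
    msg_type, msg_len, cookie = struct.unpack("!HHI", data[:8])
    if cookie != MAGIC_COOKIE or data[8:20] != txn_id:
        raise ValueError("not a response to our transaction")
    if msg_type != BINDING_SUCCESS:
        raise ValueError(f"unexpected STUN message type 0x{msg_type:04x}")
    body = data[20:20 + msg_len]
    if len(body) != msg_len:
        raise ValueError("truncated STUN body")
    mapped = None
    pos = 0
    while pos + 4 <= len(body):
        attr_type, attr_len = struct.unpack("!HH", body[pos:pos + 4])
        value = body[pos + 4:pos + 4 + attr_len]
        pos += 4 + ((attr_len + 3) // 4) * 4  # attribute values are padded to 32 bits
        if attr_type in (ATTR_MAPPED_ADDRESS, ATTR_XOR_MAPPED_ADDRESS) and attr_len >= 8:
            family, port = struct.unpack("!xBH", value[:4])
            if family != 0x01:  # IPv4 only in this example
                continue
            addr = value[4:8]
            if attr_type == ATTR_XOR_MAPPED_ADDRESS:
                port ^= MAGIC_COOKIE >> 16
                addr = bytes(a ^ b for a, b in zip(addr, struct.pack("!I", MAGIC_COOKIE)))
                return socket.inet_ntoa(addr), port
            mapped = (socket.inet_ntoa(addr), port)
    if mapped is None:
        raise ValueError("no mapped address in response")
    return mapped


def stun_check(host: str, port: int = 3478, timeout: float = 3.0):
    """Send one Binding Request over UDP and return the reflexive (ip, port)."""
    txn_id = os.urandom(12)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_binding_request(txn_id), (host, port))
        data, _ = sock.recvfrom(2048)
    return parse_binding_response(data, txn_id)


if __name__ == "__main__":
    # Placeholder host; substitute a server from the public list linked above.
    print(stun_check("stun.example.invalid"))
```

A server that times out or returns an error type here will not help ViciPhone either, so run this against the candidate before editing rtp.conf.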

That’s it, you're done. If you have any problems or questions feel free to comment below.

I hope this helps.

-Chris aka Nox

T-Mobile is fighting back against scam calls with 100% STIR/SHAKEN compliance

STIR/SHAKEN – What to know

BELLEVUE, Wash. — June 30, 2021 — T-Mobile (NASDAQ: TMUS) today announced that it has filed a certification of completion of STIR/SHAKEN implementation in the Federal Communications Commission’s Robocall Mitigation Database. With the filing, the Un-carrier is certifying that all calls originating on the T-Mobile network are 100% STIR/SHAKEN compliant.


T-Mobile was the first US wireless provider to work with all other major networks to implement STIR/SHAKEN to fight number spoofing and further protect customers from scammers. With these partnerships, T-Mobile authenticates calls with wireless and network providers that collectively represent around 98% of wireless customers in the U.S.

Number Verification provided by STIR/SHAKEN, coupled with free Caller ID provided by T-Mobile Scam Shield, helps T-Mobile customers rest assured that the calls they receive are authenticated as coming from the phone number displayed in Caller ID and have not been spoofed. This makes Caller ID even stronger in the fight against scam and robocalls, and with Scam Shield, all T-Mobile, Metro by T-Mobile and Sprint brand individuals, families and small business get free Caller ID.

T-Mobile currently provides STIR/SHAKEN implementations with AT&T, Comcast, Spectrum Voice from Charter Communications, UScellular, and Verizon Wireless as well as Altice USA, Bandwidth, Brightlink, Clear Rate, Google Fi, Inteliquent, Intrado, Magicjack, Peerless, and Twilio.

What you need to know

  • Calls originating on the T-Mobile network are 100% STIR/SHAKEN compliant.
  • T-Mobile has implemented STIR/SHAKEN with 15 other carriers.
  • STIR/SHAKEN works with T-Mobile’s Caller ID to make sure the displayed number is accurate.

Scam and spam calls can often come from a number that looks familiar or spoofs another trusted number, so a traditional caller ID may not be effective against these calls. STIR/SHAKEN works to verify that a call is coming from the claimed source.

John Freier, Executive Vice President of T-Mobile Consumer Group, said:

Number Verification, along with Caller ID, and the scam identification and blocking tools in Scam Shield, gives our customers the industry’s most comprehensive free scam and spam protection.

We were first to implement number verification in 2019 and today, all calls originating on the T-Mobile network are 100% STIR/SHAKEN compliant, giving our customers peace of mind that their calls are protected against scammers and spammers.

STIR/SHAKEN (Secure Telephone Identity Revisited and Signature-based Handling of Asserted Information Using toKENs) is a method of verifying that phone calls made over IP actually come from the claimed origin by having the caller ID signed by the originating carrier. Calls made over IP are routed over the Internet Protocol, and the FCC requires STIR/SHAKEN for them. This method is now being used by every major carrier, including T-Mobile, as it increases its reliance on 5G coverage, which uses IP for calls.

How can my business become STIR/SHAKEN compliant?

That’s simple. Sign up with the pioneers of this new STIR/SHAKEN technology and leading VoIP providers in the world at www.tiltx.com. We also invite you to check out our webinar featuring the guys from TILTX and Matt Florell from the ViciDial Group, which goes over how this technology works and how to implement it on your system with “the easy button”. They have really made this process extremely easy, and we are always here to help you do it on your system if you need help. Just call us at 844-PC-SATA-2 or 1(725)22-CYBUR.

Do you provide STIR/SHAKEN service?

Great question, yes we do. We offer two plans of service: one which covers only your cloud-based phone system hosting, starting at just $15 USD per user, or an all-inclusive plan which comes with everything you need to run your business, including the phone system with unlimited STIR/SHAKEN minutes and compliant DID phone numbers, customer relationship management, a full security module including ransomware protection, timeclock and human resources modules and much more, with prices starting as low as $85 USD per user. For more information click here.

How to – Integrate STIR/SHAKEN into Vicidial


This document (written by Matt Florell) covers the TILTX SHAKEN (Call Shaper) API service features and how they integrate into VICIdial.

NOTE: you will need to use the VICIdial svn/trunk revision 3449 or higher on all servers in your cluster to use this feature.



What is the TILTX SHAKEN (Call Shaper) API service?

This service requires an AGI script (agi-TILTX_SHAKEN.agi) to be run before each call is placed through your dialer. It will tag the call with the SIP headers "X-TILTX-ID", "Identity" and "CAID", using the values that TILTX returns, so your carrier can route the call properly. There are also optional service features that allow for a National Do-Not-Call (DNC) list check and a Disconnected-number check, as well as the CallerID Number validation/replacement "NumberRisk" service.

Reference TILTX URLs:
https://tiltx.zendesk.com/hc/en-us/articles/360060683571-TILTX-Call-Shaper-Module
https://tiltx.zendesk.com/hc/en-us/articles/4402421951885



How to set up TILTX Call Shaper on your VICIdial system:

REQUIREMENT 1: To use this feature, you will have to get a valid API Key from TILTX and create a new VICIdial Settings Container entry with the Container ID of "TILTX_SHAKEN_API_KEY", and place only the TILTX API key into the Container Entry.

REQUIREMENT 2: You will need to have the VICIdial svn/trunk revision 3449 or higher installed on all servers in your VICIdial cluster.

REQUIREMENT 3: You will need to put a dialplan entry similar to the following into your Carrier Dialplan BEFORE the line where the call is placed out through your carrier:
exten => _91NXXNXXXXXX,n,AGI(/var/lib/asterisk/agi-bin/agi-TILTX_SHAKEN.agi,${EXTEN:-10}-----${CALLERID(num)}-----YES-----)

NOTE: Here are the configurable CLI flags (positional arguments, separated by "-----") for the above AGI script:
  1. Phone number being called (USE DIALPLAN VARIABLE like '${EXTEN:-10}')
  2. CallerID number being sent with call (USE DIALPLAN VARIABLE like '${CALLERID(num)}')
  3. (YES/NO) whether to speak error messages or not, default 'NO'
  4. Settings Container ID (override) to use for TILTX API settings, default 'TILTX_SHAKEN_API_KEY' if empty
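
The following is an added example, not the AGI script itself and not code from TILTX or the ViciDial Group: it models the argument convention the dialplan line above uses (four fields joined by "-----", with the documented defaults for fields 3 and 4), so you can check what a given dialplan entry will hand the script before it sits in front of live calls. The `${EXTEN:-10}` helper follows Asterisk's "last 10 characters" substring rule; the NANP validation rule is this example's own assumption, not something the script is documented to enforce.

```python
"""Build and parse the agi-TILTX_SHAKEN.agi argument string (added example)."""
import re
from dataclasses import dataclass

SEPARATOR = "-----"
DEFAULT_CONTAINER = "TILTX_SHAKEN_API_KEY"
# Assumed validation: a 10-digit NANP number, NXXNXXXXXX.
NANP_NUMBER = re.compile(r"^[2-9]\d{2}[2-9]\d{6}$")


@dataclass(frozen=True)
class ShakenAgiArgs:
    dialed_number: str
    callerid_number: str
    speak_errors: bool
    container_id: str


def exten_last_n(exten: str, n: int = 10) -> str:
    """Asterisk ${EXTEN:-10}: the last 10 characters of the dialed extension.
    For a _91NXXNXXXXXX match this drops the leading '91' prefix."""
    return exten[-n:]


def build_agi_args(exten: str, callerid_num: str, speak_errors: bool = True,
                   container_id: str = "") -> str:
    """Produce the string the dialplan passes: '<number>-----<cid>-----YES-----'."""
    return SEPARATOR.join([
        exten_last_n(exten),
        callerid_num,
        "YES" if speak_errors else "NO",
        container_id,
    ])


def parse_agi_args(raw: str) -> ShakenAgiArgs:
    """Split the argument string and apply the documented defaults,
    rejecting a malformed dialed number or CallerID up front."""
    fields = raw.split(SEPARATOR)
    if len(fields) != 4:
        raise ValueError(f"expected 4 fields separated by {SEPARATOR!r}, got {len(fields)}")
    number, cid, speak, container = (f.strip() for f in fields)
    if not NANP_NUMBER.match(number):
        raise ValueError(f"dialed number {number!r} is not a 10-digit NANP number")
    if not NANP_NUMBER.match(cid):
        raise ValueError(f"CallerID {cid!r} is not a 10-digit NANP number")
    speak_flag = speak.upper() or "NO"          # field 3 defaults to NO
    if speak_flag not in ("YES", "NO"):
        raise ValueError(f"speak-errors flag must be YES or NO, got {speak!r}")
    return ShakenAgiArgs(number, cid, speak_flag == "YES",
                         container or DEFAULT_CONTAINER)  # field 4 default


if __name__ == "__main__":
    # Constructed sample values: a dialed 91NXXNXXXXXX string and a campaign CallerID.
    raw = build_agi_args("913125550123", "2125550100")
    print(raw)
    print(parse_agi_args(raw))
```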


New VICIdial statuses used (if you are subscribed to these TILTX services):
ADCCAR - Disconnect Carrier-Defined
DNCCAR - DNC Carrier-Defined




Advanced Options:

You can override the hard-coded TILTX Call Shaper API URL "https://api.shaper.tiltx.com/Calls/shaper" by adding a second line to the Settings Container that looks like the following:

URL=>https://api.shaper.tiltx.com/Calls/shaper



Advanced Debug:

To see that the SIP headers are being set properly, add the following line to your dialplan (in extensions.conf, after the 8368 "Playback" line), then reload your Asterisk dialplan and place a test call through the campaign detail screen:

exten => 8368,n,Verbose("X-CIDNAME:${SIP_HEADER(X-CIDNAME)}, X-TILTX-ID:${SIP_HEADER(X-TILTX-ID)}, Identity:${SIP_HEADER(Identity)}, CAID:${SIP_HEADER(CAID)}")

How do I get an API key for this?

That’s easy, send an email over to 007@tiltx.com and they will set you up.

Introduction to STIR/SHAKEN Webinar


We will be holding a webinar on Thursday, June 17th with special guests from the pioneers in STIR/SHAKEN technology at www.tiltx.com and Matt Florell from the ViciDial Group. The live event link will be shared the day of the webinar. Please stay tuned for more info.

To be prepared for today's webinar, please reference this post: https://dialer.one/how-to-integrate-stir-shaken-into-vicidial/

Here is the link for the recording from the webinar (the password to watch it is v97z$O9C):

https://us02web.zoom.us/rec/play/DYKyCFGMn3A23DOaKuUG5DrbF9LcuEK3uuckDeiZTpVS46BhapyY6N8zF36vxTHyMqs7d0mN6GUHQHIa.wDqVOeE-5fM28kjt

Thank you all for attending and I hope to see your calls becoming compliant with this new technology and have a great rest of the year in your business ventures!

-Chris aka carpenox

How to – Scratch install Vicidial on CentOS 8


This article will go over how to do a scratch install of Vicidial on CentOS 8. The majority of this was mapped out by Steve @ GenXoutsourcing. Thanks, Steve!

UPDATE: 6/13/21: Special thanks to arx001 from the Vicidial Group Forums for helping me debug these instructions.

sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config

Set Default Editor to nano:
yum -y install nano

nano /etc/bashrc

Then add this line at the bottom:
export EDITOR="nano"

timedatectl set-timezone America/New_York


If rc.local does not work:

chmod +x /etc/rc.d/rc.local
systemctl enable rc-local
systemctl start rc-local
systemctl status rc-local

yum check-update
yum -y install epel-release
reboot

yum update -y
reboot

yum groupinstall "Development Tools" -y

reboot

yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
yum -y install http://rpms.remirepo.net/enterprise/remi-release-8.rpm
yum -y install yum-utils
dnf module enable php:remi-7.4


sudo dnf install -y mariadb-server

sudo dnf -y install dnf-plugins-core
sudo dnf config-manager --set-enabled powertools


yum install -y php php-mcrypt php-cli php-gd php-curl php-mysql php-ldap php-zip php-fileinfo php-opcache wget unzip make patch gcc gcc-c++ subversion php php-devel php-gd gd-devel readline-devel php-mbstring php-mcrypt php-imap php-ldap php-mysql php-odbc php-pear php-xml php-xmlrpc curl curl-devel perl-libwww-perl ImageMagick libxml2 libxml2-devel httpd libpcap libpcap-devel libnet ncurses ncurses-devel screen kernel* mutt glibc.i686 certbot python3-certbot-apache mod_ssl openssl-devel newt-devel libxml2-devel kernel-devel sqlite-devel libuuid-devel sox sendmail lame-devel htop iftop perl-File-Which php-opcache libss7 mariadb-devel libss7* libopen* 

systemctl start mariadb
mysql_secure_installation
systemctl enable mariadb

systemctl stop mariadb
cp /etc/my.cnf /etc/my.cnf.original
echo "" > /etc/my.cnf

nano /etc/my.cnf ; copy the below config to this file.

####################################################################################################

[mysql.server]
user = mysql
#basedir = /var/lib

[client]
port = 3306
socket = /var/lib/mysql/mysql.sock

[mysqld]
datadir = /var/lib/mysql
#tmpdir = /home/mysql_tmp
socket = /var/lib/mysql/mysql.sock
user = mysql
old_passwords = 0
ft_min_word_len = 3
max_connections = 800
max_allowed_packet = 32M
skip-external-locking
sql_mode="NO_ENGINE_SUBSTITUTION"

log-error = /var/log/mysqld/mysqld.log

query-cache-type = 1
query-cache-size = 32M

long_query_time = 1
#slow_query_log = 1
#slow_query_log_file = /var/log/mysqld/slow-queries.log

tmp_table_size = 128M
table_cache = 1024

join_buffer_size = 1M
key_buffer = 512M
sort_buffer_size = 6M
read_buffer_size = 4M
read_rnd_buffer_size = 16M
myisam_sort_buffer_size = 64M

max_tmp_tables = 64

thread_cache_size = 8
thread_concurrency = 8

# If using replication, uncomment log-bin below
#log-bin = mysql-bin

[mysqldump]
quick
max_allowed_packet = 16M

[mysql]
no-auto-rehash

[isamchk]
key_buffer = 256M
sort_buffer_size = 256M
read_buffer = 2M
write_buffer = 2M

[myisamchk]
key_buffer = 256M
sort_buffer_size = 256M
read_buffer = 2M
write_buffer = 2M

[mysqlhotcopy]
interactive-timeout

[mysqld_safe]
#log-error = /var/log/mysqld/mysqld.log
#pid-file = /var/run/mysqld/mysqld.pid

####################################################################################################


mkdir /var/log/mysqld
touch /var/log/mysqld/slow-queries.log
chown -R mysql:mysql /var/log/mysqld
systemctl restart mariadb

####################################################################################################


Install the Perl Modules
yum install -y perl-CPAN perl-YAML perl-libwww-perl perl-DBI perl-DBD-MySQL perl-GD perl-Env perl-Term-ReadLine-Gnu perl-SelfLoader perl-open.noarch

cpan -i Tk String::CRC Tk::TableMatrix Net::Address::IP::Local Term::ReadLine::Gnu Spreadsheet::Read Net::Address::IPv4::Local RPM::Specfile Spreadsheet::XLSX Spreadsheet::ReadSXC MD5 Digest::MD5 Digest::SHA1 Bundle::CPAN Pod::Usage Getopt::Long DBI DBD::mysql Net::Telnet Time::HiRes Net::Server Mail::Sendmail Unicode::Map Jcode Spreadsheet::WriteExcel OLE::Storage_Lite Proc::ProcessTable IO::Scalar Scalar::Util Spreadsheet::ParseExcel Archive::Zip Compress::Raw::Zlib Spreadsheet::XLSX Test::Tester Spreadsheet::ReadSXC Text::CSV Test::NoWarnings Text::CSV_PP File::Temp Text::CSV_XS Spreadsheet::Read LWP::UserAgent HTML::Entities HTML::Strip HTML::FormatText HTML::TreeBuilder Switch Time::Local Mail::POP3Client Mail::IMAPClient Mail::Message IO::Socket::SSL readline

cd /usr/bin/
curl -LOk http://xrl.us/cpanm
chmod +x cpanm


cpanm -f File::HomeDir
cpanm -f File::Which
cpanm CPAN::Meta::Requirements
cpanm -f CPAN
cpanm YAML
cpanm MD5
cpanm Digest::MD5
cpanm Digest::SHA1
cpanm readline


cpanm Bundle::CPAN
cpanm DBI
cpanm -f DBD::mysql
cpanm Net::Telnet
cpanm Time::HiRes
cpanm Net::Server
cpanm Switch
cpanm Mail::Sendmail
cpanm Unicode::Map
cpanm Jcode
cpanm Spreadsheet::WriteExcel
cpanm OLE::Storage_Lite
cpanm Proc::ProcessTable
cpanm IO::Scalar
cpanm Spreadsheet::ParseExcel
cpanm Curses
cpanm Getopt::Long
cpanm Net::Domain
cpanm Term::ReadKey
cpanm Term::ANSIColor
cpanm Spreadsheet::XLSX
cpanm Spreadsheet::Read
cpanm LWP::UserAgent
cpanm HTML::Entities
cpanm HTML::Strip
cpanm HTML::FormatText
cpanm HTML::TreeBuilder
cpanm Time::Local
cpanm MIME::Decoder
cpanm Mail::POP3Client
cpanm Mail::IMAPClient
cpanm Mail::Message
cpanm IO::Socket::SSL
cpanm MIME::Base64
cpanm MIME::QuotedPrint
cpanm Crypt::Eksblowfish::Bcrypt
cpanm Crypt::RC4
cpanm Text::CSV
cpanm Text::CSV_XS

####################################################################################################


cd /usr/src
wget http://download.vicidial.com/required-apps/asterisk-perl-0.08.tar.gz
tar xzf asterisk-perl-0.08.tar.gz
cd asterisk-perl-0.08
perl Makefile.PL
make all
make install 

dnf --enablerepo=powertools install libsrtp-devel -y
yum install -y elfutils-libelf-devel libedit-devel

cd /usr/src
wget http://downloads.sourceforge.net/project/lame/lame/3.99/lame-3.99.5.tar.gz
tar -zxf lame-3.99.5.tar.gz
cd lame-3.99.5
./configure
make
make install

cd /usr/src/
wget https://digip.org/jansson/releases/jansson-2.13.tar.gz
tar xvzf jansson*
cd jansson-2.13
./configure
make clean
make
make install 
ldconfig

UPDATE: 6/22/21 - Thanks to @Ankit for catching the wrong directory below.

cd /usr/src/
wget https://downloads.asterisk.org/pub/telephony/dahdi-linux-complete/dahdi-linux-complete-current.tar.gz
tar xzf dahdi*
cd /usr/src/dahdi-linux-complete-3.1.0+3.1.0/
nano /usr/src/dahdi-linux-complete-3.1.0+3.1.0/linux/include/dahdi/kernel.h
remove the line: #include <linux/pci-aspm.h>
make
make install
make install-config
(if you get an error here about 4.18.0-305.7.1.el8_4.x86_64 missing then do "yum install *4.18.0-305.7.1.el8_4.x86_64")

yum install dahdi-tools-libs

cd tools
make clean
make
make install
make install-config

If /usr/sbin/dahdi_cfg -vvvvvvvvvvvvv gives an error,
rename (or copy) the file "system.conf.sample" to "system.conf".


cd /usr/src/
wget http://downloads.asterisk.org/pub/telephony/libpri/libpri-1.6.0.tar.gz
tar xzf libpri-1.6.0.tar.gz
cd /usr/src/libpri-1.6.0
make clean
make
make install

nano  /etc/php.ini
error_reporting  =  E_ALL & ~E_NOTICE
memory_limit = 128M
short_open_tag = On
max_execution_time = 330
max_input_time = 360
post_max_size = 100M
upload_max_filesize = 42M
default_socket_timeout = 360
date.timezone = Europe/Rome

cd /usr/src/
wget http://download.vicidial.com/required-apps/asterisk-13.29.2-vici.tar.gz
tar xzf asterisk-13.29.2-vici.tar.gz
cd /usr/src/asterisk-13.29.2/
./configure --libdir=/usr/lib64 --with-pjproject-bundled --with-jansson-bundled
make clean
make menuselect    ; ####### select chan_meetme 
make
make install
make samples
make config


mkdir /usr/src/astguiclient
cd /usr/src/astguiclient
svn checkout svn://svn.eflo.net:3690/agc_2-X/trunk


mysql
SET GLOBAL connect_timeout=60;
CREATE DATABASE `asterisk` DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci;
CREATE USER 'cron'@'localhost' IDENTIFIED BY '1234';
GRANT SELECT,INSERT,UPDATE,DELETE,LOCK TABLES on asterisk.* TO cron@'%' IDENTIFIED BY '1234';
CREATE USER 'custom'@'localhost' IDENTIFIED BY 'custom1234';
GRANT SELECT,INSERT,UPDATE,DELETE,LOCK TABLES on asterisk.* TO custom@'%' IDENTIFIED BY 'custom1234';
GRANT SELECT,INSERT,UPDATE,DELETE,LOCK TABLES on asterisk.* TO cron@localhost IDENTIFIED BY '1234';
GRANT SELECT,INSERT,UPDATE,DELETE,LOCK TABLES on asterisk.* TO custom@localhost IDENTIFIED BY 'custom1234';
GRANT RELOAD ON *.* TO cron@'%';
GRANT RELOAD ON *.* TO cron@localhost;
GRANT RELOAD ON *.* TO custom@'%';
GRANT RELOAD ON *.* TO custom@localhost;
flush privileges;
use asterisk;
\. /usr/src/astguiclient/trunk/extras/MySQL_AST_CREATE_tables.sql
\. /usr/src/astguiclient/trunk/extras/first_server_install.sql
ALTER TABLE phones ALTER template_id SET DEFAULT '';
\. /usr/src/astguiclient/trunk/extras/sip-iax_phones.sql
quit

cd /usr/src/astguiclient/trunk
mkdir /usr/share/astguiclient
mkdir /var/log/astguiclient
mkdir /var/spool/asterisk/monitorDONE
perl install.pl

 Copy Asterisk Settings=Yes + Server webroot path=/var/www/html

####################################################################################################


/usr/share/astguiclient/ADMIN_area_code_populate.pl
/usr/share/astguiclient/ADMIN_update_server_ip.pl --old-server_ip=10.10.10.15

####################################################################################################


nano /etc/rc.local

### paste this below: 

#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local

# OPTIONAL enable ip_relay(for same-machine trunking and blind monitoring)
/usr/share/astguiclient/ip_relay/relay_control start 2>/dev/null 1>&2

# Disable console blanking and powersaving
/usr/bin/setterm -blank
/usr/bin/setterm -powersave off
/usr/bin/setterm -powerdown

### start up the MySQL server
systemctl restart mariadb.service

### start up the apache web server (the service is named httpd on CentOS, not apache2)
systemctl restart httpd

### roll the Asterisk logs upon reboot
/usr/share/astguiclient/ADMIN_restart_roll_logs.pl

### clear the server-related records from the database
/usr/share/astguiclient/AST_reset_mysql_vars.pl

### load dahdi drivers
modprobe dahdi
/usr/sbin/dahdi_cfg -vvvvvvvvvvvvv

### sleep for 20 seconds before launching Asterisk
sleep 20

### start up asterisk
/usr/share/astguiclient/start_asterisk_boot.pl


####################################################################################################

crontab -e

### paste below:

### recording mixing/compressing/ftping scripts
#0,3,6,9,12,15,18,21,24,27,30,33,36,39,42,45,48,51,54,57 * * * * /usr/share/astguiclient/AST_CRON_audio_1_move_mix.pl
0,3,6,9,12,15,18,21,24,27,30,33,36,39,42,45,48,51,54,57 * * * * /usr/share/astguiclient/AST_CRON_audio_1_move_mix.pl --MIX
0,3,6,9,12,15,18,21,24,27,30,33,36,39,42,45,48,51,54,57 * * * * /usr/share/astguiclient/AST_CRON_audio_1_move_VDonly.pl
1,4,7,10,13,16,19,22,25,28,31,34,37,40,43,46,49,52,55,58 * * * * /usr/share/astguiclient/AST_CRON_audio_2_compress.pl --GSM
#2,5,8,11,14,17,20,23,26,29,32,35,38,41,44,47,50,53,56,59 * * * * /usr/share/astguiclient/AST_CRON_audio_3_ftp.pl --GSM

### keepalive script for astguiclient processes
* * * * * /usr/share/astguiclient/ADMIN_keepalive_ALL.pl --cu3way

### kill Hangup script for Asterisk updaters
* * * * * /usr/share/astguiclient/AST_manager_kill_hung_congested.pl

### updater for voicemail
* * * * * /usr/share/astguiclient/AST_vm_update.pl

### updater for conference validator
* * * * * /usr/share/astguiclient/AST_conf_update.pl

### flush queue DB table every hour for entries older than 1 hour
11 * * * * /usr/share/astguiclient/AST_flush_DBqueue.pl -q

### fix the vicidial_agent_log once every hour and the full day run at night
33 * * * * /usr/share/astguiclient/AST_cleanup_agent_log.pl
50 0 * * * /usr/share/astguiclient/AST_cleanup_agent_log.pl --last-24hours
## uncomment below if using QueueMetrics
#*/5 * * * * /usr/share/astguiclient/AST_cleanup_agent_log.pl --only-qm-live-call-check

## uncomment below if using Vtiger
#1 1 * * * /usr/share/astguiclient/Vtiger_optimize_all_tables.pl --quiet

### updater for VICIDIAL hopper
* * * * * /usr/share/astguiclient/AST_VDhopper.pl -q

### adjust the GMT offset for the leads in the vicidial_list table
1 1,7 * * * /usr/share/astguiclient/ADMIN_adjust_GMTnow_on_leads.pl --debug

### reset several temporary-info tables in the database
2 1 * * * /usr/share/astguiclient/AST_reset_mysql_vars.pl

### optimize the database tables within the asterisk database
3 1 * * * /usr/share/astguiclient/AST_DB_optimize.pl

## adjust time on the server with ntp
30 * * * * /usr/sbin/ntpdate -u pool.ntp.org 2>/dev/null 1>&2

### VICIDIAL agent time log weekly and daily summary report generation
2 0 * * 0 /usr/share/astguiclient/AST_agent_week.pl
22 0 * * * /usr/share/astguiclient/AST_agent_day.pl

### VICIDIAL campaign export scripts (OPTIONAL)
#32 0 * * * /usr/share/astguiclient/AST_VDsales_export.pl
#42 0 * * * /usr/share/astguiclient/AST_sourceID_summary_export.pl

### remove old recordings more than 7 days old
#24 0 * * * /usr/bin/find /var/spool/asterisk/monitorDONE -maxdepth 2 -type f -mtime +7 -print | xargs rm -f

### roll logs monthly on high-volume dialing systems
#30 1 1 * * /usr/share/astguiclient/ADMIN_archive_log_tables.pl

### remove old vicidial logs and asterisk logs more than 2 days old
28 0 * * * /usr/bin/find /var/log/astguiclient -maxdepth 1 -type f -mtime +2 -print | xargs rm -f
29 0 * * * /usr/bin/find /var/log/asterisk -maxdepth 3 -type f -mtime +2 -print | xargs rm -f
30 0 * * * /usr/bin/find / -maxdepth 1 -name "screenlog.0*" -mtime +4 -print | xargs rm -f

### cleanup of the scheduled callback records
25 0 * * * /usr/share/astguiclient/AST_DB_dead_cb_purge.pl --purge-non-cb -q

### GMT adjust script - uncomment to enable
#45 0 * * * /usr/share/astguiclient/ADMIN_adjust_GMTnow_on_leads.pl --list-settings

### Dialer Inventory Report
1 7 * * * /usr/share/astguiclient/AST_dialer_inventory_snapshot.pl -q --override-24hours

### inbound email parser
* * * * * /usr/share/astguiclient/AST_inbound_email_parser.pl



################ END PASTE HERE ####################


nano /etc/httpd/conf/httpd.conf

To disable logging, change:

CustomLog logs/access_log combined
        to this:
CustomLog /dev/null common

################

nano /etc/httpd/conf.d/record.conf

Alias /RECORDINGS/ "/var/spool/asterisk/monitorDONE/"

<Directory "/var/spool/asterisk/monitorDONE">
    Options Indexes MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
    Require all granted 
        <files *.mp3>
            Forcetype application/forcedownload
        </files>
</Directory>
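
The block above serves the recordings directory with directory listing on and access granted to every client, which means anyone who can reach Apache can browse and download call recordings; the firewall and IP-whitelist steps in the "Secure Vicidial" article later on this page are what stand between that alias and the internet. The following is an added example, not part of the guide: a small checker that parses an Apache <Directory> block and reports those two settings, alongside a hardened variant of the same alias. RECORD_CONF is a constructed copy of the guide's file; the checks and the assumed agent subnet in HARDENED_CONF are this example's own.

```python
"""Audit an Apache <Directory> block for settings that expose call recordings (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed copy of the record.conf from the guide.
RECORD_CONF = '''Alias /RECORDINGS/ "/var/spool/asterisk/monitorDONE/"

<Directory "/var/spool/asterisk/monitorDONE">
    Options Indexes MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
    Require all granted
        <files *.mp3>
            Forcetype application/forcedownload
        </files>
</Directory>
'''

# Same alias with listing off and access limited to an assumed agent subnet.
HARDENED_CONF = '''<Directory "/var/spool/asterisk/monitorDONE">
    Options -Indexes
    AllowOverride None
    Require ip 203.0.113.0/24
</Directory>
'''

DIRECTORY_RE = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>',
                          re.IGNORECASE | re.DOTALL)


def parse_directory_blocks(conf: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map each <Directory> path to its (directive, arguments) pairs.
    Nested containers such as <files> are flattened: their tags are skipped
    and their directives are attributed to the enclosing Directory."""
    blocks = {}
    for path, body in DIRECTORY_RE.findall(conf):
        directives = []
        for raw in body.splitlines():
            line = raw.strip()
            if not line or line.startswith("<") or line.startswith("#"):
                continue
            name, _, args = line.partition(" ")
            directives.append((name.lower(), args.strip()))
        blocks[path] = directives
    return blocks


def audit_recordings_dir(conf: str, marker: str = "monitorDONE") -> List[str]:
    """Findings for every Directory block whose path contains the recordings dir."""
    findings = []
    for path, directives in parse_directory_blocks(conf).items():
        if marker not in path:
            continue
        for name, args in directives:
            options = {t.lower() for t in args.split()}
            if name == "options" and options & {"indexes", "+indexes"}:
                findings.append(f"{path}: 'Options {args}' produces a browsable "
                                "listing of every recording")
            elif name == "require" and args.lower() == "all granted":
                findings.append(f"{path}: 'Require all granted' serves recordings "
                                "to every client the firewall lets reach Apache")
            elif name == "allow" and args.lower() == "from all":
                findings.append(f"{path}: 'Allow from all' (2.2-style) has the "
                                "same effect as 'Require all granted'")
    return findings


if __name__ == "__main__":
    for finding in audit_recordings_dir(RECORD_CONF):
        print(finding)
    print("hardened findings:", audit_recordings_dir(HARDENED_CONF))
```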


################


for synchronization problems:

yourserverip/vicidial/admin.php
go to  Admin-> Servers-> update Asterisk Version: 13.29.2-vici
Or if you prefer the video version, watch our friend Harold's YouTube video.

How to – Upgrade OpenSuSE from Leap 15.1 to 15.2 or 15.3


This brief tutorial covers how to upgrade OpenSuSE from Leap 15.1 to 15.2 or 15.3. Just change 15.2 to 15.3 in any of the steps below to go to 15.3 instead.

Step 1 – Preparing for upgrade by enabling the proper repository

zypper modifyrepo --enable openSUSE-Leap-15.1-Update
zypper ref
zypper up

Step 2 – Change the existing repos to the new ones

This next part will change the repos to 15.2, and then we will start the fun part.

files="$(zypper lr -u | awk -F'|' '$4 ~ /Yes/ { gsub (" ", "", $2); r="/etc/zypp/repos.d/"$2".repo"; print r }')"
for f in $files
do
  echo "Backup of $f saved to /root/ before patching it up ..."
  cp -f "$f" /root/
  sed -i 's+/leap/15.1+/leap/$releasever+' "$f"
  sed -i 's+15.1.1+15.2+' "$f"
  sed -i 's+15.1+15.2+' "$f"
done

Step 3 – Update and reboot

zypper --releasever=15.2 ref
zypper --releasever=15.2 dup
reboot

If you have any problems, just comment here and I will help you out the best I can or you can drop by our Skype Group chat: https://join.skype.com/ujkQ7i5lV78O . Hope this helps a lot of you out there.


Make sure you copy mod_php7.conf to php7.conf, or the dynportal and audiostore conf files will cause Apache to have errors. You can do so with the following command:

cp /etc/apache2/conf.d/mod_php7.conf /etc/apache2/conf.d/php7.conf

I hope this helps.

-Nox

How to – Secure Vicidial, correctly. Part 1


This article will show you how to secure a Vicidial server correctly. This is definitely one of the topics I am asked about the most, so this will be a multipart series covering different “layers” of security, from the basic way you need to secure your system in today's remote world to advanced measures such as encrypted passwords, encrypted recordings, two-factor authentication and more.


The steps I will cover in this article, will be the steps to take once you have finished installing a fresh Vicidial server. It will cover a single server setup, not a cluster which requires some additional steps to be shown later on in this series. This article will also presume you are setting this up for remote access, not just local. Let’s get started.



Step 1 – Setup access through YAST firewall.

At the Linux CLI, type “yast firewall” and the following screen will pop up:


Go down to “Interfaces” and select your NIC card that has WAN access and change the zone from default to public:

Change default zone to public

Then TAB over to the public zone and remove all entries but apache2-ssl and ssh, then add viciportal-ssl.

Public Zone services to allow

Finally, add these services to your “Trusted” zone and TAB over to [Accept] and press enter.

Trusted Zone services to allow

This completes the first step for securing your Vicidial server’s firewall access.


Step 2 – Granting access for Dynamic portal & IP whitelist access only through the VB-firewall crontab entry

The next thing you need to do is change the crontab entry from blacklist being blocked to whitelist and dynamic access only. To do so, type “crontab -e” at your Linux CLI and you should see the following:


“Page down” until you see the VB-firewall entries near the bottom and change them as you see below:

Make the changes you see above and press Ctrl+X to save, then follow the prompts to confirm.

Ok, so the steps above will prepare your server for the next steps of this process, which I have already written up in other articles; I will link them here for easy navigation.


Step 3 – Enabling IP Whitelist

You can follow my blog post about IP whitelist, here.


Step 4 – Setting up the dynamic portal

You can follow the article for these instructions, here.


Well, that’s it for part 1; you have now set up your system for secure remote access through IP whitelist and dynamic portal only. As always, feel free to comment below with any questions or issues you have along the way. My team and I are always available to help our Vicidial community secure themselves against the threats today's world brings, such as BazarCall malware, Ryuk and Conti ransomware and other cyber threats that directly target the telecommunications industry. Please protect yourself accordingly; if you need help with this, please fill out the form below for a FREE security audit or if you need some technical assistance on your servers.



Well, that’s it from us here at CyburDial for today, but please stay tuned for Part 2 of this series which will cover adding in other servers for a cluster type environment and how to allow access only to certain services on each server that are needed for communication between the cluster such as MySQL.

I hope this helps.

-Nox

How to – Scratch install instructions for Vicidial on OpenSuSE Leap 15.3 with Asterisk 16.17.0


So, I have decided to write up scratch install instructions for Vicidial on OpenSuSE Leap 15.3 with Asterisk 16.17.0 instead of Asterisk 13, and wanted to share the instructions step by step. I have not tested this yet.

zypper ar http://download.opensuse.org/distribution/leap/15.3/repo/oss/ openSUSE-Leap-15.3-Oss
zypper ar http://download.opensuse.org/repositories/devel:/languages:/perl/openSUSE_Leap_15.3/ openSUSE-Leap-15.3-PERL
zypper ar http://download.opensuse.org/repositories/server:/php:/applications/openSUSE_Leap_15.3/ openSUSE-Leap-15.3-PHP-Applications
zypper ar http://download.opensuse.org/update/leap/15.3/oss/ openSUSE-Leap-15.3-Update
zypper ar https://download.opensuse.org/repositories/home:vicidial:asterisk-13/openSUSE_Leap_15.3/home:vicidial:asterisk-13.repo
zypper ar https://download.opensuse.org/repositories/home:/vicidial/openSUSE_Leap_15.3/home:vicidial.repo
zypper ar https://download.opensuse.org/repositories/home:/vicidial:/vicibox/openSUSE_Leap_15.3/home:vicidial:vicibox.repo
zypper ar https://download.opensuse.org/repositories/home:/zippy:/jx:/packages-ready/openSUSE_Leap_15.3/ home_zippy_jx_packages-ready
zypper addrepo https://download.opensuse.org/repositories/devel:languages:python:Factory/openSUSE_Leap_15.3/devel:languages:python:Factory.repo



zypper ref
zypper up
zypper in dahdi*
zypper in libpri*
zypper in libedit*
zypper in net-snmp*
zypper in libjansson4*

zypper install sqlite3-devel mariadb-server mariadb make patch gcc gcc-c++ subversion php php-devel php-gd gd-devel php-mbstring php-mcrypt php-imap php-ldap php-mysql php-odbc php-pear php-xml php-xmlrpc curl curl-devel perl-libwww-perl ImageMagick libxml2 libxml2-devel httpd libpcap libpcap-devel libnet ncurses ncurses-devel screen mysql-devel ntp mutt wget nano unzip sipsak sox libuuid-devel httpd php-common php-pdo mod_ssl perl-DBI perl-DBD-MySQL perl-Digest-HMAC perl-YAML perl-ExtUtils-ParseXS perl-NetAddr-IP perl-Crypt-SSLeay perl-Curses perl-DBD-Pg perl-Module-ScanDeps perl-Text-CSV perl-HTML-Template perl-IO-Compress perl-Text-Glob perl-Jcode perl-Test-Script perl-Archive-Tar perl-Test-Base perl-OLE-Storage_Lite perl-Archive-Zip perl-Net-Server perl-Convert-ASN1 perl perl-Compress-Raw-Zlib perl-Digest-SHA1 perl-Data-Dumper perl-Error perl-ExtUtils-CBuilder perl-Test-Tester perl-Parse-RecDescent perl-Spiffy perl-IO-Zlib perl-Module-Build perl-HTML-Parser perl-Net-SSLeay perl-Proc-ProcessTable perl-TermReadKey perl-Term-ReadLine-Gnu perl-Digest-SHA perl-Tk perl-Net-SNMP perl-Test-NoWarnings perl-XML-Writer perl-Proc-PID-File perl-Compress-Raw-Bzip2 perl-libwww-perl perl-XML-Parser perl-File-Remove perl-Parse-CPAN-Meta perl-Set-Scalar perl-Probe-Perl perl-File-Which perl-Package-Constants perl-Module-Install perl-File-HomeDir perl-Spreadsheet-ParseExcel perl-Mail-Sendmail perl-Spreadsheet-XLSX asterisk-perl perl-version perl-Crypt-DES perl-URI perl-Net-Daemon perl-IO-stringy perl-YAML-Tiny perl-HTML-Tagset perl-Socket6 perl-BSD-Resource perl-IPC-Run3 perl-Text-CSV_XS perl-Unicode-Map perl-Net-Telnet perl-PAR-Dist perl-Date-Manip perl-JSON perl-rrdtool lame screen iftop htop perl-GD gcc gcc-c++ bzip2 make libjansson-devel dahdi-linux-devel libxml2-tools libxml2-2 libxml2-devel libuuid-devel sqlite3-devel



perl -MCPAN -e 'my $c = "CPAN::HandleConfig"; $c->load(doit => 1, autoconfig => 1); $c->edit(prerequisites_policy => "follow"); $c->edit(build_requires_install_policy => "yes"); $c->commit'

cpan -i String::CRC Tk::TableMatrix Net::Address::IP::Local Term::ReadLine::Gnu Spreadsheet::Read Net::Address::IPv4::Local RPM::Specfile Spreadsheet::XLSX Spreadsheet::ReadSXC MD5 Digest::MD5 Digest::SHA1 Bundle::CPAN Pod::Usage Getopt::Long DBI DBD::mysql Net::Telnet Time::HiRes Net::Server Mail::Sendmail Unicode::Map Jcode Spreadsheet::WriteExcel OLE::Storage_Lite Proc::ProcessTable IO::Scalar Scalar::Util Spreadsheet::ParseExcel Archive::Zip Compress::Raw::Zlib Spreadsheet::XLSX Test::Tester Spreadsheet::ReadSXC Text::CSV Test::NoWarnings Text::CSV_PP File::Temp Text::CSV_XS Spreadsheet::Read LWP::UserAgent HTML::Entities HTML::Strip HTML::FormatText HTML::TreeBuilder Switch Time::Local MIME::POP3Client Mail::IMAPClient Mail::Message IO::Socket::SSL readline 

cd /usr/bin/
curl -LOk http://xrl.us/cpanm
chmod +x cpanm
cpanm -f File::Which
cpanm -f File::HomeDir
cpanm CPAN::Meta::Requirements
cpanm -f CPAN
cpanm -f DBD::mysql
cpanm User::Identity --force
cpanm YAML MD5 Digest::MD5 Digest::SHA1 Curses Getopt::Long Net::Domain Term::ReadKey Term::ANSIColor HTML::FormatText MIME::Decoder Mail::POP3Client Mail::Message Crypt::Eksblowfish::Bcrypt

### Make Swap ###
mkdir -p /var/lib/swap
### 4 GiB swap file (the original line read bs=4G count=4096, which is 16 TiB and will fill the disk)
dd if=/dev/zero of=/var/lib/swap/swapfile bs=1M count=4096
### a swap file must not be readable by other users; mkswap/swapon warn on anything but 0600
chmod 600 /var/lib/swap/swapfile
mkswap /var/lib/swap/swapfile
swapon /var/lib/swap/swapfile
cat /proc/swaps
nano /etc/fstab
paste this: /var/lib/swap/swapfile swap swap defaults 0 0
save and exit

### Create DB & Cron user
### '1234' is a placeholder password: pick a strong one and give install.pl the same value when it asks for the database password
mysql
CREATE DATABASE `asterisk` DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci;
CREATE USER 'cron'@'localhost' IDENTIFIED BY '1234';
GRANT SELECT,INSERT,UPDATE,DELETE,LOCK TABLES on asterisk.* TO cron@'%' IDENTIFIED BY '1234';
GRANT SELECT,INSERT,UPDATE,DELETE,LOCK TABLES on asterisk.* TO cron@localhost IDENTIFIED BY '1234';
GRANT RELOAD ON *.* TO cron@'%';
GRANT RELOAD ON *.* TO cron@localhost;
flush privileges;
exit
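The database step above creates the `cron` user with the password `1234` and grants it access from any host (`cron@'%'`), so any machine that can reach port 3306 may try that account. As an added example (not part of the guide), the Python helper below emits the same statements with a random password and an explicit client host, and its checker flags those two settings in an existing SQL script; the host `10.0.0.5` in the usage is a placeholder, the `CREATE USER IF NOT EXISTS` form assumes MariaDB 10.1 or later, and the sample input is the guide's own statements reproduced inline.

```python
"""Added example, not part of the install guide above.

cron_user_sql() builds the 'cron' database-user statements with a random
password and an explicit client host; weak_settings() scans an SQL script
for the two settings in the guide a defender would not ship: the
placeholder password '1234' and grants to cron@'%' (any host that can reach
port 3306 may try that account). MariaDB 10.1+ syntax is assumed.
"""
import re
import secrets
from typing import List, Optional

DEFAULT_CRON_PASSWORD = "1234"   # the guide's placeholder


def random_password(nbytes: int = 16) -> str:
    """Hex password of 2*nbytes characters: no SQL or shell quoting hazards."""
    return secrets.token_hex(nbytes)


def cron_user_sql(host: str = "localhost",
                  password: Optional[str] = None) -> List[str]:
    """Statements for 'cron'@host with the same grants the guide uses.

    Give install.pl the same password when it asks for the database
    password, otherwise the ViciDial scripts cannot log in.
    """
    pw = (password or random_password()).replace("'", "''")  # SQL-escape quotes
    return [
        "CREATE DATABASE IF NOT EXISTS `asterisk` "
        "DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci;",
        f"CREATE USER IF NOT EXISTS 'cron'@'{host}' IDENTIFIED BY '{pw}';",
        f"GRANT SELECT,INSERT,UPDATE,DELETE,LOCK TABLES ON asterisk.* TO 'cron'@'{host}';",
        f"GRANT RELOAD ON *.* TO 'cron'@'{host}';",
        "FLUSH PRIVILEGES;",
    ]


# (pattern, explanation) pairs checked against every line of a script
WEAK_CHECKS = [
    (re.compile(r"IDENTIFIED\s+BY\s+'" + re.escape(DEFAULT_CRON_PASSWORD) + r"'", re.I),
     f"placeholder password '{DEFAULT_CRON_PASSWORD}'"),
    (re.compile(r"cron'?@'%'", re.I),
     "cron account reachable from any host ('%')"),
]


def weak_settings(sql_script: str) -> List[str]:
    """Return 'line N: reason' for every weak setting found."""
    findings = []
    for lineno, line in enumerate(sql_script.splitlines(), 1):
        for pattern, why in WEAK_CHECKS:
            if pattern.search(line):
                findings.append(f"line {lineno}: {why}")
    return findings


# The guide's own statements, reproduced here as the sample input.
GUIDE_SQL = """\
CREATE DATABASE `asterisk` DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci;
CREATE USER 'cron'@'localhost' IDENTIFIED BY '1234';
GRANT SELECT,INSERT,UPDATE,DELETE,LOCK TABLES on asterisk.* TO cron@'%' IDENTIFIED BY '1234';
GRANT SELECT,INSERT,UPDATE,DELETE,LOCK TABLES on asterisk.* TO cron@localhost IDENTIFIED BY '1234';
GRANT RELOAD ON *.* TO cron@'%';
GRANT RELOAD ON *.* TO cron@localhost;
flush privileges;
"""

if __name__ == "__main__":
    for finding in weak_settings(GUIDE_SQL):
        print("guide:", finding)
    # 10.0.0.5 is a placeholder for the host the cron scripts run on
    print("\n".join(cron_user_sql("10.0.0.5")))
```

Run it once to see the five findings in the guide's script, then feed the generated statements to `mysql` instead of typing the originals. On a single-server install the host can stay `localhost`; only give a remote address when the ViciDial scripts really run on another box.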

### Install Asterisk 16 ###
mkdir /usr/src/asterisk
cd /usr/src/asterisk
wget http://download.vicidial.com/beta-apps/asterisk-16.17.0-vici.tar.gz
tar -xzvf asterisk-16.17.0-vici.tar.gz
### the tarball extracts into a directory of the same name; adjust if yours differs
cd asterisk-16.17.0-vici
./configure --libdir=/usr/lib64 --with-pjproject-bundled --with-jansson-bundled
rm menuselect.makeopts
make menuselect
**** Go down one to applications and hit enter, go down until you find the "meetme" app and press space bar, then hit "X" ****
make && make install && make samples && make config && make basic-pbx
/usr/share/astguiclient/start_asterisk_boot.pl

mkdir /usr/src/astguiclient
cd /usr/src/astguiclient
svn checkout svn://svn.eflo.net:3690/agc_2-X/trunk

mysql
SET GLOBAL connect_timeout=60;
use asterisk;
\. /usr/src/astguiclient/trunk/extras/MySQL_AST_CREATE_tables.sql
\. /usr/src/astguiclient/trunk/extras/first_server_install.sql
ALTER TABLE phones ALTER template_id SET DEFAULT '';
\. /usr/src/astguiclient/trunk/extras/sip-iax_phones.sql
quit

/usr/src/astguiclient/trunk/install.pl
/usr/share/astguiclient/ADMIN_area_code_populate.pl
/usr/src/astguiclient/trunk/bin/ADMIN_update_server_ip.pl

nano /etc/rc.local

### paste this below: 

#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local

# OPTIONAL enable ip_relay(for same-machine trunking and blind monitoring)
/usr/share/astguiclient/ip_relay/relay_control start 2>/dev/null 1>&2

# Disable console blanking and powersaving
/usr/bin/setterm -blank
/usr/bin/setterm -powersave off
/usr/bin/setterm -powerdown

### start up the MySQL server
systemctl start mariadb.service
systemctl enable mariadb.service

### start up the apache web server
systemctl start apache2
systemctl enable apache2

### roll the Asterisk logs upon reboot
/usr/share/astguiclient/ADMIN_restart_roll_logs.pl

### clear the server-related records from the database
/usr/share/astguiclient/AST_reset_mysql_vars.pl

### load dahdi drivers
modprobe dahdi
/usr/sbin/dahdi_cfg -vvvvvvvvvvvvv

### sleep for 20 seconds before launching Asterisk
sleep 20

### start up asterisk
/usr/share/astguiclient/start_asterisk_boot.pl


############## END PASTE HERE ##################


crontab -e

### paste below:

### recording mixing/compressing/ftping scripts
#0,3,6,9,12,15,18,21,24,27,30,33,36,39,42,45,48,51,54,57 * * * * /usr/share/astguiclient/AST_CRON_audio_1_move_mix.pl
0,3,6,9,12,15,18,21,24,27,30,33,36,39,42,45,48,51,54,57 * * * * /usr/share/astguiclient/AST_CRON_audio_1_move_mix.pl --MIX
0,3,6,9,12,15,18,21,24,27,30,33,36,39,42,45,48,51,54,57 * * * * /usr/share/astguiclient/AST_CRON_audio_1_move_VDonly.pl
1,4,7,10,13,16,19,22,25,28,31,34,37,40,43,46,49,52,55,58 * * * * /usr/share/astguiclient/AST_CRON_audio_2_compress.pl --GSM
#2,5,8,11,14,17,20,23,26,29,32,35,38,41,44,47,50,53,56,59 * * * * /usr/share/astguiclient/AST_CRON_audio_3_ftp.pl --GSM

### keepalive script for astguiclient processes
* * * * * /usr/share/astguiclient/ADMIN_keepalive_ALL.pl --cu3way

### kill Hangup script for Asterisk updaters
* * * * * /usr/share/astguiclient/AST_manager_kill_hung_congested.pl

### updater for voicemail
* * * * * /usr/share/astguiclient/AST_vm_update.pl

### updater for conference validator
* * * * * /usr/share/astguiclient/AST_conf_update.pl

### flush queue DB table every hour for entries older than 1 hour
11 * * * * /usr/share/astguiclient/AST_flush_DBqueue.pl -q

### fix the vicidial_agent_log once every hour and the full day run at night
33 * * * * /usr/share/astguiclient/AST_cleanup_agent_log.pl
50 0 * * * /usr/share/astguiclient/AST_cleanup_agent_log.pl --last-24hours
## uncomment below if using QueueMetrics
#*/5 * * * * /usr/share/astguiclient/AST_cleanup_agent_log.pl --only-qm-live-call-check

## uncomment below if using Vtiger
#1 1 * * * /usr/share/astguiclient/Vtiger_optimize_all_tables.pl --quiet

### updater for VICIDIAL hopper
* * * * * /usr/share/astguiclient/AST_VDhopper.pl -q

### adjust the GMT offset for the leads in the vicidial_list table
1 1,7 * * * /usr/share/astguiclient/ADMIN_adjust_GMTnow_on_leads.pl --debug

### reset several temporary-info tables in the database
2 1 * * * /usr/share/astguiclient/AST_reset_mysql_vars.pl

### optimize the database tables within the asterisk database
3 1 * * * /usr/share/astguiclient/AST_DB_optimize.pl

## adjust time on the server with ntp
30 * * * * /usr/sbin/ntpdate -u pool.ntp.org 2>/dev/null 1>&2

### VICIDIAL agent time log weekly and daily summary report generation
2 0 * * 0 /usr/share/astguiclient/AST_agent_week.pl
22 0 * * * /usr/share/astguiclient/AST_agent_day.pl

### VICIDIAL campaign export scripts (OPTIONAL)
#32 0 * * * /usr/share/astguiclient/AST_VDsales_export.pl
#42 0 * * * /usr/share/astguiclient/AST_sourceID_summary_export.pl

### remove old recordings more than 7 days old
#24 0 * * * /usr/bin/find /var/spool/asterisk/monitorDONE -maxdepth 2 -type f -mtime +7 -print | xargs rm -f

### roll logs monthly on high-volume dialing systems
#30 1 1 * * /usr/share/astguiclient/ADMIN_archive_log_tables.pl

### remove old vicidial logs and asterisk logs more than 2 days old
28 0 * * * /usr/bin/find /var/log/astguiclient -maxdepth 1 -type f -mtime +2 -print | xargs rm -f
29 0 * * * /usr/bin/find /var/log/asterisk -maxdepth 3 -type f -mtime +2 -print | xargs rm -f
30 0 * * * /usr/bin/find / -maxdepth 1 -name "screenlog.0*" -mtime +4 -print | xargs rm -f

### cleanup of the scheduled callback records
25 0 * * * /usr/share/astguiclient/AST_DB_dead_cb_purge.pl --purge-non-cb -q

### GMT adjust script - uncomment to enable
#45 0 * * * /usr/share/astguiclient/ADMIN_adjust_GMTnow_on_leads.pl --list-settings

### Dialer Inventory Report
1 7 * * * /usr/share/astguiclient/AST_dialer_inventory_snapshot.pl -q --override-24hours

### inbound email parser
* * * * * /usr/share/astguiclient/AST_inbound_email_parser.pl



################ END PASTE HERE ####################

a2enmod ssl
a2enflag SSL

reboot

go to http://127.0.0.1/vicidial/admin.php


Enjoy!!

-CarpeNox

BazarLoader used to deploy Ryuk ransomware on high-value targets

BazarLoader


Trojan Horse malware

The TrickBot gang operators are increasingly targeting high-value targets with the new stealthy BazarLoader trojan before deploying the Ryuk ransomware.

For years, the TrickBot gang has been using their trojan to compromise enterprise networks by downloading different software modules used for specific behavior such as stealing passwords, spreading to other machines, or even stealing a domain’s Active Directory database.

As these modules have become heavily analyzed over time, security solutions have become better at detecting these modules before being utilized.

From TrickBot to BazarLoader

In April 2020, BleepingComputer reported that the TrickBot gang had started to use a new BazarLoader/BazarBackdoor infection in phishing attacks.

In a new report, Advanced Intel security researchers explain that instead of burning victims with the highly-detected TrickBot trojan, threat actors now favor BazarBackdoor as their tool of choice for high-value enterprise targets.

“BazarBackdoor remains the covert malware relying upon minimal functionality while on the host producing high-value long-term infections due to its simplicity and external operation dependency to exploit more information later.”

“In other words, the BazarBackdoor “blending-in” simplicity and obfuscation layer allows the payload to be a better choice for high-value targets,” Kremez told BleepingComputer in a conversation about their report.

A BazarLoader compromise starts with a targeted phishing attack, as shown by a phishing email received by BleepingComputer in April.

[Image: BazarLoader phishing attack]

After infecting a computer, BazarLoader will use process hollowing to inject the BazarBackdoor component into legitimate Windows processes such as cmd.exe, explorer.exe, and svchost.exe. A scheduled task is created to load BazarLoader every time a user logs into the system.
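The logon-time scheduled task described above is a persistence pattern a defender can look for in exported task definitions. The following Python script is an added example, not from the article or from Advanced Intel: it parses Task Scheduler XML (the format Windows keeps under `C:\Windows\System32\Tasks` and that `schtasks /query /tn <name> /xml` exports) and reports tasks that run at logon from a user-writable directory. The two task definitions and the list of user-writable prefixes are constructed for the example; the article names no task or path.

```python
"""Added example, not from the article.

Flags Task Scheduler definitions that run a program from a user-writable
directory every time a user logs on, the persistence pattern described above.
Input is the task XML that Windows keeps under C:\\Windows\\System32\\Tasks
and that `schtasks /query /tn <name> /xml` exports. The sample tasks and the
writable-directory list are constructed for this example.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Namespace of Task Scheduler task definitions
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Prefixes a standard user can write to (an assumption of this example;
# extend for your estate). Compared against the lower-cased program path.
USER_WRITABLE_PREFIXES = (
    "c:\\users\\", "%userprofile%", "%appdata%", "%localappdata%",
    "%temp%", "%tmp%", "c:\\programdata\\", "c:\\windows\\temp\\",
)


def exec_commands(task_xml: str) -> List[str]:
    """Program paths of every <Exec> action, unquoted and lower-cased."""
    root = ET.fromstring(task_xml)
    cmds = []
    for action in root.findall("t:Actions/t:Exec", NS):
        cmd = action.findtext("t:Command", default="", namespaces=NS)
        cmds.append(cmd.strip().strip('"').lower())
    return cmds


def task_findings(task_xml: str) -> List[str]:
    """Reasons to look at a task; an empty list means nothing to report.

    A task is reported only when it has a <LogonTrigger> AND an <Exec> whose
    program lives under a user-writable prefix. A logon trigger alone is
    normal for plenty of legitimate software.
    """
    root = ET.fromstring(task_xml)
    if root.find("t:Triggers/t:LogonTrigger", NS) is None:
        return []
    return [f"logon-triggered task runs from user-writable path: {cmd}"
            for cmd in exec_commands(task_xml)
            if cmd.startswith(USER_WRITABLE_PREFIXES)]


def scan_tasks(tasks: Dict[str, str]) -> Dict[str, List[str]]:
    """Map task name -> findings, keeping only tasks that have at least one."""
    report = {}
    for name, xml in tasks.items():
        findings = task_findings(xml)
        if findings:
            report[name] = findings
    return report


# Constructed samples (not real task names or paths from the article)
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>"C:\Users\jdoe\AppData\Roaming\SampleUpdater\upd.exe"</Command></Exec>
  </Actions>
</Task>"""

BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2021-01-01T03:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Windows\System32\cleanmgr.exe</Command><Arguments>/sagerun:1</Arguments></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for name, reasons in scan_tasks({"SampleUpdater": SUSPICIOUS_TASK,
                                     "DiskCleanup": BENIGN_TASK}).items():
        print(name, "->", "; ".join(reasons))
```

The check is deliberately narrow: a logon trigger by itself is common, and a program under `C:\Users` by itself is common, but the combination is what the article describes and is rare on a managed corporate workstation. Feed it every file under `C:\Windows\System32\Tasks` (or the output of `schtasks` for each task) and review whatever it returns rather than treating a hit as proof of infection.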

[Image: BazarLoader scheduled task]

Eventually, BazarBackdoor will deploy a Cobalt Strike beacon, which provides remote access to threat actors who install post-exploitation tools such as BloodHound and Lasagne for mapping a Windows domain and extracting credentials.

Ultimately, the attack leads to the threat actors deploying Ryuk ransomware across the entire network and demanding massive ransoms.

[Image: BazarBackdoor attack flow]
Source: Advanced Intel

Even with this increase in utilization, Kremez believes that BazarLoader will be reserved for select targets, as BazarBackdoor requires a significantly larger amount of hands-on human operation.

“The downside of hunting with BazarBackdoor is that it requires an expensive exploitation operation to pivot from the infections,” Kremez explained.

For mass-distribution, we should continue to see TrickBot utilized for network compromise.


Check out our FREE security audit to see if you are a victim.

What is BazarCall malware?

BazarCall


Answer: Malware targeting VoIP servers. Read on.

For the past two months, security researchers have been waging an online battle against a new ‘BazarCall’ malware that uses call centers to distribute some of the most damaging Windows malware.

The new malware was discovered being distributed by call centers in late January and is named BazarCall, or BazaCall, as the threat actors initially used it to install the BazarLoader malware.

While other malware is now being distributed, researchers continue to identify the distribution campaign as BazarCall.

Like many malware campaigns, BazarCall starts with a phishing email but from there deviates to a novel distribution method – using phone call centers to distribute malicious Excel documents that install malware.

Instead of bundling attachments with the email, BazarCall emails prompt users to call a phone number to cancel a subscription before they are automatically charged. These call centers would then direct users to a specially crafted website to download a “cancellation form” that installs the BazarCall malware.

BazarCall: From phishing emails to call centers

BazarCall attacks all start with a phishing email targeting corporate users that states the recipient’s free trial is about to run out. However, these emails do not provide any details regarding the alleged subscription.

The emails then prompt the user to contact a listed phone number to cancel the subscription before they are charged $69.99 to $89.99 for a renewal, as shown in the example BazarCall phishing email below.

[Image: Example BazarCall email]

While the bulk of the emails seen by BleepingComputer have been from a fictitious company named “Medical reminder service, Inc.”, the emails have also used other fake company names such as ‘iMed Service, Inc.’, ‘Blue Cart Service, Inc.’, and ‘iMers, Inc.’  

These emails all use similar subjects such as “Thank you for using your free trial” or “Your free trial period is almost over!” Security researcher ExecuteMalware has compiled a more extensive list of email subjects used by this attack.

When a recipient calls the listed phone number, they will be placed on a short hold and then be greeted by a live person. When asked for more information or how to cancel the subscription, the call center agent asks the victim for a unique customer ID enclosed in the email.

Randy Pargman, Vice President of Threat Hunting & Counterintelligence at Binary Defense, told BleepingComputer that this unique customer ID is a core component of the attack and is used by the call center to determine if the caller is a targeted victim.

“They will be able to identify the company that got that email when you give them a valid customer number on the phone. But if you give them a wrong number they will just tell you that they canceled your order and it’s all good without sending you to the website,” Pargman told BleepingComputer in a conversation about BazarCall.

If a correct customer ID is given, the call center agent will direct the user to a fake website that pretends to be the associated medical services company. The phone agent will stay on the phone with the victim and guide them to a cancellation page where they are prompted to enter their customer ID, as shown below.

[Image: BazarCall distribution site]
Source: Brad Duncan

When the user enters their customer ID number, the website will automatically prompt the browser to download an Excel document (xls or xlsb). The call center agent will then help the victim open the file and click the ‘Enable Content’ button, which enables the malicious macros.

In some calls conducted by Pargman, the threat actors instructed him to disable antivirus to prevent the malicious documents from being detected.

[Image: Malicious BazarCall Excel document]

When the Excel macros are enabled, the BazarCall malware will be downloaded and executed on the victim’s computer.

When the BazarCall campaign first started, it was used to distribute the BazarLoader malware but has also begun distributing TrickBot, IcedID, Gozi IFSB, and other malware. 

These Windows infections are particularly dangerous as they provide remote access to compromised corporate networks where the threat actors spread laterally through the network to steal data or deploy ransomware.

Threat actors use BazarLoader and Trickbot to deploy the Ryuk or Conti ransomware, while IcedID has been used in the past to deploy the now-defunct Maze and Egregor ransomware infections.

Security researcher Brad Duncan has shared a video illustrating a call into the threat actor’s call center and its distribution of malicious documents to unsuspecting victims. https://www.youtube.com/embed/uAkeXCYcl4Y

BazarCall: Deployed via a Distribution-as-a-Service

While BazarLoader and the TrickBot infections are believed to be created by the same ‘TrickBot’ hacking group, the other distributed infections are not related to these threat actors.

Due to this, Pargman has told BleepingComputer that he believes that another threat actor group is running the call centers and renting out distribution as a Distribution-as-a-Service.

“My belief is that this is a distro as a service and that UNC1878 is probably a customer of theirs,” Pargman explained.

This belief is echoed by Cryptolaemus security researcher Joseph Roosen who told BleepingComputer that the distribution service is run like a regular company, keeping strict Monday through Friday business hours.

BleepingComputer’s efforts to contact the call center over the past four days have been unsuccessful due to the constantly changing infrastructure used by the threat actors.

Due to the efforts of researchers such as Pargman, Roosen, Duncan, William Thomas of Cyjax, TheAnalyst, and ExecuteMalware, and many others, the distribution service has been forced to constantly change their phone numbers and hosting sites as the researchers take them down. 

Unfortunately, even with the cybersecurity community’s combined efforts, this distribution method has been very successful.

Because of this distribution method, the malware samples commonly have very low detection rates on VirusTotal: they are not publicly distributed, so antivirus vendors have not yet seen and detected them.

Furthermore, from emails seen by BleepingComputer, people are falling for this scam as they believe they are legitimate subscriptions that need to be canceled.


For this reason, we here at Cyburity would like to offer our services free of charge to anyone affected by this malware, BazarCall, so we can track down their command centers and disable them as well as remediate any threat actors from your server. If you have been affected or would like to have a free security audit to see if you have been, please schedule a FREE security audit. By working together, we can break down these hacking groups to make it where they move on from this scam to something else, because they will.

-Nox