2021-06-15 (WEDNESDAY) - QUICK POST: BAZARCALL (BAZACALL) CAMPAIGN PUSHES BAZARLOADER (BAZALOADER)

ASSOCIATED FILES:

NOTES:

IMAGES


Shown above:  Fake website used to distribute malicious Excel spreadsheet.

Shown above:  Using a subscription number from a malicious email to "sign in" to the site.

Shown above:  Account information for the intended victim, all fake information (and blurred out in this image).

Shown above:  "Cancelling" the subscription will return a malicious spreadsheet.

Shown above:  Screenshot of the malicious spreadsheet.

Shown above:  Traffic from an infection filtered in Wireshark.

Shown above:  A copy of certutil.exe is used to retrieve a DLL for BazarLoader.  This is the first URL it generates.

Shown above:  Note the User-Agent: Microsoft-CryptoAPI/10.0, because a copy of certutil.exe is used to retrieve the BazarLoader DLL.
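The User-Agent detail above is a useful hunting lead, but Microsoft-CryptoAPI/10.0 is also what Windows sends for ordinary CRL and OCSP fetches, so matching on the User-Agent alone is noisy. Below is an added detection example (not from the original post) that parses a constructed proxy-log format and flags only CryptoAPI-tagged requests that return executable-looking content; the log format, the sample lines and the content-type lists are all assumptions for the example.

```python
import re

# Constructed proxy-log sample (not from the original post). Assumed format:
# <timestamp> <client_ip> <method> <url> <status> <content-type> "<user-agent>"
SAMPLE_LOG = """
2021-06-15T13:01:02Z 10.0.0.25 GET http://crl.example.net/pki/root.crl 200 application/pkix-crl "Microsoft-CryptoAPI/10.0"
2021-06-15T13:02:10Z 10.0.0.25 GET http://203.0.113.7/download/update.dll 200 application/x-msdownload "Microsoft-CryptoAPI/10.0"
2021-06-15T13:02:11Z 10.0.0.25 GET http://ocsp.example.net/MFEwTzBN 200 application/ocsp-response "Microsoft-CryptoAPI/10.0"
2021-06-15T13:02:40Z 10.0.0.25 GET http://203.0.113.7/api/v2/data 200 application/octet-stream "Microsoft-CryptoAPI/10.0"
2021-06-15T13:03:00Z 10.0.0.31 GET http://203.0.113.7/loader.bin 200 application/octet-stream "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) (?P<ctype>\S+) "(?P<ua>[^"]*)"$'
)

CRYPTOAPI_UA_PREFIX = "Microsoft-CryptoAPI/"
# Content types the OS legitimately fetches with this User-Agent (CRLs, OCSP
# responses, certificates); a bare User-Agent match would fire on all of these.
BENIGN_CTYPES = {"application/pkix-crl", "application/ocsp-response",
                 "application/pkix-cert", "application/x-x509-ca-cert"}
# Content types and URL shapes that a CRL/OCSP fetch should never produce.
BINARY_CTYPES = {"application/x-msdownload", "application/octet-stream"}
BINARY_EXT = re.compile(r"\.(dll|exe|bin|dat)(\?|$)", re.IGNORECASE)


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_suspicious_cryptoapi_fetch(rec):
    """True when the CryptoAPI User-Agent retrieves something that is not PKI data."""
    if not rec["ua"].startswith(CRYPTOAPI_UA_PREFIX):
        return False
    if rec["ctype"] in BENIGN_CTYPES:
        return False  # normal certificate-validation traffic
    return rec["ctype"] in BINARY_CTYPES or bool(BINARY_EXT.search(rec["url"]))


def find_suspicious(log_text):
    """Return the parsed records worth triaging, in log order."""
    return [rec for rec in map(parse_line, log_text.splitlines())
            if rec and is_suspicious_cryptoapi_fetch(rec)]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} -> {hit['url']} ({hit['ctype']})")
```

On the constructed sample this returns only the two CryptoAPI-tagged requests for a DLL and for an octet-stream blob, while the CRL, OCSP and browser-initiated lines are left alone.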

Shown above:  Artifacts seen on the Windows host infected with BazarLoader.