2021-06-21 (MONDAY) - BAZARCALL (BAZACALL) CAMPAIGN PUSHES BAZARLOADER (BAZALOADER)
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2021-06-21-BazarCall-to-BazarLoader-IOCs.txt.zip 1.2 kB (1,176 bytes)
- 2021-06-21-BazarCall-to-BazarLoader-traffic.pcap.zip 5.0 MB (4,959,360 bytes)
- 2021-06-21-BazarLoader-malware.zip 719 kB (718,746 bytes)
NOTES:
- This is a continuation of the BazarCall campaign I wrote about here, except Campo Loader is no longer used in the chain of events.
IMAGES:
Shown above: Fake website used to distribute malicious Excel spreadsheet.
Shown above: Page to use a subscription number from a malicious email to "sign in" to the site.
Shown above: "Cancelling" the subscription will return a malicious spreadsheet.
Shown above: Screenshot of the malicious spreadsheet.
Shown above: Traffic from the infection filtered in Wireshark.