2021-11-24 (WEDNESDAY) - "GIGI" CAMPAIGN PUSHES BAZARLOADER, LEADS TO ICEDID

ASSOCIATED FILES:

NOTES:

IMAGES

Shown above:  Screenshot from an email from this campaign.

Shown above:  Link in the email led to a OneDrive URL hosting malware.

Shown above:  Use the password from the email to access and open the VBS file.

Shown above:  The VBS file eventually dropped a BazarLoader DLL with a .mpeg file extension.

Shown above:  Process Hacker showed "gigi" as the entry point for the BazarLoader DLL.
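The two captions above carry the practical point of this sample: the loader is a DLL that is saved with a .mpeg extension and started through a named export ("gigi"). The file extension tells an analyst nothing; the export table does. The script below is an added example, not code from the original page or from the BazarLoader campaign: a standard-library-only parser that walks the PE headers and export directory of any file, so the export name a loader needs can be read without executing the sample. The function names (`list_exports`, `export_names`, `build_sample_dll`) are my own, and `build_sample_dll` builds a constructed, non-executable PE32+ image with the export names you pass it so the parser can be exercised offline; it stands in for the real .mpeg file, which is not reproduced here.

```python
"""Enumerate the export table of a PE file regardless of its file extension.
Added example (not from the original page); build_sample_dll() constructs a
fake PE32+ image for offline testing and is not the campaign's binary."""
import struct
import sys


def _rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset via the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not mapped by any section" % rva)


def _cstring(data, offset):
    end = data.index(b"\x00", offset)
    return data[offset:end].decode("ascii", "replace")


def list_exports(data):
    """Return [(ordinal, name_or_None, rva), ...] for every populated export slot."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = pe + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: data directories start 96 bytes into the optional header
        dd = opt + 96
    elif magic == 0x20B:      # PE32+: 112 bytes in
        dd = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    export_rva, export_size = struct.unpack_from("<II", data, dd)  # directory entry 0 = exports
    sections = []
    hdr = opt + opt_size
    for _ in range(nsections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
        hdr += 40
    if export_rva == 0:
        return []
    ed = _rva_to_offset(export_rva, sections)
    base, nfuncs, nnames, funcs_rva, names_rva, ords_rva = struct.unpack_from("<6I", data, ed + 16)
    if nfuncs == 0:
        return []
    func_rvas = struct.unpack_from("<%dI" % nfuncs, data, _rva_to_offset(funcs_rva, sections))
    names = {}  # unbiased ordinal -> export name
    if nnames:
        name_rvas = struct.unpack_from("<%dI" % nnames, data, _rva_to_offset(names_rva, sections))
        ordinals = struct.unpack_from("<%dH" % nnames, data, _rva_to_offset(ords_rva, sections))
        for name_rva, idx in zip(name_rvas, ordinals):
            names[idx] = _cstring(data, _rva_to_offset(name_rva, sections))
    # Slots with RVA 0 are unused; an RVA inside the export directory itself would be a
    # forwarder string rather than code (not distinguished here).
    return [(base + i, names.get(i), rva) for i, rva in enumerate(func_rvas) if rva]


def export_names(data):
    """Just the named exports, in export-table order (e.g. the name a loader would call)."""
    return [name for _, name, _ in list_exports(data) if name]


def build_sample_dll(names):
    """Constructed sample: minimal PE32+ with one section holding an export table.
    Headers and export directory only; there is no code, so it cannot run."""
    sec_rva, sec_raw, n = 0x1000, 0x400, len(names)
    funcs_rva = sec_rva + 40
    names_rva = funcs_rva + 4 * n
    ords_rva = names_rva + 4 * n
    strings_rva = ords_rva + 2 * n
    blob, name_rvas = b"", []
    for nm in names:
        name_rvas.append(strings_rva + len(blob))
        blob += nm.encode() + b"\x00"
    dll_name_rva = strings_rva + len(blob)
    blob += b"sample.dll\x00"
    export_dir = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, dll_name_rva, 1, n, n,
                             funcs_rva, names_rva, ords_rva)
    section = (export_dir
               + struct.pack("<%dI" % n, *[0x2000 + 0x10 * i for i in range(n)])  # fake code RVAs
               + struct.pack("<%dI" % n, *name_rvas)
               + struct.pack("<%dH" % n, *range(n))
               + blob)
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                          # PE32+ magic
    struct.pack_into("<II", opt, 112, sec_rva, len(section))       # export data directory
    sec_hdr = b".rdata".ljust(8, b"\x00") + struct.pack(
        "<IIIIIIHHI", len(section), sec_rva, len(section), sec_raw, 0, 0, 0, 0, 0x40000040)
    return bytes(dos + coff + opt + sec_hdr).ljust(sec_raw, b"\x00") + section


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_dll(["gigi"])
    for ordinal, name, rva in list_exports(blob):
        print("ordinal %-4d name %-24s rva 0x%x" % (ordinal, name or "(none)", rva))
```

Run it as `python pe_exports.py dropped.mpeg` (the file name is whatever the VBS wrote to disk) on an analysis host; it never loads or executes the file, it only reads the headers. An export name such as "gigi" is the argument a rundll32-style loader needs to start the DLL, so seeing it in the export table of a file with a media extension is itself a useful triage signal, independent of what the extension claims the file is.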

Shown above:  Traffic from the infection filtered in Wireshark.
