2021-11-24 (WEDNESDAY) - "GIGI" CAMPAIGN PUSHES BAZARLOADER, LEADS TO ICEDID
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
NOTES:
- Calling this the "Gigi" campaign for BazarLoader, because "gigi" is the exported function name passed to rundll32 as the EntryPoint to run the BazarLoader DLL.
- In this case, the command to run the BazarLoader DLL is: rundll32 [filename],gigi (the dropped file used a .mpeg extension instead of .dll, so the DLL-type extension cannot be relied on for detection).
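The rundll32 invocation above is the most hunt-worthy artifact on this page. Below is an added example, not code from the original page or from the campaign analysis, that parses process-creation command lines (for instance from Sysmon Event ID 1 or EDR telemetry), extracts the module rundll32 was told to load and the export it was told to call, and flags two things: a module whose extension is not a normal DLL-type extension (this sample used .mpeg) and the export name "gigi". The hostnames, file paths and command lines in SAMPLE_EVENTS are constructed for the example; the watchlist of "expected" extensions is an assumption you should tune to your environment.

```python
"""Hunt rundll32 command lines for the 'gigi' BazarLoader pattern.

Added example (not from the original page). The sample events below are
constructed; only the 'gigi' export name and the .mpeg extension come from
the page.
"""
import re
from pathlib import PureWindowsPath

# Extensions rundll32 is normally handed in legitimate use. Anything else
# (.mpeg, .txt, .jpg, no extension at all) is worth a look. Assumption: tune per environment.
EXPECTED_MODULE_EXTS = {".dll", ".cpl", ".ocx", ".ax", ".drv"}

# Export names tied to this campaign (from the page). Treated here as a watchlist.
KNOWN_BAD_EXPORTS = {"gigi"}

# Matches:  [path\]rundll32[.exe] <module>,<export> [args]
# where <module> may be quoted (paths with spaces) or bare, and the comma may
# carry whitespace on either side. The rundll32 binary itself may be quoted
# and/or given with a full path.
RUNDLL32_RE = re.compile(
    r'^\s*"?(?:[A-Za-z]:\\[^"]*?\\)?rundll32(?:\.exe)?"?\s+'
    r'(?:"(?P<quoted>[^"]+)"|(?P<bare>[^,\s]+))\s*,\s*(?P<export>\S+)',
    re.IGNORECASE,
)


def parse_rundll32(cmdline):
    """Return (module_path, export_name) for a rundll32 command line, else None."""
    m = RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    module = m.group("quoted") or m.group("bare")
    return module, m.group("export")


def assess(cmdline):
    """Return a list of human-readable reasons the command line is suspicious (empty if clean)."""
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return []
    module, export = parsed
    reasons = []
    ext = PureWindowsPath(module).suffix.lower()
    if ext not in EXPECTED_MODULE_EXTS:
        reasons.append(f"module extension {ext or '(none)'} is not a DLL-type extension")
    if export.lower() in KNOWN_BAD_EXPORTS:
        reasons.append(f"export '{export}' matches known BazarLoader entrypoint")
    return reasons


def hunt(events):
    """events: iterable of (hostname, cmdline). Returns [(host, cmdline, reasons)] for hits only."""
    hits = []
    for host, cmdline in events:
        reasons = assess(cmdline)
        if reasons:
            hits.append((host, cmdline, reasons))
    return hits


# Constructed process-creation events: two benign rundll32 uses, two that mimic
# the campaign pattern, and one unrelated process.
SAMPLE_EVENTS = [
    ("WS01", r'C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL hotplug.dll'),
    ("WS01", r'rundll32.exe "C:\Users\alice\AppData\Local\Temp\Document.mpeg",gigi'),
    ("WS02", r'"C:\Windows\SysWOW64\rundll32.exe" C:\Users\bob\Downloads\vid.mpeg,Start'),
    ("WS02", r'rundll32.exe C:\Windows\System32\advpack.dll,LaunchINFSection setup.inf,DefaultInstall'),
    ("WS03", r'C:\Windows\explorer.exe'),
]

if __name__ == "__main__":
    for host, cmd, reasons in hunt(SAMPLE_EVENTS):
        print(f"[{host}] {cmd}")
        for r in reasons:
            print(f"    - {r}")
```

The extension check is the durable part of this rule: a renamed export costs the operator nothing, but dropping the loader with a media-file extension is what let the VBS stage blend in, and a DLL that rundll32 loads from a user-writable path with a non-DLL extension is rare in normal telemetry.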
ASSOCIATED FILES:
- 2021-11-24-IOCS-for-Gigi-BazarLoader-and-IcedID.txt.zip 2.1 kB (2,069 bytes)
- 2021-11-24-Gigi-BazarLoader-with-IcedID.pcap.zip 10.2 MB (10,178,589 bytes)
- 2021-11-24-Gigi-BazarLoader-and-IcedID-malware-and-artifacts.zip 2.7 MB (2,746,257 bytes)
IMAGES:
Shown above: Screenshot from an email from this campaign.
Shown above: Link in the email led to a OneDrive URL hosting malware.
Shown above: Use the password from the email to access and open the VBS file.
Shown above: The VBS file eventually dropped BazarLoader DLL with .mpeg file extension.
Shown above: Process Hacker showed "gigi" as entrypoint for BazarLoader DLL.
Shown above: Traffic from the infection filtered in Wireshark.