BazarBackdoor malware has been discovered abusing a Microsoft Windows 10 app feature to target its victims. The attack was spotted when Sophos Labs’s own employees were targeted via spam emails using typical social engineering tricks.

What happened?

Attackers sent an email purporting to come from a “Sophos Main Manager Assistant” with the fictional name Adam Williams.
  • The email asks why the recipient hasn’t responded to a customer’s complaint and asks them to call back.
  • The email also includes a link to a PDF file that would supposedly help them resolve the customer’s complaint. However, the link points to pages that eventually download the BazarBackdoor malware.
  • The attackers are using a new and unusual technique in which the Windows 10 App installer process (AppInstaller[.]exe) is abused to spread malicious payloads.

How does the attack work?

The phishing lure directs victims to a website that asks them to click a button to preview a ‘.PDF’ file. However, hovering over the link shows that its URL starts with the prefix ms-appinstaller.
  • When the victim clicks on the link, the URL triggers the browser to invoke a tool used by the Windows Store application (AppInstaller[.]exe) to download/run anything available on the other end of the link.
  • In the recent attacks, the link points to a text file, Adobe[.]appinstaller, which directs recipients to a larger file (named Adobe_1.7.0.0_x64appbundle) hosted on another URL.
  • A warning prompt is displayed, along with a notice that the software is digitally signed with a certificate issued several months ago. 
  • Further, victims are requested to allow the installation of Adobe PDF Component. If they provide the permission, then within a few seconds, the BazarBackdoor malware is delivered and executed on the infected machine.
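
The two signals described above (a link that promises a document but uses the ms-appinstaller prefix, and a manifest that points to a package hosted elsewhere) can be checked mechanically. The following is an added example, not code from Sophos or from the original article; the `ms-appinstaller:?source=` link form and the manifest XML layout follow Microsoft's documented App Installer format, and all hosts, file names and publisher values are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

# Constructed samples: hosts, file names and publisher are placeholders, not IoCs.
SAMPLE_HTML = """<p>Complaint report attached.</p>
<a class="btn" href="ms-appinstaller:?source=https://files.example.test/d/Viewer.appinstaller">Preview PDF</a>
<a href="https://intranet.example.test/help.pdf">Help</a>"""

SAMPLE_MANIFEST = """<AppInstaller xmlns="http://schemas.microsoft.com/appx/appinstaller/2018"
    Version="1.0.0.0" Uri="https://files.example.test/d/Viewer.appinstaller">
  <MainBundle Name="Viewer" Publisher="CN=Placeholder" Version="1.0.0.0"
      Uri="https://cdn.example.net/pkg/Viewer_x64.appxbundle"/>
</AppInstaller>"""

LINK_RE = re.compile(r"""<a\b[^>]*?href\s*=\s*["'](ms-appinstaller:[^"']*)["'][^>]*>(.*?)</a>""",
                     re.I | re.S)
DOC_LURE_RE = re.compile(r"\b(pdf|docx?|xlsx?|invoice|preview)\b", re.I)

def find_appinstaller_links(html):
    """Return one dict per ms-appinstaller: link found in an email or page body."""
    hits = []
    for uri, text in LINK_RE.findall(html):
        # The handler takes the manifest location in the 'source' query parameter.
        source = parse_qs(uri.partition("?")[2]).get("source", [""])[0]
        label = re.sub(r"<[^>]+>", "", text).strip()
        hits.append({"source": source, "label": label,
                     # Link text promises a document, but the handler installs an app.
                     "document_lure": bool(DOC_LURE_RE.search(label))})
    return hits

def manifest_findings(xml_text):
    """List the packages an .appinstaller manifest would install and where they live."""
    root = ET.fromstring(xml_text)  # use a hardened parser (e.g. defusedxml) on untrusted input
    own_host = urlsplit(root.get("Uri", "")).hostname
    findings = []
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] in ("MainBundle", "MainPackage"):
            uri = el.get("Uri", "")
            findings.append({"package_uri": uri, "publisher": el.get("Publisher"),
                             "cross_host": urlsplit(uri).hostname != own_host})
    return findings

if __name__ == "__main__":
    for hit in find_appinstaller_links(SAMPLE_HTML):
        print("link:", hit)
    for finding in manifest_findings(SAMPLE_MANIFEST):
        print("manifest:", finding)
```

A hit with `document_lure` set, or a manifest finding with `cross_host` set, is a triage signal for a mail gateway or proxy-log review rather than proof of malice.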

Conclusion

BazarBackdoor is abusing the AppInstaller feature of Windows, which has been an uncommon target until now. Researchers believe that this incident may encourage more attackers to follow this direction. Therefore, organizations and security software vendors are advised to have adequate defenses in place to detect and stop such attacks.

Cyware Publisher
