BazarBackdoor Leverages Windows 10 App Feature to Infect Victims

What happened?

• The message in the email asks the potential victim why the recipient hadn’t responded to a customer’s complaint and asks them to call back. 
• Moreover, the email helpfully includes a link to a PDF file that would help them solve the customer’s complaint. However, the link points towards pages that eventually download the BazarBackdoor malware. 
• The attackers are using a new and unusual technique in which the Windows 10 App installer process (AppInstaller[.]exe) is abused to spread malicious payloads.

How does the attack work?

• When the victim clicks on the link, the URL triggers the browser to invoke a tool used by the Windows Store application (AppInstaller[.]exe) to download/run anything available on the other end of the link.
• In the recent attacks, the link is pointing at a text file, Adobe[.]appinstaller, which directs recipients to a larger file (named as Adobe_1.7.0.0_x64appbundle) hosted on another URL. 
• A warning prompt is displayed, along with a notice that the software is digitally signed with a certificate issued several months ago. 
• Further, victims are requested to allow the installation of Adobe PDF Component. If they provide the permission, then within a few seconds, the BazarBackdoor malware is delivered and executed on the infected machine.

Conclusion