Windows 10’s App Installer feature is being abused to spread the BazarBackdoor malware. The attack came to light only after Sophos Labs’ own employees received targeted spam emails that relied on a basic level of social engineering, researchers said Thursday.
The email, purportedly from “Adam Williams”, a non-existent “Sophos Main Manager Assistant”, asked why a researcher had not responded to a customer’s complaint, and included a link to what it claimed was a PDF of the message.
Following that link is what exposed the malware’s “novel” deployment method.
Sophos says it is “unfamiliar” with this way of delivering a malicious payload through the Windows 10 App Installer process.
The phishing lure sends potential victims to a website that uses Adobe branding and asks them to click a button to preview the PDF. Hovering over the button shows that the link starts with the “ms-appinstaller:” prefix rather than http or https.
“In the course of running through an actual infection I realized that this construction of a URL triggers the browser [in my case, Microsoft’s Edge browser on Windows 10], to invoke a tool used by the Windows Store application, called AppInstaller.exe, to download and run whatever’s on the other end of that link,” Sophos researcher Andrew Brandt explained.
That link points to a small text file named Adobe.appinstaller (an XML manifest), which in turn points to a much larger file hosted at a different URL: an Adobe-branded 64-bit .appbundle package.
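The chain described above, an ms-appinstaller: link to an .appinstaller manifest that in turn names a package on another host, is easy to triage offline once the pieces are in hand. The following Python script is an added example, not Sophos’s code or anything recovered from the campaign: it extracts the manifest URL from the link, reads the package reference out of the manifest, and reports the signals a defender would act on. The phishing link, the manifest, the hostnames, the allow-list of package hosts and the brand list are all constructed for illustration.

```python
"""Offline triage of an ms-appinstaller: phishing chain (added example, not Sophos code)."""
from urllib.parse import parse_qs, urlparse
import xml.etree.ElementTree as ET

# XML namespace of .appinstaller manifests, as published by Microsoft.
NS = {"ai": "http://schemas.microsoft.com/appx/appinstaller/2017/2"}

# Hypothetical allow-list of hosts the organisation permits to serve packages.
ALLOWED_PACKAGE_HOSTS = {"apps.corp.example"}

# Hypothetical list of brands commonly impersonated in package names.
IMPERSONATED_BRANDS = ("adobe", "microsoft")

# Constructed sample modelled on the chain in the article; .invalid hosts never resolve.
PHISH_LINK = "ms-appinstaller:?source=https://adobe-preview.invalid/Adobe.appinstaller"

SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<AppInstaller Uri="https://adobe-preview.invalid/Adobe.appinstaller" Version="1.0.0.0"
              xmlns="http://schemas.microsoft.com/appx/appinstaller/2017/2">
  <MainBundle Name="Adobe.PDFComponent" Publisher="CN=Some Unrelated Ltd"
              Version="1.0.0.0"
              Uri="https://cdn-packages.invalid/Adobe_x64.appxbundle" />
</AppInstaller>
"""


def source_from_link(link):
    """Return the manifest URL carried in an ms-appinstaller: link, or None for any other link."""
    parsed = urlparse(link)
    if parsed.scheme.lower() != "ms-appinstaller":
        return None
    return parse_qs(parsed.query).get("source", [None])[0]


def parse_manifest(xml_text):
    """Extract the package reference from an .appinstaller manifest.

    A manifest names either a MainBundle (.appxbundle/.msixbundle) or a
    MainPackage (.appx/.msix). AppInstaller.exe downloads whatever Uri that
    element carries, which need not be on the host that served the manifest.
    """
    root = ET.fromstring(xml_text)
    pkg = root.find("ai:MainBundle", NS)
    if pkg is None:
        pkg = root.find("ai:MainPackage", NS)
    if pkg is None:
        raise ValueError("manifest names no MainBundle or MainPackage")
    return {
        "manifest_uri": root.get("Uri"),
        "name": pkg.get("Name") or "",
        "publisher": pkg.get("Publisher") or "",
        "version": pkg.get("Version"),
        "package_uri": pkg.get("Uri") or "",
    }


def triage(link, manifest_xml):
    """Return the findings that make this link worth blocking or investigating."""
    findings = []
    source = source_from_link(link)
    if source is None:
        return findings  # an ordinary http(s) link: nothing App Installer related
    findings.append("link uses the ms-appinstaller: scheme, so the browser hands it to AppInstaller.exe")

    info = parse_manifest(manifest_xml)
    manifest_host = urlparse(source).hostname
    package = urlparse(info["package_uri"])
    if package.hostname != manifest_host:
        findings.append(f"manifest on {manifest_host} sends the package download to {package.hostname}")
    if package.hostname not in ALLOWED_PACKAGE_HOSTS:
        findings.append(f"package host {package.hostname} is not an approved package source")
    if package.scheme != "https":
        findings.append("package is fetched over plain HTTP")
    for brand in IMPERSONATED_BRANDS:
        if brand in info["name"].lower() and brand not in info["publisher"].lower():
            findings.append(f"package name {info['name']!r} claims {brand} but is signed by {info['publisher']!r}")
    return findings


if __name__ == "__main__":
    for finding in triage(PHISH_LINK, SAMPLE_MANIFEST):
        print("-", finding)
```

Run it directly to print the findings for the constructed sample; in practice the link comes from the mail gateway or proxy log and the manifest is fetched in a sandbox, never on the analyst’s workstation. The publisher check matters because, as the article notes, the package in this campaign was signed, just not by the brand its name borrowed. Beyond triage, Microsoft’s Desktop App Installer group policy can disable the ms-appinstaller: protocol handler altogether, which removes the browser-to-AppInstaller.exe hand-off this lure depends on.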
Next the App Installer shows a warning dialog, along with a notice that the package is digitally signed; the certificate was issued only months earlier. Sophos has informed the certificate authority.
Once a victim grants permission to install the “Adobe PDF Component”, the BazarBackdoor malware is deployed and executed within seconds.
BazarBackdoor, like BazarLoader, communicates over HTTPS, but is notable for the large volume of traffic it generates. It has been linked to Trickbot and to the subsequent distribution of Ryuk ransomware, and it can exfiltrate system information.
“Malware that comes in application installer bundles is not commonly seen in attacks,” Brandt said. “Unfortunately, now that the process has been demonstrated, it’s likely to attract wider interest. Security companies and software vendors need to have the protection mechanisms in place to detect and block it and prevent the attackers from abusing digital certificates.”