A new phishing campaign has been reported to abuse a Microsoft Windows 10 App Installer feature to spread the malware known as BazarBackdoor. The attack targeted a security firm's employees, who discovered the issue after receiving spam emails built on basic social engineering.
The emails sent to the employees came from a sender calling itself 'Sophos Main Manager Assistant' under the made-up name Adam Williams. The message demanded to know why no one had responded to a customer's complaint and required the recipient to open the linked PDF file to resolve the issue.
Naturally, the linked PDF is a trap that deploys the BazarBackdoor malware once opened.
The targeted security firm had not previously seen this phishing technique, in which the Windows 10 App Installer process is abused to spread the malware.
Upon clicking the link, the victim is redirected to a malicious website impersonating the Adobe brand. The page then asks the victim to click a button that claims to show a preview of the PDF file. Hovering over the link, however, reveals that its prefix is "ms-appinstaller" rather than an ordinary web URL, which is already suspicious.
As a researcher explained, during an actual infection the URL linked from the phishing email causes the browser (such as Edge) to open and hand off to a tool called AppInstaller.exe, which installs and runs whatever malicious payload is pointed to by that URL.
The link first fetches a text file named Adobe.appinstaller, which in turn redirects to a larger file hosted at another URL, Adobe_1.7.0.0_x64appbundle. A warning prompt then appears on screen, along with a notice that the software is digitally signed with a certificate issued many months ago.
If the victim grants permission to install the "Adobe PDF Component" on their computer, BazarBackdoor is finally deployed and executed.
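The chain above (a "preview PDF" link whose scheme is ms-appinstaller, a small .appinstaller manifest, and a larger signed bundle hosted elsewhere) leaves traces a defender can check in mail and proxy logs before anyone clicks. The following Python is an added example, not code from the article or from the researchers it cites. It assumes the documented shape of the protocol handler (`ms-appinstaller:?source=<manifest URL>`) and of the .appinstaller manifest (an `AppInstaller` root with a `MainBundle` or `MainPackage` child, under Microsoft's appinstaller XML namespace); the email body, manifest, hostnames, package name, publisher and version are all constructed for the example and are not indicators from the campaign.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

# Constructed sample email body modelled on the "preview the PDF" lure;
# both hostnames are made up for this example.
SAMPLE_EMAIL_HTML = """
<p>Why has nobody answered this customer complaint? Open the PDF below.</p>
<a href="https://docs.example-corp.test/complaint.pdf">Open PDF (archive copy)</a>
<a href="ms-appinstaller:?source=https://adobe-preview.example/Adobe.appinstaller">Preview PDF</a>
"""

# Constructed .appinstaller manifest in the shape App Installer consumes
# (the XML namespace is Microsoft's real one; name, publisher, version and hosts are invented).
SAMPLE_APPINSTALLER = """<?xml version="1.0" encoding="utf-8"?>
<AppInstaller xmlns="http://schemas.microsoft.com/appx/appinstaller/2017/2"
              Uri="https://adobe-preview.example/Adobe.appinstaller" Version="1.7.0.0">
  <MainBundle Name="Adobe.PDFComponent" Publisher="CN=Adobe PDF Component"
              Version="1.7.0.0"
              Uri="https://cdn-bundles.example/Adobe_1.7.0.0_x64.appxbundle"/>
</AppInstaller>
"""

ANCHOR_RE = re.compile(r'<a\b[^>]*href\s*=\s*["\']([^"\']+)["\'][^>]*>(.*?)</a>',
                       re.IGNORECASE | re.DOTALL)
APPINSTALLER_NS = {"ai": "http://schemas.microsoft.com/appx/appinstaller/2017/2"}


def find_appinstaller_links(html):
    """Return each <a> whose href uses the ms-appinstaller: handler, with the
    URL that handler would pass to AppInstaller.exe (the 'source' parameter)."""
    hits = []
    for href, text in ANCHOR_RE.findall(html):
        if not href.lower().startswith("ms-appinstaller:"):
            continue
        query = href.split("?", 1)[1] if "?" in href else ""
        source = parse_qs(query).get("source", [""])[0]
        hits.append({
            "href": href,
            "link_text": re.sub(r"<[^>]+>", "", text).strip(),
            "source": source,
            "source_host": urlsplit(source).hostname or "",
        })
    return hits


def parse_appinstaller(xml_text):
    """Extract what a .appinstaller manifest tells App Installer to fetch."""
    root = ET.fromstring(xml_text)
    bundle = root.find("ai:MainBundle", APPINSTALLER_NS)
    if bundle is None:
        bundle = root.find("ai:MainPackage", APPINSTALLER_NS)
    if bundle is None:
        raise ValueError("manifest has no MainBundle/MainPackage element")
    manifest_uri = root.get("Uri", "")
    bundle_uri = bundle.get("Uri", "")
    return {
        "manifest_host": urlsplit(manifest_uri).hostname or "",
        "bundle_uri": bundle_uri,
        "bundle_host": urlsplit(bundle_uri).hostname or "",
        "name": bundle.get("Name", ""),
        "publisher": bundle.get("Publisher", ""),
        "version": bundle.get("Version", ""),
    }


def triage(html, manifest_xml):
    """Human-readable findings for an analyst; an empty list means nothing was flagged."""
    findings = []
    for hit in find_appinstaller_links(html):
        findings.append(f"ms-appinstaller link labelled '{hit['link_text']}' "
                        f"fetches manifest from {hit['source_host']}")
        if "pdf" in hit["link_text"].lower():
            findings.append("link text promises a PDF but the handler installs an app package")
    info = parse_appinstaller(manifest_xml)
    if info["bundle_host"] != info["manifest_host"]:
        findings.append(f"bundle {info['name']} {info['version']} is hosted on "
                        f"{info['bundle_host']}, not on the manifest host {info['manifest_host']}")
    if info["bundle_uri"].lower().endswith((".appxbundle", ".msixbundle", ".appx", ".msix")):
        findings.append(f"payload is an installable package signed as '{info['publisher']}'")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_EMAIL_HTML, SAMPLE_APPINSTALLER):
        print("-", line)
```

The same two parsers can be pointed at real mail bodies and at any .appinstaller file a proxy has logged; the findings that matter most are a "PDF" label hiding an ms-appinstaller: scheme and a bundle served from a different host than the manifest. Blocking the ms-appinstaller: handler by policy where it is not needed removes the hand-off to AppInstaller.exe altogether.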
BazarBackdoor communicates over HTTPS, as BazarLoader does. What sets it apart is the amount of noisy traffic it produces. It can also exfiltrate system data and can potentially deploy the Ryuk ransomware, linking it to Trickbot.
The security researcher added that it is uncommon for threat actors to deliver malware through application installers such as Microsoft's App Installer. Now that the technique has been demonstrated to work, other threat actors may take an interest in doing the same.