Story image

New malware that abuses Windows 10 App Installer uncovered

By Shannon Williams, Wed 17 Nov 2021

Sophos researchers have uncovered a new attack operation by the malware family known as BazarBackdoor, which abuses the Windows 10 App Installer to spread malware through a highly targeted malicious spam campaign.

The campaign delivers malware through a novel mechanism: the abuse of the appxbundle format used by the Windows 10 App installer, a technique that does not appear to be widely used, according to SophosLabs researchers.

Earlier this month, Sophos employees were targeted with emails concerning an apparent customer complaint against them and purporting to come from a company manager. The recipient was addressed by their name and that of the company, and the wording of the message was abrupt and threatening - a classic scam technique to increase stress levels for the recipient. The recipient is urged to click through to a website where the complaint has allegedly been posted for them to review. This link, if clicked, will eventually lead the user to the malware.

Sophos researchers have undertaken a deep analysis of the malware and the attack tactics and techniques. 

According to the researchers, the attack chain that unfolds after the link in the email is clicked includes:

  • The page that appears abuses the Adobe brand and asks users to click on a button marked Preview PDF
  • However, the link from this button doesn't start with the expected prefix: https:// but with the prefix: ms-appinstaller
  • The unusual prefix triggers the browser to invoke a tool called AppInstaller.exe to download and run whatever is at the other end of the link
  • In this attack, the other end of the link turns out to be a text file named Adobe.appinstaller that, in turn, points to another URL where a larger file, containing the malware is located
  • The app appears to be signed with a digital certificate to make it look trustworthy and legitimate
  • If the user grants permission the malware is installed
  • The malware's behaviour identifies it as BazarBackdoor. The first thing it does is profile the infected system and identify its public facing IP address and send that information to its command-and-control
  • The infected device has then successfully been co-opted into the BazarBackdoor botnet, with a backdoor implant installed for the delivery of further malicious payloads if needed
     

"Spamming a security company with malicious emails featuring a novel attack technique might not have been the best decision by the operators," says Andrew Brandt, principal researcher at Sophos. 

"Malware that comes in application installer bundles is not commonly seen in attacks. Unfortunately, now that the process has been demonstrated, it's likely to attract wider interest," he says. 

"Security companies and software vendors need to have the protection mechanisms in place to detect and block it and prevent the attackers from abusing digital certificates."

Paul Ducklin, principal research scientist at Sophos, says like most backdoor programs of this sort, this malware deliberately includes a function to download and install yet more malware. 

"So, the danger of attacks like this is that although an infection may look and feel like the end of an attack chain, it is really just the beginning of the next one," he says.

"And you can't tell in advance what malware comes next. Also, it's easy to dismiss as mostly harmless the profiling data that this malware steals up front, such as the amount of RAM and CPU power that each infected device has. 

"But the criminals love to know those details, because it helps them decide which computers in their botnet are best suited to which sort of future malicious activity."

Recent stories
More stories