Monday, 15 November 2021 12:05

Sophos uncovers malware that abuses Windows 10 app installer


A new attack operation by a malware family known as BazarBackdoor or BazarLoader begins with a highly targeted malicious spam campaign, according to a blog post detailed by SophosLabs researchers.

The campaign delivers malware through a novel mechanism: the abuse of the appxbundle format used by the Windows 10 App installer, a technique that does not appear to be widely used, according to SophosLabs researchers.

Last Thursday, 4 November 2021, Sophos employees were targeted with emails concerning an apparent customer complaint against them, purporting to come from a company manager.

The recipient was addressed by their name and that of the company and the wording of the message was abrupt and threatening—a classic scam technique to increase stress levels for the recipient.

The recipient is urged to click through to a website where the complaint has allegedly been posted for them to review. This link, if clicked, will eventually lead the user to the malware.

Sophos researchers have analysed the malware and the attack tactics and techniques. The technical blog detailing their findings has been published on SophosLabs Uncut.

The blog reveals the attack chain that unfolds after the link in the email is clicked:
• The page that appears abuses the Adobe brand and asks users to click on a button marked “Preview PDF”
• However, the link from this button doesn’t start with the expected prefix: https:// but with the prefix: ms-appinstaller
• The unusual prefix triggers the browser to invoke a tool called AppInstaller.exe to download and run whatever is at the other end of the link
• In this attack, the other end of the link turns out to be a text file named Adobe.appinstaller that, in turn, points to another URL where a larger file containing the malware is located
• The app appears to be signed with a digital certificate to make it look trustworthy and legitimate
• If the user grants permission the malware is installed
• The malware’s behaviour identifies it as BazarBackdoor. The first thing it does is profile the infected system, identify its public-facing IP address and send that information to its command-and-control server
• The infected device has then successfully been co-opted into the BazarBackdoor botnet, with a backdoor implant installed for the delivery of further malicious payloads if needed
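The chain above (ms-appinstaller: link, .appinstaller manifest, remote bundle) can be walked by a defender to pull out the hosts that need blocking or review. The following is an added example, not code from Sophos or the blog; the HTML snippet and manifest are constructed, the URLs and publisher are placeholders, and only the App Installer XML namespace is real.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, parse_qs

# Constructed HTML mimicking the "Preview PDF" button; the URL is a placeholder.
SAMPLE_HTML = ('<a href="ms-appinstaller:?source=https://example.invalid/'
               'Adobe.appinstaller">Preview PDF</a>')

# Constructed .appinstaller manifest. Namespace is the real App Installer schema;
# name, publisher and bundle URL are placeholders.
SAMPLE_MANIFEST = """<AppInstaller
    xmlns="http://schemas.microsoft.com/appx/appinstaller/2017/2"
    Uri="https://example.invalid/Adobe.appinstaller" Version="1.0.0.0">
  <MainBundle Name="Adobe.Reader" Publisher="CN=Example Publisher"
    Version="1.0.0.0" Uri="https://example.invalid/Adobe.appxbundle" />
</AppInstaller>"""

NS = "{http://schemas.microsoft.com/appx/appinstaller/2017/2}"


def find_appinstaller_links(html):
    """Return the 'source' URLs behind any ms-appinstaller: hrefs in an HTML blob."""
    hits = []
    for href in re.findall(r'href="(ms-appinstaller:[^"]*)"', html, flags=re.I):
        query = href.split(":", 1)[1].lstrip("?")        # drop scheme and leading '?'
        hits.extend(parse_qs(query).get("source", []))
    return hits


def payload_urls(manifest_xml):
    """Extract the package/bundle URLs an .appinstaller manifest would fetch."""
    root = ET.fromstring(manifest_xml)
    urls = []
    for tag in ("MainBundle", "MainPackage"):               # both forms exist in the schema
        for el in root.iter(NS + tag):
            if el.get("Uri"):
                urls.append(el.get("Uri"))
    return urls


def triage(html, fetch_manifest):
    """Walk link -> manifest -> payload and report hosts for blocklisting or review.

    fetch_manifest is a hypothetical callable (URL -> manifest text) so the
    example runs offline; in practice it would retrieve the file in a sandbox.
    """
    findings = []
    for src in find_appinstaller_links(html):
        for url in payload_urls(fetch_manifest(src)):
            findings.append({"link_source": src, "payload": url,
                             "host": urlparse(url).netloc})
    return findings
```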

“Spamming a security company with malicious emails featuring a novel attack technique might not have been the best decision by the operators. Malware that comes in application installer bundles is not commonly seen in attacks,” said Sophos principal researcher Andrew Brandt. “Unfortunately, now that the process has been demonstrated, it's likely to attract wider interest. Security companies and software vendors need to have the protection mechanisms in place to detect and block it and prevent the attackers from abusing digital certificates.”

“Like most backdoor programs of this sort, this malware deliberately includes a function to download and install yet more malware. So, the danger of attacks like this is that although an infection may look and feel like the end of an attack chain, it is really just the beginning of the next one,” Sophos principal research scientist Paul Ducklin explains.

“And you can't tell in advance what malware comes next. Also, it's easy to dismiss as ‘mostly harmless’ the profiling data that this malware steals up front, such as the amount of RAM and CPU power that each infected device has. But the criminals love to know those details, because it helps them decide which computers in their botnet are best suited to which sort of future malicious activity,” Ducklin concludes.

SophosLabs has published Indicators of Compromise (IoCs) relating to this attack on its GitHub page. Microsoft turned off the pages hosting the malicious files on Thursday, 4 November 2021.

