The campaign delivers malware through a novel mechanism: the abuse of the appxbundle format used by the Windows 10 App installer, a technique that does not appear to be widely used, according to SophosLabs researchers.
Last Thursday, 4 November 2021, Sophos employees were targeted with emails concerning an apparent customer complaint against them and alleging to come from a company manager.
The recipient was addressed by their name and that of the company and the wording of the message was abrupt and threatening—a classic scam technique to increase stress levels for the recipient.
The recipient is urged to click to a website where the complaint has allegedly been posted for them to review. This link, if clicked, will eventually lead the user to the malware.
Sophos researchers have analysed the malware and the attack tactics and techniques. The technical blog detailing their findings has been published on SophosLabs Uncut.
The blog reveals the attack chain that unfolds after the link in the email is clicked:
• The page that appears abuses the Adobe brand and asks users to click on a button marked “Preview PDF”
• However, the link from this button doesn’t start with the expected prefix: https:// but with the prefix: ms-appinstaller
• The unusual prefix triggers the browser to invoke a tool called AppInstaller.exe to download and run whatever is at the other end of the link
• In this attack, the other end of the link turns out to be a text file named Adobe.appinstaller that, in turn, points to another URL where a larger file, containing the malware is located
• The app appears to be signed with a digital certificate to make it look trustworthy and legitimate
• If the user grants permission the malware is installed
• The malware’s behaviour identifies it as BazarBackdoor. The first thing it does is profile the infected system and identify its public facing IP address and send that information to its command-and-control
• The infected device has then successfully been co-opted into the BazarBackdoor botnet, with a backdoor implant installed for the delivery of further malicious payloads if needed
“Spamming a security company with malicious emails featuring a novel attack technique might not have been the best decision by the operators. Malware that comes in application installer bundles is not commonly seen in attacks,” Sophos principal researcher Andrew Brandt. “Unfortunately, now that the process has been demonstrated, it's likely to attract wider interest. Security companies and software vendors need to have the protection mechanisms in place to detect and block it and prevent the attackers from abusing digital certificates.”
“Like most backdoor programs of this sort, this malware deliberately includes a function to download and install yet more malware. So, the danger of attacks like this is that although an infection may look and feel like the end of an attack chain, it is really just the beginning of the next one,” Sophos principal research scientist Paul Ducklin explains.
“And you can't tell in advance what malware comes next. Also, it's easy to dismiss as ‘mostly harmless’ the profiling data that this malware steals up front, such as the amount of RAM and CPU power that each infected device has. But the criminals love to know those details, because it helps them decide which computers in their botnet are best suited to which sort of future malicious activity,” Ducklin concludes.
SophosLabs has published Indicators of Compromise (IoCs) relating to this attack on its Github page. Microsoft turned off the pages hosting the malicious files on Thursday, 4 November 2021.