The BazarBackdoor malware has been observed abusing a Microsoft Windows 10 App Installer feature to target users. The attack was discovered after Sophos Labs’ own employees were targeted with spam emails that used standard social engineering techniques.
Attackers sent an email purporting to come from a Sophos Main Manager Assistant with the fictitious name Adam Williams. The message asks why the recipient has not responded to a customer complaint and invites them to call back. It also contains a link to a supposed PDF file that will help them resolve the customer’s issue. The URL, however, leads to pages that ultimately download the BazarBackdoor malware. The attackers are using a novel approach in which the Windows 10 App Installer process (AppInstaller[.]exe) is abused to deliver malicious payloads.
The phishing lure takes victims to a website and prompts them to click a button to read a ‘.PDF’ file. However, when the recipient hovers over the link, the ms-appinstaller URL prefix is shown. When the victim clicks the link, the URL instructs the browser to hand it to a programme used by the Windows Store (AppInstaller[.]exe), which downloads and runs whatever is at the other end of the link. In the current attacks, the link points to a text file called Adobe[.]appinstaller, which in turn directs the installer to a larger file (called Adobe 220.127.116.11 x64appbundle) hosted at another URL. A warning message appears, along with a notice that the programme is digitally signed with a certificate issued some months earlier.
Victims are then asked to approve the installation of an ‘Adobe PDF Component’. If the user grants permission, the BazarBackdoor malware is downloaded and executed on the compromised system within a few seconds.
BazarBackdoor abuses Windows’ AppInstaller functionality, which has so far been an unusual attack vector. According to researchers, this case may encourage other attackers to adopt the same approach. Companies and security software vendors are therefore advised to put proper defences in place to detect and block such attacks.
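For defenders, the useful indicators in this chain are the ms-appinstaller: scheme in clicked links and the remote package URI inside the .appinstaller manifest. The following Python script is an added example, not code from the original article or from Sophos. It assumes plain-text click logs of the constructed form shown below and that the manifest uses the standard App Installer XML layout (an AppInstaller root element with a MainBundle or MainPackage child carrying a Uri attribute); every hostname, user name and package name in it is a constructed placeholder.

```python
"""Hunt for ms-appinstaller delivery chains in click logs and App Installer manifests.

Added example; not code from the original article or from Sophos.
Assumptions: log lines are plain text with a 'url=' field (constructed sample
below), and .appinstaller manifests follow the standard App Installer XML
schema (AppInstaller root with a MainBundle/MainPackage child and Uri attributes).
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample: click events as a mail gateway or proxy might record them.
SAMPLE_LOG = """\
2021-11-04T09:12:01Z click user=alice url=https://intranet.example.test/docs/complaint.pdf
2021-11-04T09:13:44Z click user=bob url=ms-appinstaller:?source=https://cdn.example.test/Adobe.appinstaller
2021-11-04T09:14:02Z click user=carol url=https://files.example.test/report.pdf
2021-11-04T09:15:30Z click user=dave url=ms-appinstaller:?source=https%3A%2F%2Fcdn.example.test%2Ftool.appxbundle
"""

# Constructed sample manifest (assumed App Installer XML layout). The package is
# hosted on a different host than the manifest, mirroring the two-hop redirection
# the article describes.
SAMPLE_MANIFEST = """\
<AppInstaller xmlns="http://schemas.microsoft.com/appx/appinstaller/2017/2"
              Uri="https://cdn.example.test/Adobe.appinstaller" Version="1.0.0.0">
  <MainBundle Name="Adobe.PDF.Component" Publisher="CN=Example Publisher"
              Version="1.0.0.0" Uri="https://other-host.example.test/Adobe_x64.appxbundle"/>
</AppInstaller>
"""

URL_RE = re.compile(r"url=(\S+)")
USER_RE = re.compile(r"user=(\S+)")


def extract_appinstaller_sources(log_text):
    """Return (user, source_url) for every ms-appinstaller: link in the log.

    The scheme handler passes the 'source' query parameter to AppInstaller.exe,
    so that URL is what actually gets fetched and is the value worth blocking on.
    """
    hits = []
    for line in log_text.splitlines():
        url_match = URL_RE.search(line)
        if not url_match:
            continue
        url = url_match.group(1)
        if not url.lower().startswith("ms-appinstaller:"):
            continue
        query = urlsplit(url).query
        source = parse_qs(query).get("source", [""])[0]
        user_match = USER_RE.search(line)
        user = user_match.group(1) if user_match else "?"
        hits.append((user, unquote(source)))
    return hits


def analyse_manifest(xml_text, trusted_hosts=frozenset()):
    """Summarise where an .appinstaller manifest will pull its package from.

    Flags the manifest when the package host differs from the manifest host
    (the redirection described in the article) or when either host is untrusted.
    """
    root = ET.fromstring(xml_text)
    ns = root.tag.split("}")[0] + "}" if root.tag.startswith("{") else ""
    pkg = root.find(ns + "MainBundle")
    if pkg is None:
        pkg = root.find(ns + "MainPackage")
    manifest_host = urlsplit(root.get("Uri", "")).hostname or ""
    pkg_uri = pkg.get("Uri", "") if pkg is not None else ""
    pkg_host = urlsplit(pkg_uri).hostname or ""
    findings = []
    if pkg_host and pkg_host != manifest_host:
        findings.append("package hosted on different host than manifest")
    for host in (manifest_host, pkg_host):
        if host and host not in trusted_hosts:
            findings.append("untrusted host: " + host)
    return {
        "name": pkg.get("Name") if pkg is not None else None,
        "publisher": pkg.get("Publisher") if pkg is not None else None,
        "manifest_host": manifest_host,
        "package_uri": pkg_uri,
        "findings": findings,
    }


if __name__ == "__main__":
    for user, source in extract_appinstaller_sources(SAMPLE_LOG):
        print(f"ms-appinstaller click by {user}: fetches {source}")
    summary = analyse_manifest(SAMPLE_MANIFEST, trusted_hosts={"cdn.example.test"})
    print(summary)
```

Run stand-alone, the script lists the users who clicked an ms-appinstaller: link together with the URL AppInstaller would fetch, then prints the manifest summary; the constructed manifest triggers both findings because its package is pulled from a second, untrusted host. The same two functions can be pointed at real gateway logs and at any .appinstaller file retrieved during triage.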