The Principal Researcher of the SophosLabs security firm, Andrew Brandt spotted that to deploy BazarLoader malware on the victim’s systems the TrickBot gang operators are now abusing the Windows 10 App Installer in their malicious campaign.
BazarLoader is an enigmatic Trojan and it has several names like:-
- BazarBackdoor
- BazaLoader
- BEERBOT
- KEGTAP
- Team9Backdoor
This stealthy Trojan, BazarLoader is used by the attackers to negotiate the networks of high-profile targets and then sell the access to compromised assets.
Spam Emails
Apart from this to deliver additional payloads BazarLoader is used by the hackers, and through it, they deliver the payloads like Cobalt Strike beacons.
By using threatening language and impersonating a company manager, the threat actor urges a sense of seriousness in their spam emails. So, like this, they provoke their victim to provide more info on a customer complaint regarding the email receiver.
Here, in the above image, you can see the Customer Complaints in the hyperlink that is available for review in PDF format, and it’s hosted on Microsoft’s own cloud storage which is:-
- *.web.core.windows.net domains
Attack analysis
Using an adobeview subdomain, this malicious campaign double baits its victims into installing the BazarLoader backdoor, and the use of adobeview subdomain adds an extra layer of reliability to the scheme.
Here’s what the Andrew Brandt stated:-
“The attackers used two different web addresses for hosting this fake “PDF download” page throughout the day. Both pages were hosted in Microsoft’s cloud storage, which perhaps lends it a sense of (unearned) authenticity, and both the .appinstaller and .appbundle files were hosted in the root of each webpage’s storage.”
In this stage on the phishing landing site, the “Preview PDF” button opens a URL with an ms-appinstaller: prefix, instead of pointing the victim to a PDF document.
Initially, the browser window will show a warning pop in which it will ask the victim if they want allow the phishing site to open the malicious Windows 10 App Installer.
But, here comes the tricky part, though it shows a warning pop, but, still in this part most of the users ignore this warning pop when they see the following address in the URL bar:-
adobeview.*.*.web.core.windows.net
In the form of a fake Adobe PDF Component, which is delivered as an AppX app bundle, will launch Microsoft’s App Installer once the user clicks the “Open” button, and then it will install the malware on the victim’s device.
After the successful launch, the App Installer will first start downloading the following malicious files of attackers that contains final payload named Security.exe nested within a UpdateFix subfolder:-
- .appinstaller file
- .appxbundle file
Once installed on the vulnerable system, the BazarLoader malware starts collecting all the system information like:-
- Hard disk
- Processor
- Motherboard
- RAM
- Active hosts on the local network with public-facing IP addresses
All these above-mentioned data were sent to the command-and-control server of the hackers and then camouflaged as cookies which were later released through HTTPS GET or POST headers.
However, after being informed by Sophos, on November 4 Microsoft removed all the pages that are abused by the hackers to host malicious files.
You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity, and hacking news updates.
