Operators linked to the Trickbot gang have been found abusing Windows 10's App Installer to deploy malware in a highly targeted spam campaign. The malware, BazarLoader, is also known as BazarBackdoor, BazaLoader, BEERBOT, KEGTAP and Team9Backdoor; it is typically used to gain a foothold in the networks of high-value targets, with that access then sold on to other criminals.
SophosLabs Principal Researcher Andrew Brandt spotted the campaign. The emails create a sense of urgency in the recipient with threatening language, impersonating a manager or senior colleague who asks the victim about a customer complaint.
The messages also appear to be personalised with the recipient's name and employer, and urge the recipient to click a link where the complaint against them is supposedly posted for review.
Complain first, trouble later?
The "Review PDF" link in the email points to a page hosted on Microsoft's cloud storage (web.core.windows.net domains, to be specific). Victims are then baited into installing the BazarLoader backdoor from an adobeview subdomain, which lends the attack a sort of unofficial credibility.
Both pages were hosted in Microsoft cloud storage, with the .appinstaller and .appxbundle files placed in the root of each site's storage.
Clicking the link that supposedly leads to the PDF instead takes the victim to a phishing page whose button opens a URL with an ms-appinstaller: prefix. The browser then shows a prompt asking the user to allow the site to open Windows 10's App Installer.
If the user agrees, App Installer launches and deploys the malware on the victim's device, disguised as an Adobe PDF component delivered as an AppX app bundle.
App Installer first fetches the malicious .appinstaller manifest, then the .appxbundle it links to, which contains the final payload, Security.exe, nested inside an UpdateFix subfolder. That payload downloads and executes a DLL, which spawns a child process that in turn spawns further child processes.
This chain ends with the malicious code injected into a headless Edge browser process. Once running, it begins harvesting system information and sends it to a command-and-control server, camouflaged as cookies in the headers of HTTPS GET or POST requests.
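The two artifacts that make this chain work are the ms-appinstaller: link the phishing page opens and the .appinstaller manifest that tells App Installer which bundle to fetch. The following triage script is an added example for this article; it is not code from the original page, from Sophos, or from Microsoft. It pulls the manifest URL out of an ms-appinstaller:?source= link, parses the manifest according to Microsoft's published .appinstaller schema, and flags what the article describes: hosting on web.core.windows.net and a package name that claims a vendor (Adobe) the signing publisher does not match. The link, hostname, package name and publisher in the sample are constructed assumptions, not indicators taken from the article.

```python
"""Triage an ms-appinstaller: link and the .appinstaller manifest it points to.

Added example for this article; not code from the original page, from Sophos,
or from Microsoft. The link and manifest below are constructed to mirror the
described chain (an ms-appinstaller: URL, a manifest on web.core.windows.net
under an "adobeview" subdomain, a bundle posing as an Adobe PDF component).
Hostnames, package name and publisher are assumptions. The manifest layout
follows Microsoft's published .appinstaller schema (2017/2).
"""
from urllib.parse import parse_qs, urlsplit
import xml.etree.ElementTree as ET

AZURE_STATIC_SUFFIX = ".web.core.windows.net"

# Constructed sample: the kind of link a "Review PDF" button hands to the browser.
SAMPLE_LINK = ("ms-appinstaller:?source="
               "https://adobeview.z0.web.core.windows.net/Adobe.appinstaller")

# Constructed sample manifest. Host, package name and publisher are made up.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<AppInstaller Uri="https://adobeview.z0.web.core.windows.net/Adobe.appinstaller"
              Version="1.0.0.0"
              xmlns="http://schemas.microsoft.com/appx/appinstaller/2017/2">
  <MainBundle Name="Adobe.PDF.Component"
              Publisher="CN=Contoso Software, O=Contoso, C=US"
              Version="1.0.0.0"
              Uri="https://adobeview.z0.web.core.windows.net/Adobe.appxbundle" />
</AppInstaller>
"""


def extract_source(url: str):
    """Return the manifest URL in an ms-appinstaller:?source=... link, else None."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "ms-appinstaller":
        return None
    values = parse_qs(parts.query).get("source")
    return values[0] if values else None


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def parse_manifest(xml_text: str) -> dict:
    """Pull the manifest URI and each MainBundle/MainPackage entry out of a manifest."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if _local(root.tag) != "AppInstaller":
        raise ValueError("root element is %r, not AppInstaller" % root.tag)
    packages = []
    for child in root:
        if _local(child.tag) in ("MainBundle", "MainPackage"):
            packages.append({
                "kind": _local(child.tag),
                "name": child.get("Name", ""),
                "publisher": child.get("Publisher", ""),
                "version": child.get("Version", ""),
                "uri": child.get("Uri", ""),
            })
    return {"manifest_uri": root.get("Uri", ""), "packages": packages}


def publisher_cn(publisher: str) -> str:
    """Return the CN= value from an X.500 subject such as 'CN=Contoso, O=Contoso'."""
    for part in publisher.split(","):
        key, _, value = part.strip().partition("=")
        if key.strip().upper() == "CN":
            return value.strip()
    return ""


def assess(link: str, manifest_xml: str) -> list:
    """Return (indicator, detail) pairs. Links without the ms-appinstaller:
    scheme, and manifests with nothing suspicious, yield an empty list."""
    findings = []
    source = extract_source(link)
    if source is None:
        return findings
    source_host = (urlsplit(source).hostname or "").lower()
    if source_host.endswith(AZURE_STATIC_SUFFIX):
        findings.append(("azure-static-web", "manifest served from " + source_host))
    for pkg in parse_manifest(manifest_xml)["packages"]:
        bundle_host = (urlsplit(pkg["uri"]).hostname or "").lower()
        if bundle_host != source_host:
            findings.append(("cross-host-bundle",
                             "%s fetched from %s" % (pkg["kind"], bundle_host)))
        # Heuristic: the leading segment of the package name is the brand it
        # claims (Adobe.PDF.Component -> Adobe); a signer CN that never mentions
        # that brand is a cheap impersonation signal, not proof of malice.
        brand = pkg["name"].split(".", 1)[0].lower()
        cn = publisher_cn(pkg["publisher"])
        if brand and brand not in cn.lower():
            findings.append(("brand-mismatch",
                             "%s claims %r but is signed by CN=%s" % (pkg["kind"], brand, cn)))
    return findings


if __name__ == "__main__":
    for indicator, detail in assess(SAMPLE_LINK, SAMPLE_MANIFEST):
        print("%-18s %s" % (indicator, detail))
```

Run against the constructed sample it reports azure-static-web and brand-mismatch; pointing it at a real manifest pulled from a proxy log (fetch it yourself, the script deliberately does no network I/O) gives the same three checks over live data.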
Microsoft took down the malicious pages on November 4, after Sophos reported the abuse.