The TrickBot gang is now exploiting the Windows 10 App Installer to install their BazarLoader malware on the computers of people targeted by a spam campaign. BazarLoader (also known as BazarBackdoor, BazaLoader, BEERBOT, KEGTAP, and Team9Backdoor) is a stealthy backdoor Trojan employed to infiltrate high-value targets’ networks and sell access to the compromised assets to other cybercriminals.
It’s also been used to transmit extra payloads, such as Cobalt Strike beacons, which allow threat actors to access their victims’ networks and then implant harmful malware, such as Ryuk ransomware. The attackers’ spam emails in the new campaign detected by SophosLabs Principal Researcher Andrew Brandt use intimidating language and impersonate a corporate manager who requests further information on a customer complaint about the email recipient.
This complaint is allegedly available as a PDF on a site hosted on Microsoft’s cloud storage (domains ending in *.web.core.windows.net). To make the lure more convincing, the site that delivers the BazarLoader backdoor to users who receive this spam sits under an adobeview subdomain, which lends the scheme added credibility.
The “Preview PDF” button on the phishing landing site opens a URL with the ms-appinstaller: prefix instead of a PDF document. When the victim clicks the button, the browser displays a warning asking whether they want the site to run App Installer. Seeing an adobeview.*.*.web.core.windows.net domain in the address bar, however, most users will probably dismiss the warning.
Clicking “Open” in the warning popup activates Microsoft’s App Installer (built into Windows 10 since version 1607, released in August 2016), which installs the malware on the victim’s device in the guise of a phony Adobe PDF Component supplied as an AppX app bundle. As soon as it runs, App Installer downloads the attackers’ malicious .appinstaller file and a linked .appxbundle file carrying the final payload, Security.exe, buried under an UpdateFix subdirectory.
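As an added illustration (not code from the Sophos report or this article), the following Python script scans constructed proxy log lines for the two steps described above: a browser handing a URL to the ms-appinstaller: protocol handler, and a subsequent .appinstaller or .appxbundle fetch from a *.web.core.windows.net host. The log format, hostnames and paths are assumed for the example; the ?source= layout of the ms-appinstaller: URI is Microsoft’s documented form.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log lines in the form "<time> <client-ip> <url>".
# Hostnames and paths are made up for the example; they are not the campaign's IoCs.
SAMPLE_LOG = """\
2021-11-04T10:01:12Z 10.0.0.5 https://adobeview.example1.web.core.windows.net/preview.html
2021-11-04T10:01:15Z 10.0.0.5 ms-appinstaller:?source=https://adobeview.example1.web.core.windows.net/UpdateFix/preview.appinstaller
2021-11-04T10:01:20Z 10.0.0.5 https://adobeview.example1.web.core.windows.net/UpdateFix/preview.appxbundle
2021-11-04T10:02:00Z 10.0.0.7 https://docs.example.com/complaint.pdf
2021-11-04T10:03:00Z 10.0.0.9 ms-appinstaller:?source=https://apps.example.com/internal-tool.appinstaller
"""

PACKAGE_EXT = (".appinstaller", ".appxbundle", ".msixbundle", ".appx", ".msix")
PUBLIC_HOST_SUFFIX = ".web.core.windows.net"  # Azure static-site hosting abused in the campaign


def is_public_static_host(host: str) -> bool:
    return host.lower().endswith(PUBLIC_HOST_SUFFIX)


def classify_url(url: str):
    """Return (severity, reason) for one URL, or None if nothing is suspicious."""
    parts = urlsplit(url)
    if parts.scheme.lower() == "ms-appinstaller":
        # Protocol-handler launch: the real download target sits in the ?source= parameter.
        source = parse_qs(parts.query).get("source", [""])[0]
        host = urlsplit(source).hostname or ""
        if is_public_static_host(host):
            return ("high", f"App Installer launched from public storage host {host}")
        return ("medium", f"App Installer launched from web, source host {host or 'unknown'}")
    host = parts.hostname or ""
    if parts.path.lower().endswith(PACKAGE_EXT) and is_public_static_host(host):
        return ("high", f"package download {parts.path.rsplit('/', 1)[-1]} from {host}")
    return None


def scan_log(text: str):
    """Return a list of (client_ip, severity, reason) for every suspicious log line."""
    findings = []
    for line in text.splitlines():
        fields = line.split(maxsplit=2)
        if len(fields) != 3:
            continue  # skip malformed lines rather than crashing the scan
        _, client, url = fields
        verdict = classify_url(url)
        if verdict:
            findings.append((client, *verdict))
    return findings


if __name__ == "__main__":
    for client, sev, why in scan_log(SAMPLE_LOG):
        print(f"[{sev}] {client}: {why}")
```

In a real deployment the medium-severity hits (App Installer launched from a non-Azure host) are worth triaging too, since the same protocol handler can be pointed at any web server.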
The payload downloads and runs an additional DLL file, which launches and spawns a child process; that process spawns further child processes until the malicious code is injected into a headless Chromium-based Edge browser process, completing the chain. Once installed on the compromised device, BazarLoader begins collecting system information (e.g., hard drive, processor, motherboard, RAM, and active hosts on the local network with public-facing IP addresses). This information is sent to the command-and-control server in the headers of HTTPS GET or POST requests, disguised as cookies.
Indicators of compromise (IoCs) connected to the BazarLoader campaign, including malware sample hashes, command-and-control servers, and source URLs, are published on SophosLabs’ GitHub page. After being notified by Sophos, Microsoft took down the sites the attackers used to host malicious files in these cyberattacks on November 4.