SophosLabs Discovers BazarBackdoor On Windows 10 App Installer

SophosLabs researchers have published a blogpost detailing a new attack operation by a malware family known as BazarBackdoor or BazarLoader that begins with a highly targeted malicious spam campaign. The campaign delivers malware through a novel mechanism: the abuse of the appxbundle format used by the Windows 10 App installer, a technique that does not appear to be widely used, according to SophosLabs researchers.

On Thursday, Nov. 4, 2021, Sophos employees were targeted with emails concerning an apparent customer complaint against them and purporting to come from a company manager. The recipient was addressed by their name and that of the company and the wording of the message was abrupt and threatening – a classic scam technique to increase stress levels for the recipient. The recipient is urged to click through to a website where the complaint has allegedly been posted for them to review. This link, if clicked, will eventually lead the user to the malware.

Sophos researchers have undertaken a deep analysis of the malware and the attack tactics and techniques. The technical blog detailing their findings has been published on SophosLabs Uncut.

The blog reveals the attack chain that unfolds after the link in the email is clicked:

• The page that appears abuses the Adobe brand and asks users to click on a button marked “Preview PDF”
• However, the link from this button doesn’t start with the expected prefix: https:// but with the prefix: ms-appinstaller
• The unusual prefix triggers the browser to invoke a tool called AppInstaller.exe to download and run whatever is at the other end of the link
• In this attack, the other end of the link turns out to be a text file named Adobe.appinstaller that, in turn, points to another URL where a larger file, containing the malware is located
• The app appears to be signed with a digital certificate to make it look trustworthy and legitimate
• If the user grants permission the malware is installed
• The malware’s behavior identifies it as BazarBackdoor. The first thing it does is profile the infected system and identify its public facing IP address and send that information to its command-and-control
• The infected device has then successfully been co-opted into the BazarBackdoor botnet, with a backdoor implant installed for the delivery of further malicious payloads if needed

Andrew Brandt, principal researcher at Sophos, said:  

“Spamming a security company with a malicious emails featuring a novel attack technique might not have been the best decision by the operators. Malware that comes in application installer bundles is not commonly seen in attacks. Unfortunately, now that the process has been demonstrated, it’s likely to attract wider interest. Security companies and software vendors need to have the protection mechanisms in place to detect and block it and prevent the attackers from abusing digital certificates.”

Paul Ducklin, principal research scientist at Sophos, said:

“Like most backdoor programs of this sort, this malware deliberately includes a function to download and install yet more malware. So, the danger of attacks like this is that although an infection may look and feel like the end of an attack chain, it is really just the beginning of the next one. And you can’t tell in advance what malware comes next. Also, it’s easy to dismiss as ‘mostly harmless’ the profiling data that this malware steals up front, such as the amount of RAM and CPU power that each infected device has. But the criminals love to know those details, because it helps them decide which computers in their botnet are best suited to which sort of future malicious activity.”

SophosLabs has published Indicators of Compromise (IoCs) relating to this attack on its Github page.  Microsoft turned off the pages hosting the malicious files on Thursday, Nov.4, 2021.