BazarLoader malware abuses Windows 10 apps in 'Call Me Back' attack

The highly targeted phishing campaign abuses appxbundle to infect devices

A new phishing campaign is abusing an app feature in Windows 10 to spread the BazarLoader malware.

The campaign’s discovery came when employees started receiving the malware-laden emails, according to security researchers at Sophos.

One email appeared to be sent by a "Sophos Main Manager Assistant" called "Adam Williams". In the email, the sender demanded to know why the recipient hadn't responded to a customer's complaint, which appeared as a PDF link in the email.

However, if a victim clicked on the link, it downloaded and installed the BazarLoader malware. Researchers said this malware was delivered by abusing a novel mechanism, the Windows 10 apps installer process.

The researchers said the phishing campaign sends victims to a website sporting the Adobe logo to look more legitimate. The text on the page asks victims to click on a link to preview the alleged PDF.

“But there’s something amiss with this link: Instead of being prefixed with the expected https:// the link instead begins with what was (for me, at least) an unfamiliar ms-appinstaller: prefix,” said SophosLabs Principal Researcher Andrew Brandt.

"In the course of running through an actual infection I realized that this construction of a URL triggers the browser [in my case, Microsoft's Edge browser on Windows 10], to invoke a tool used by the Windows Store application, called AppInstaller.exe, to download and run whatever's on the other end of that link," he added.

This link points to a 482-byte text file named Adobe.appinstaller. The contents of that file are just plain text, in XML format, that points to a URL where a larger file containing the malware, named Adobe_1.7.0.0_x64.appbundle, was located.

The malicious appinstaller indicates the .appxbundle was digitally signed by a UK-based company calling itself Systems Accounting Limited. This certificate was issued several months ago, and Sophos contacted Sectigo to alert it about this abuse of the certificate it issued.

Victims then get asked to allow an "Adobe PDF Component" install. If this is allowed, BazarLoader is installed.
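The chain described above, an ms-appinstaller: link that hands AppInstaller.exe a small .appinstaller XML manifest pointing at the real package, is something a defender can triage from the artefacts alone. The following is an added example, not code from the article or from Sophos: it pulls the manifest URL out of such a link, then reads a manifest and reports where the package is fetched from, who signed it, and whether the package name claims a vendor that the Publisher does not. The HTML snippet, the manifest and its hosts are constructed placeholders, not the campaign's real infrastructure.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample of the lure link and of a manifest shaped like the
# one the article describes; hosts are placeholders, not real indicators.
SAMPLE_HTML = ('<a href="ms-appinstaller:?source=https://cdn.example.invalid/'
               'Adobe.appinstaller">Click to preview PDF</a>')
SAMPLE_APPINSTALLER = b"""<?xml version="1.0" encoding="utf-8"?>
<AppInstaller xmlns="http://schemas.microsoft.com/appx/appinstaller/2017/2"
    Uri="https://cdn.example.invalid/Adobe.appinstaller" Version="1.7.0.0">
  <MainBundle Name="Adobe.PDF.Component" Publisher="CN=Systems Accounting Limited"
      Version="1.7.0.0" Uri="https://cdn.example.invalid/Adobe_1.7.0.0_x64.appxbundle"/>
</AppInstaller>"""

NS = "{http://schemas.microsoft.com/appx/appinstaller/2017/2}"


def find_appinstaller_sources(text):
    """Return the manifest URLs carried by any ms-appinstaller: links in text."""
    sources = []
    for m in re.finditer(r'ms-appinstaller:\?([^"\'\s<>]+)', text, re.IGNORECASE):
        qs = parse_qs(m.group(1))
        sources.extend(unquote(u) for u in qs.get("source", []))
    return sources


def triage_appinstaller(xml_bytes):
    """Extract the package location and signer from a manifest and flag oddities."""
    root = ET.fromstring(xml_bytes)
    manifest_host = urlparse(root.get("Uri", "")).hostname
    pkg = root.find(NS + "MainBundle")
    if pkg is None:  # single-package manifests use MainPackage instead
        pkg = root.find(NS + "MainPackage")
    info = {"name": pkg.get("Name"), "publisher": pkg.get("Publisher"),
            "version": pkg.get("Version"), "package_uri": pkg.get("Uri"), "flags": []}
    pkg_url = urlparse(info["package_uri"] or "")
    if pkg_url.scheme != "https":
        info["flags"].append("package not fetched over https")
    if manifest_host and pkg_url.hostname != manifest_host:
        info["flags"].append("package hosted on a different host than the manifest")
    # Heuristic: the leading segment of the package name is the vendor it claims
    # to be; a Publisher DN that never mentions that vendor deserves a look.
    claimed_vendor = (info["name"] or "").split(".")[0]
    if claimed_vendor and claimed_vendor.lower() not in (info["publisher"] or "").lower():
        info["flags"].append(f"package name claims vendor '{claimed_vendor}' absent from Publisher")
    return info
```

Run the two functions over proxy logs or quarantined mail bodies and over any .appinstaller file recovered from a host to get the fetch URL, the signer and the flags in one pass.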

“Malware that comes in AppX packages is novel, but now that the process has been demonstrated, it’s likely to be here to stay. These apps are supposed to be digitally signed with certificates, but it doesn’t appear that there’s any mechanism to make a sanity check between what’s on the certificate and the code it’s supposed to certify,” said Brandt.
