On Thursday, researchers from Sophos Labs said the attack was noticed after the cybersecurity firm's own employees were targeted with spam emails — but rather than being run-of-the-mill, these emails were written with at least a basic level of social engineering.
One of the emails, sent by a "Sophos Main Manager Assistant," the non-existent "Adam Williams," demanded to know why a researcher hadn't responded to a customer's complaint. To make resolution easier, the email helpfully contained a .PDF link to the message.
This is how it works: the phishing lure directs potential victims to a website that uses the Adobe brand and asks them to click a button to preview a .PDF file. Hovering over the link, however, reveals that it begins with the prefix "ms-appinstaller" rather than an ordinary web address.
"In the course of running through an actual infection I realized that this construction of a URL triggers the browser [in my case, Microsoft's Edge browser on Windows 10], to invoke a tool used by the Windows Store application, called AppInstaller.exe, to download and run whatever's on the other end of that link," Sophos researcher Andrew Brandt explained.
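The detection opportunity described above is the link scheme itself: a mail or proxy gateway can flag any hyperlink whose scheme is not http/https/mailto, and single out ms-appinstaller links, which hand the target straight to AppInstaller.exe. The following Python is an added example, not code from the article or from Sophos. It assumes the ms-appinstaller link carries the package location in a `source` query parameter (the form `ms-appinstaller:?source=https://...`), and the sample email body, hostnames and package name are constructed for the demonstration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from html import unescape
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Schemes a normal business email is expected to carry. Anything else is
# dispatched to a local protocol handler by the browser, not rendered as a page.
ORDINARY_SCHEMES = {"http", "https", "mailto"}


@dataclass
class LinkVerdict:
    href: str
    scheme: str
    suspicious: bool
    reason: str
    payload_source: Optional[str] = None  # where AppInstaller.exe would fetch from
    anchor_text: str = ""                 # what the recipient actually sees


def analyse_link(href: str) -> LinkVerdict:
    """Classify a single hyperlink target by its URL scheme."""
    parts = urlsplit(href.strip())
    scheme = parts.scheme.lower()

    if scheme == "ms-appinstaller":
        # Assumption: the package location is passed as ?source=<url>.
        # Extract it so the responder knows which host served the bundle.
        source = parse_qs(parts.query).get("source", [None])[0]
        return LinkVerdict(
            href, scheme, True,
            "ms-appinstaller link invokes AppInstaller.exe to download and run a package",
            payload_source=source,
        )
    if scheme in ORDINARY_SCHEMES:
        return LinkVerdict(href, scheme, False, "ordinary web or mail link")
    if scheme == "":
        return LinkVerdict(href, scheme, False, "relative link without a scheme")
    # Any other scheme (custom protocol handlers) is worth a second look.
    return LinkVerdict(href, scheme, True, f"non-web scheme '{scheme}' handed to a local handler")


# Deliberately simple anchor-tag matcher; a production gateway would use a real HTML parser.
HREF_RE = re.compile(r'<a\s+[^>]*href\s*=\s*"([^"]*)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)


def scan_html_links(html: str) -> list[LinkVerdict]:
    """Return only the suspicious links found in an HTML email body."""
    flagged = []
    for href, text in HREF_RE.findall(html):
        verdict = analyse_link(unescape(href))
        verdict.anchor_text = re.sub(r"<[^>]+>", "", text).strip()
        if verdict.suspicious:
            flagged.append(verdict)
    return flagged


# Constructed sample lure body: a benign portal link plus a "Preview PDF" button
# whose real target is an ms-appinstaller link, mirroring the lure in the article.
SAMPLE_LURE_HTML = """
<p>You have not replied to the customer complaint attached below.</p>
<p><a href="https://portal.example.test/complaints/1042">Open complaint in portal</a></p>
<p><a href="ms-appinstaller:?source=https://cdn.example.test/AdobePDFComponent.appinstaller">
   Preview PDF</a></p>
"""

if __name__ == "__main__":
    for v in scan_html_links(SAMPLE_LURE_HTML):
        print(f"[{v.scheme}] text={v.anchor_text!r} -> {v.href}")
        print(f"    reason: {v.reason}")
        if v.payload_source:
            print(f"    package would be fetched from: {v.payload_source}")
```

Running it against the sample body reports only the "Preview PDF" link, with the host that would serve the package pulled out of the `source` parameter; the portal link passes untouched. The same check is cheap enough to run on every inbound message, and the extracted package URL is the indicator to pivot on in proxy and DNS logs.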
A warning prompt then appears, along with a notice that the software has been digitally signed with a certificate issued several months ago. (Sophos has made the certificate authority aware of the abuse.)
BazarBackdoor, akin to BazarLoader, communicates over HTTPS but stands out among malicious programs because of the amount of noisy traffic the backdoor generates. BazarBackdoor is able to exfiltrate system data and has been linked to Trickbot, as well as to the potential deployment of Ryuk ransomware.
"Malware that comes in application installer bundles is not commonly seen in attacks," Brandt said. "Unfortunately, now that the process has been demonstrated, it's likely to attract wider interest. Security companies and software vendors need to have the protection mechanisms in place to detect and block it and prevent the attackers from abusing digital certificates."