'Call me back': manipulative attackers leverage Windows 10 to push malware

Attempting to push BazarBackdoor malware, threat actors create a false sense of workplace urgency so that victims prioritize speed over alertness.

A highly targeted spam campaign uses malicious emails to abuse the AppX package format (.appx/.appxbundle) handled by the Windows 10 App Installer, researchers at SophosLabs discovered.

Unfortunately for the attackers, some of their targets were security researchers who are well aware of the tactics hackers use to breach companies. Less savvy employees, however, could easily be tricked by an attempt this well crafted.

Last week SophosLabs noted that several peculiar emails had reached some of its employees. It later learned that the same actors had sent similar emails to other businesses all over the globe.

The payloads were delivered through a relatively novel mechanism: the attackers used Adobe's name to trick victims into running the Windows 10 App Installer.

Devious tactics

According to SophosLabs, the threat actors crafted their emails with human psychology in mind. The subject line contained the recipient's name followed by 'call me back.' The body itself demanded rapid action over alleged misconduct.

"I am on my way to the Sophos office. Why you didn't inform us about Customer Complaint (in PDF) on you? Please call me back now," threat actors wrote in an email.

The message is crafted to make the victims worry about misconduct or a cover-up, prompting them to act fast. The 'Customer Complaint (in PDF)' part of the message contains a link that leads to a website named 'AdobeView' with a 'Preview PDF' message.

Following a link in the spam email leads to a 'Preview PDF' message.

Researchers found that clicking 'Preview PDF' does not take the victim to a web page at all. The link uses the ms-appinstaller: URL scheme, so the browser hands it to AppInstaller.exe, the component behind the Microsoft Store's App Installer, which then downloads and runs whatever package sits at the other end of that link.

The URL itself contains the strings 'AdobeView' and 'Windows', likely to foster a sense of trustworthiness. Following the on-screen prompts, victims reach another pop-up asking whether they want to 'Install Adobe PDF Component.'

Clicking the 'Preview PDF' button prompts the App Installer.

That prompt would make perfect sense to a victim rushing to read a customer complaint they had supposedly tried to cover up. The install, however, delivers a package named 'Adobe_1.7.0.0_x64.appx' that contains the malware. Afterward, several separate processes start and fully deploy BazarBackdoor on the victim's device.

According to the researchers, the malware transmits information to its server inside HTTP cookies and receives commands from the C2 in the form of one or more 'Set-Cookie' response headers.
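Cookie-borne command and control is easy to miss because Cookie and Set-Cookie headers are everywhere. The following is an added triage example, not Sophos's code and not BazarBackdoor's actual encoding (which the article does not describe): it parses raw HTTP messages, pulls out each cookie, and flags values that are long and high-entropy, the signature of an opaque payload rather than a session identifier. The sample messages, the thresholds and the blob contents are constructed for the example.

```python
import base64
import binascii
import hashlib
import math
import re
from typing import Dict, List, Tuple

# Hypothetical triage thresholds for this example; tune them against your own traffic.
MIN_OPAQUE_LEN = 48     # cookie values shorter than this rarely carry a payload
MIN_ENTROPY_BITS = 4.0  # per character; base64 of random bytes scores roughly 5.5 to 6


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_base64(s: str) -> bool:
    """True if s is well-formed base64 (standard or URL-safe alphabet, correct padding)."""
    if len(s) % 4 or not re.fullmatch(r"[A-Za-z0-9+/_-]+=*", s):
        return False
    try:
        base64.b64decode(s.replace("-", "+").replace("_", "/"), validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP request or response (start line plus headers) into (name, value) pairs."""
    lines = raw.replace("\r\n", "\n").split("\n")
    pairs = []
    for line in lines[1:]:          # skip the request line / status line
        if not line.strip():
            break                   # blank line ends the header block
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs


def cookie_pairs(header_name: str, value: str) -> List[Tuple[str, str]]:
    """Extract name=value cookies from a Cookie (many cookies) or Set-Cookie (one cookie) header."""
    if header_name.lower() == "set-cookie":
        segments = [value.split(";", 1)[0]]   # the rest are attributes: Path, HttpOnly, ...
    else:
        segments = value.split(";")
    out = []
    for seg in segments:
        name, sep, val = seg.strip().partition("=")
        if sep:
            out.append((name.strip(), val.strip().strip('"')))
    return out


def flag_opaque_cookies(raw_message: str) -> List[Dict[str, object]]:
    """Return the cookies in raw_message whose values look like opaque data blobs."""
    findings = []
    for hname, hval in parse_headers(raw_message):
        if hname.lower() not in ("cookie", "set-cookie"):
            continue
        for cname, cval in cookie_pairs(hname, hval):
            ent = shannon_entropy(cval)
            if len(cval) >= MIN_OPAQUE_LEN and ent >= MIN_ENTROPY_BITS:
                findings.append({"header": hname, "cookie": cname, "length": len(cval),
                                 "entropy": round(ent, 2), "base64": looks_base64(cval)})
    return findings


# Constructed sample traffic (not captured BazarBackdoor traffic). The blob is just
# two SHA-256 digests, base64-encoded, standing in for an encrypted task.
_BLOB = base64.b64encode(hashlib.sha256(b"example-task").digest()
                         + hashlib.sha256(b"example-args").digest()).decode()

BENIGN_RESPONSE = ("HTTP/1.1 200 OK\r\n"
                   "Set-Cookie: sessionid=7f3a9c2e; Path=/; HttpOnly; Secure\r\n"
                   "Set-Cookie: lang=en-US; Path=/\r\n\r\n")

SUSPECT_RESPONSE = ("HTTP/1.1 200 OK\r\n"
                    "Set-Cookie: a1b2=" + _BLOB + "\r\n"
                    "Set-Cookie: seq=3\r\n\r\n")

SUSPECT_REQUEST = ("GET /api/v1/status HTTP/1.1\r\n"
                   "Host: 203.0.113.10\r\n"
                   "Cookie: sid=" + _BLOB + "; ver=1\r\n\r\n")

if __name__ == "__main__":
    for label, msg in [("benign", BENIGN_RESPONSE), ("response", SUSPECT_RESPONSE),
                       ("request", SUSPECT_REQUEST)]:
        print(label, flag_opaque_cookies(msg))
```

Treat a hit as a triage signal rather than a verdict: legitimate JWTs and signed session tokens are also long and high-entropy, so the flag is most useful combined with destination reputation, a bare-IP Host header, or a response whose only content is the cookie.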

"Like most backdoor programs of this sort, this malware deliberately includes a function to download and install yet more malware. So, the danger of attacks like this is that although an infection may look and feel like the end of an attack chain, it is really just the beginning of the next one," Paul Ducklin, a principal research scientist at Sophos, said.

The App Installer masks the malware as an Adobe PDF Component.

Here to stay

Even though delivering malware in an AppX package is a relatively new tactic, researchers at SophosLabs are convinced attackers will employ it again in the future.

"Malware that comes in application installer bundles is not commonly seen in attacks. Unfortunately, now that the process has been demonstrated, it's likely to attract wider interest," Andrew Brandt, principal researcher at Sophos, said.

The critical problem is that AppX packages must be digitally signed, and the App Installer does verify that signature. Still, the check only establishes that the package is intact and that the signing certificate is valid; the researchers found no mechanism that ties the certificate's subject to the organization the app claims to come from.

As it stands, a package that presents itself as an Adobe component can be signed by anyone who holds a valid code-signing certificate. The researchers believe there should be a way to check whether the certificate has anything to do with the organization behind the program.
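In a signed AppX package the Identity/@Publisher attribute of AppxManifest.xml must equal the signing certificate's subject, so once the signature validates, the manifest itself tells you who really signed the package. The check the researchers describe as missing can be done by hand during triage: compare the signer's CN against the vendor the package advertises to the user. The following is an added example, not Sophos's code and not part of the App Installer; it builds a throwaway .appx shell (a zip holding only the manifest) and runs the comparison. The lure manifest is constructed to match the file name the article reports, and its Publisher value is invented; the Contoso manifest is a fictional well-formed control.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Set

# Namespace used by AppxManifest.xml in Windows 10 packages (a real Microsoft schema URI).
APPX_NS = "{http://schemas.microsoft.com/appx/manifest/foundation/windows10}"


def read_manifest(appx_bytes: bytes) -> Dict[str, str]:
    """Read identity and display fields from AppxManifest.xml inside an .appx (a zip file)."""
    with zipfile.ZipFile(io.BytesIO(appx_bytes)) as z:
        root = ET.fromstring(z.read("AppxManifest.xml"))
    identity = root.find(APPX_NS + "Identity")
    props = root.find(APPX_NS + "Properties")

    def child_text(tag: str) -> str:
        el = props.find(APPX_NS + tag) if props is not None else None
        return (el.text or "").strip() if el is not None else ""

    attr = identity.attrib if identity is not None else {}
    return {
        "name": attr.get("Name", ""),
        "version": attr.get("Version", ""),
        "publisher": attr.get("Publisher", ""),           # equals the signer subject once signed
        "display_name": child_text("DisplayName"),
        "publisher_display_name": child_text("PublisherDisplayName"),
    }


def subject_cn(subject: str) -> str:
    """Return the CN component of an X.500 subject such as 'CN=Foo Ltd, O=Foo Ltd, C=US'."""
    m = re.search(r"(?:^|,)\s*CN=([^,]+)", subject)
    return m.group(1).strip() if m else ""


def _tokens(s: str) -> Set[str]:
    """Lower-case word tokens of at least three characters, for a loose name comparison."""
    return {t for t in re.findall(r"[a-z0-9]+", s.lower()) if len(t) >= 3}


def publisher_mismatch(manifest: Dict[str, str]) -> Optional[str]:
    """Reason string if the advertised vendor shares no name with the signer's CN, else None."""
    cn = subject_cn(manifest["publisher"])
    if not cn:
        return "manifest Identity/@Publisher has no CN"
    claimed = _tokens(manifest["publisher_display_name"]) or _tokens(manifest["name"])
    if claimed and not (claimed & _tokens(cn)):
        shown = manifest["publisher_display_name"] or manifest["display_name"]
        return f"package presents itself as {shown!r} but is signed as CN={cn!r}"
    return None


def build_sample_appx(manifest_xml: str) -> bytes:
    """Constructed, unsigned package shell for the demo: a zip containing only the manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AppxManifest.xml", manifest_xml)
    return buf.getvalue()


# Hypothetical manifest shaped like the lure (Name/Version/arch follow the reported file name
# Adobe_1.7.0.0_x64.appx); the Publisher subject is invented for the example.
LURE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">
  <Identity Name="Adobe" Version="1.7.0.0" ProcessorArchitecture="x64"
            Publisher="CN=Hypothetical Signer Ltd, O=Hypothetical Signer Ltd, C=GB"/>
  <Properties>
    <DisplayName>Adobe PDF Component</DisplayName>
    <PublisherDisplayName>Adobe</PublisherDisplayName>
  </Properties>
</Package>
"""

# Fictional control: the advertised publisher and the signer agree.
LEGIT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">
  <Identity Name="Contoso.Viewer" Version="2.0.0.0" ProcessorArchitecture="x64"
            Publisher="CN=Contoso Ltd, O=Contoso Ltd, C=US"/>
  <Properties>
    <DisplayName>Contoso Viewer</DisplayName>
    <PublisherDisplayName>Contoso</PublisherDisplayName>
  </Properties>
</Package>
"""

if __name__ == "__main__":
    for xml in (LURE_MANIFEST, LEGIT_MANIFEST):
        m = read_manifest(build_sample_appx(xml))
        print(m["name"], m["version"], "->", publisher_mismatch(m) or "publisher matches")
```

This comparison only means something after the signature has been verified (for example with Get-AuthenticodeSignature on the package), because an unsigned or tampered manifest can claim any Publisher it likes; the point of the example is the step the installer does not take even when the signature is good. The token overlap is deliberately loose and will produce false positives for vendors whose legal name differs from their brand, so treat a mismatch as a prompt for a closer look, not as a block by itself.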

Novel malware deployment tactics continue to baffle security experts, as almost a third of detected threats were previously unknown. The high volume of new threats is explained by the widespread use of packers and obfuscation techniques by attackers seeking to evade detection.
