Just when you thought threat actors couldn’t find another way to launch a dropper, a new method has surfaced that takes advantage of native functionality found in Windows 10.
If you’ve been following phishing attacks at all over the last few years, you’re very aware of threat actors using methods like Office app macros to launch a malware dropper or installer, or leveraging a PDF to run a script, etc.
But a new technique has been identified by security researchers at Sophos that invokes the Windows App Installer from within Windows 10 to be the catalyst for infecting a machine with malware.
According to Sophos, the email targeted Sophos employees purporting to be from another Sophos employee, linking to a PDF within the email asking “Why didn’t you inform us about the Customer Complaint on you?” and requesting that the recipient call them back now. Because there is no phone number to call, the logical next step is to click the link and see the complaint.
The link takes victims to a windows.net site with a “Preview PDF” button and, when clicked, the really tricky stuff starts. As pointed out in the image below, the preview button includes a link that begins with ms-appinstaller: which will trigger the Windows Store application, AppInstaller.exe, to download and run whatever’s on the other end of that link.
Source: Sophos Labs
Simply brilliant.
The installer is made to look like an Adobe PDF “component” in the hopes that users will see it as being benign (and that, possibly, the downloading of the complaint “PDF” simply triggered an update, etc.). What’s actually installed is the BazarBackdoor malware.
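As an added example (not code from the original post or from Sophos), the following Python routine shows how a mail or proxy filter could flag the lure described above: it extracts anchors from an HTML body, picks out those whose href uses the ms-appinstaller: scheme, pulls the package URL from the `source` query parameter that the handler fetches, and notes when the visible link text poses as a document. The HTML body and hostnames are constructed samples.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed sample body modelled on the lure described above (not the real page).
SAMPLE_HTML = """
<html><body>
<p>Customer complaint attached.</p>
<a href="ms-appinstaller:?source=https://example.invalid/adobe-pdf-component.appinstaller">Preview PDF</a>
<a href="https://example.invalid/policy.pdf">Company policy (PDF)</a>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_appinstaller_lures(html):
    """Return one finding per link that would invoke the ms-appinstaller: handler."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        parts = urlsplit(href.strip())
        if parts.scheme.lower() != "ms-appinstaller":
            continue
        # App Installer downloads the package named in the `source` query parameter.
        source = parse_qs(parts.query).get("source", [""])[0]
        findings.append({
            "link_text": text,
            "package_url": source,
            "package_host": urlsplit(source).hostname or "",
            # A document-sounding label on an app-install link is the social-engineering tell.
            "document_lure": bool(re.search(r"\b(pdf|document|invoice|complaint)\b", text, re.I)),
        })
    return findings
```

Findings with `document_lure` set, or whose `package_host` is outside an allow-list of known software publishers, are the ones worth quarantining or alerting on.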
This is a pretty ingenious way to trick users into installing malware on a few fronts. It seems the cybercriminals are stepping up their game, which means you need to as well, with Security Awareness Training that educates users not to engage with such emails in the first place; anything unexpected should be treated as potentially hostile.