[MART] - Daily Diary #388 - Windows 10 targeted by 'call me back' attack

CTAS-MAT ctas-mat at appgate.com
Thu Nov 11 21:18:52 UTC 2021


Hello,
I hope everyone is doing well!

Below is the entry for today.

11/11/2021 - Diary entry #388

This week a new campaign of BazarLoader was found abusing Windows 10 App Installer.

The campaign, following the known BazarLoader pattern, is delivered through spam e-mail. The e-mail uses social engineering to convince the target to click a supposed PDF link embedded in the message body. Opening the link displays a fake PDF preview loading screen that asks the user to click a button to load the PDF. The button invokes an ms-appinstaller: link, which calls AppInstaller.exe, native in Windows 10, to download and run the payload referenced by that link. It's important to note that after the button is clicked, Windows raises an alert saying that the website wants to open AppInstaller, but users unaware of the scam can easily allow the malicious payload to run. AppInstaller then opens a pop-up asking to install the payload, which is disguised as an AdobePDF component.

AppInstaller is a trusted component of Windows 10, used by the Microsoft Store to install purchased applications.
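As an added defender-side example (not part of the diary entry), the script below triages ms-appinstaller: links seen in constructed proxy/URL-click log lines: it decodes the ?source= parameter that tells AppInstaller.exe where to fetch the package and flags any source host not on an allowlist. The log format, the allowlist host and the lure hostnames are all assumptions.

```python
"""Triage ms-appinstaller: links from URL logs (constructed sample data)."""
import re
from urllib.parse import parse_qs, urlsplit

# Hosts from which packages are legitimately installed (assumed allowlist).
ALLOWED_SOURCE_HOSTS = {"apps.corp.example"}

# An ms-appinstaller: URI runs until whitespace or a quote/angle bracket.
URI_RE = re.compile(r"ms-appinstaller:[^\s\"'<>]+", re.IGNORECASE)

# Constructed log lines modelled on the lure flow: PDF preview page, then a
# click on the button that invokes the ms-appinstaller: handler.
SAMPLE_LOG = [
    "2021-11-11T10:02:13Z proxy GET https://pdf-preview.example/view?id=7 200",
    "2021-11-11T10:02:20Z proxy CLICK ms-appinstaller:?source="
    "https%3A%2F%2Fadobe-pdf-component.example%2FAdobePDF.appinstaller",
    "2021-11-11T11:40:01Z proxy CLICK ms-appinstaller:?source="
    "https://apps.corp.example/LineOfBusiness.msixbundle",
    "2021-11-11T12:00:00Z proxy GET https://www.example.org/ 200",
]


def parse_appinstaller_uri(uri):
    """Return the decoded ?source= URL of an ms-appinstaller: URI, else None."""
    parts = urlsplit(uri)
    if parts.scheme.lower() != "ms-appinstaller":
        return None
    sources = parse_qs(parts.query).get("source")
    return sources[0] if sources else None


def classify(source_url):
    """Label a package source URL by its host: allowed, suspicious, malformed."""
    host = (urlsplit(source_url).hostname or "").lower()
    if not host:
        return "malformed"
    return "allowed" if host in ALLOWED_SOURCE_HOSTS else "suspicious"


def triage(log_lines):
    """Return (uri, source_url, verdict) for every ms-appinstaller: link seen."""
    findings = []
    for line in log_lines:
        for uri in URI_RE.findall(line):
            src = parse_appinstaller_uri(uri)
            findings.append((uri, src, "malformed" if src is None else classify(src)))
    return findings


if __name__ == "__main__":
    for uri, src, verdict in triage(SAMPLE_LOG):
        print(f"{verdict:10} {src or uri}")
```

The same check applies to AppInstaller.exe process-creation events, whose command line carries the same URI.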

BazarLoader was already covered in our Daily Diary #131. It's developed by the Wizard Spider group, also responsible for TrickBot and Conti ransomware (successor of Ryuk ransomware). This campaign, like the other BazarLoader campaigns, can deploy TrickBot or other botnet malware to exfiltrate data and spread through the network, possibly ending in a ransomware attack.

Kind Regards,





Felipe Duarte Domingues
Security Researcher
Appgate

E: felipe.duarte at appgate.com
O: +55 19 98840 2509
