HPE says hackers breached Aruba Central using stolen access key
FBI warns of Iranian hackers looking to buy US orgs’ stolen data
Telnyx is the latest VoIP provider hit with DDoS attacks
NUCLEUS:13 TCP security bugs impact critical healthcare devices
The new Microsoft Store is now rolling out to Windows 10 PCs
Windows 10 App Installer abused in BazarLoader malware attacks
BotenaGo botnet targets millions of IoT devices with 33 exploits
How to fix the Windows 0x0000007c network printing error
Qualys BrowserCheck
STOPDecrypter
AuroraDecrypter
FilesLockerDecrypter
AdwCleaner
ComboFix
RKill
Junkware Removal Tool
How to remove the PBlock+ adware browser extension
Remove the Toksearches.xyz Search Redirect
Remove the Smashapps.net Search Redirect
Remove the Smashappsearch.com Search Redirect
Remove Security Tool and SecurityTool (Uninstall Guide)
How to remove Antivirus 2009 (Uninstall Instructions)
How to Remove WinFixer / Virtumonde / Msevents / Trojan.vundo
How to remove Google Redirects or the TDSS, TDL3, or Alureon rootkit using TDSSKiller
Locky Ransomware Information, Help Guide, and FAQ
CryptoLocker Ransomware Information Guide and FAQ
CryptorBit and HowDecrypt Information Guide and FAQ
CryptoDefense and How_Decrypt Ransomware Information Guide and FAQ
How to make the Start menu full screen in Windows 10
How to install the Microsoft Visual C++ 2015 Runtime
How to open an elevated PowerShell Admin prompt in Windows 10
How to Translate a Web Page in Google Chrome
How to start Windows in Safe Mode
How to remove a Trojan, Virus, Worm, or other Malware
How to show hidden files in Windows 7
How to see hidden files in Windows
eLearning
IT Certification Courses
Gear + Gadgets
Security
Windows 10 App Installer abused in BazarLoader malware attacks
The TrickBot gang operators are now abusing the Windows 10 App Installer to deploy their BazarLoader malware on the systems of targets who fall victim to a highly targeted spam campaign.
BazarLoader (aka BazarBackdoor, BazaLoader, BEERBOT, KEGTAP, and Team9Backdoor) is a stealthy backdoor Trojan commonly used to compromise the networks of high-value targets and sell access to compromised assets to other cybercriminals.
It has also been used to deliver additional payloads, such as Cobalt Strike beacons that help threat actors access their victims’ network and ultimately deploy dangerous malware, including but not limited to Ryuk ransomware.
In the recent campaign spotted by SophosLabs Principal Researcher Andrew Brandt, the attackers’ spam emails induce a sense of urgency by using threatening language and impersonating a company manager who asks for more info on a customer complaint about the email recipient.
This complaint is supposedly available for review as a PDF from a site hosted on Microsoft’s own cloud storage (on *.web.core.windows.net domains).
To add to the ruse, those on the receiving end of this spam campaign are double baited into installing the BazarLoader backdoor using an adobeview subdomain that further adds credibility to the scheme.
“The attackers used two different web addresses for hosting this fake ‘PDF download’ page throughout the day,” Brandt said.
“Both pages were hosted in Microsoft’s cloud storage, which perhaps lends it a sense of (unearned) authenticity, and both the .appinstaller and .appbundle files were hosted in the root of each webpage’s storage.”
However, instead of pointing to a PDF document, the “Preview PDF” button on the phishing landing site opens a URL with an ms-appinstaller: prefix.
When clicking the button, the browser will first show a warning asking the victim if they want to allow the site to open App Installer. However, most people will likely ignore it when seeing an adobeview.*.*.web.core.windows.net domain in the address bar.
Clicking “Open” in the warning dialog will launch Microsoft’s App Installer — a built-in app since the release of Windows 10 version 1607 in August 2016 — to deploy the malware on the victim’s device in the form of a fake Adobe PDF Component, delivered as an AppX app bundle.
Once launched, App Installer will first start downloading the attackers’ malicious .appinstaller file and a linked .appxbundle file containing the final payload named Security.exe nested within a UpdateFix subfolder.
The payload downloads and executes an additional DLL file which is launched and spawns a child process which in turn spawns other child processes, eventually ending the string with the injection of the malicious code into a headless Chromium-based Edge browser process.
After getting deployed on the infected device, BazarLoader will begin harvesting system information (e.g., hard disk, processor, motherboard, RAM, active hosts on the local network with public-facing IP addresses).
This information is sent to the command-and-control server, camouflaged as cookies delivered through HTTPS GET or POST headers.
“Malware that comes in application installer bundles is not commonly seen in attacks. Unfortunately, now that the process has been demonstrated, it’s likely to attract wider interest,” Brandt said.
“Security companies and software vendors need to have the protection mechanisms in place to detect and block it and prevent the attackers from abusing digital certificates.”
You can find indicators of compromise (IoCs) related to this BazarLoader campaign, including malware sample hashes, command-and-control server, and source URLs, on SophosLabs’ Github page.
Microsoft took down the pages used by the attackers to host malicious files in these attacks on November 4, after being notified by Sophos.
TrickBot teams up with Shatak phishers for Conti ransomware attacks
AMD fixes dozens of Windows 10 graphics driver security bugs
Phishing emails deliver spooky zombie-themed MirCop ransomware
Windows 10 21H1 now in broad deployment, available to everyone
Microsoft: Windows KB5006674, KB5006670 updates break printing
Not a member yet? Register Now
HPE says hackers breached Aruba Central using stolen access key
Microsoft: New security updates trigger Windows Server auth issues
To receive periodic updates and news from BleepingComputer, please use the form below.
Terms of Use Privacy PolicyEthics Statement
Copyright @ 2003 – 2021 Bleeping Computer® LLC – All Rights Reserved
Not a member yet? Register Now
Read our posting guidelinese to learn what content is prohibited.

source

You May Also Like

Malicious Android app steals Malaysian bank credentials, MFA codes

Former Ubiquiti dev charged for trying to extort his employerNew malware hides…

Microsoft: Windows 11 built-in apps might not open on some systems

CISA orders federal agencies to fix hundreds of exploited security flawsUS sanctions…

State-sponsored hackers abuse Slack API to steal airline data

Microsoft December 2021 Patch Tuesday fixes 6 zero-days, 67 flawsNew ransomware now…

The Week in Ransomware – December 17th 2021 – Enter Log4j

TellYouThePass ransomware revived in Linux, Windows Log4j attacksCredit card info of 1.8…