BazarBackdoor now abuses Windows 10 app feature in 'call me back' attack

[LASER_oneXM]

Content source

https://www.zdnet.com/article/bazarloader-now-abuses-windows-10-app-feature-in-call-me-back-attack/

AppInstaller.exe has been twisted in a new form of phishing attack.

A Microsoft Windows 10 app feature is being abused in a new phishing campaign spreading the BazarBackdoor malware.

On Thursday, researchers from Sophos Labs said the attack was noticed after the cybersecurity firm's own employees were targeted with spam emails -- but rather than being run-of-the-mill, these emails were written with at least a basic level of social engineering.

One of the emails, sent by a "Sophos Main Manager Assistant," the non-existent "Adam Williams," demanded to know why a researcher hadn't responded to a customer's complaint. To make resolution easier, the email helpfully contained a .PDF link to the message.

However, the link was a trap and revealed a "novel" technique used to deploy the BazarBackdoor malware.

Sophos says that the company is, at the least, "unfamiliar" with this method, in which the Windows 10 App installer process is exploited to deliver malicious payloads.

 

[Andy Ful]

So far, it is a rare attack vector. But, this can change in the future. If one does not need to install MS Store Apps via the web browser then there is a simple tweak to disassociate URL:ms-appinstaller protocol via the reg tweak:

[HKEY_CLASSES_ROOT\ms-appinstaller]
@="URL:ms-appinstaller"
"!!!URL Protocol"=""

I simply renamed the original "URL Protocol" to "!!!URL Protocol".
This tweak does not impact installing Apps via MS Store.
The full functionality can be reverted by deleting the !!! before URL Protocol. This will restore the default registry data:

[HKEY_CLASSES_ROOT\ms-appinstaller]
@="URL:ms-appinstaller"
"URL Protocol"=""

The tweak can be tested by using a simple HTML file:

<html>
<body>
<H1> Install a package From Web</H1>
<BR>
Installing a package from Web is as simple as clicking the link below
<BR>
<BR>
<a href="ms-appinstaller:?source=https://"> Install a Package </a>
</body>
</html>

Normally it contains the link to the App installer (.appx, .msix, etc.). I used a fake and incomplete link "https://" to avoid unnecessary installation.


Edit
Please be very careful with Registry editing and always use the Export feature to save the original keys.

 

[wat0114]

From the link to the article, I see two opportunities for a reasonably educated end user on Internet and email security to avoid and prevent the execution of the malicious payload:

However, if you hovered over the link, the prefix "ms-appinstaller" is displayed.

The hovering of the mouse pointer can reveal suspicious looking links. This could be one of, if not the first, of red flags to the targeted user.

Victims are then asked to allow the installation of "Adobe PDF Component,"

This should be another, maybe more obvious, red flag.

 

[Andy Ful]

The problem is similar to macros in MS Office. If the user is a happy clicker or the attacker can convince the user that everything is OK, then the attack will be successful. For now, macros are very popular because the attacker does not have to use digitally signed files.

...
This should be another, maybe more obvious, red flag.

If the user can see that the file is trusted then the social engineering trick may work. Here is an example of legal trusted application:

In the attack from the article, there was no "Trusted App" note.

 

[wat0114]

If the user can see that the file is trusted then the social engineering trick may work. Here is an example of legal trusted application:

Interesting! Are trusted applications sometimes used in phishing campaigns?

There is a two part article with a detailed technical analysis on this backdoor here:

https://www.fortinet.com/blog/threat-research/new-bazar-trojan-variant-is-being-spread-in-recent-phishing-campaign-part-I

The malicious payload is a PE. I would think that the final line of defense, failing the victim's ability to spot suspicious message content, would be SRP rules in a utility like H_C for example

 

[Andy Ful]

Interesting! Are trusted applications sometimes used in phishing campaigns?

Yes (EXE, MSI files in highly targeted attacks), but I did not see UWP app installers.

 

[wat0114]

Yes (EXE, MSI files in highly targeted attacks), but I did not see UWP app installers.

Regardless, in my case at least, my suspicion would be aroused if I was required to "install" something - trusted or not - in order to view a message attachment or link. But you brought up a good point about happy clickers

 

[Andy Ful]

...
There is a two part article with a detailed technical analysis on this backdoor here:

https://www.fortinet.com/blog/threat-research/new-bazar-trojan-variant-is-being-spread-in-recent-phishing-campaign-part-I

The malicious payload is a PE. I would think that the final line of defense, failing the victim's ability to spot suspicious message content, would be SRP rules in a utility like H_C for example

SRP (H_C) would block opening this malware (EXE file with PDF icon).

 

[Gandalf_The_Grey]

SRP (H_C) would block opening this malware (EXE file with PDF icon).

And Simple Windows Hardening?

 

[Andy Ful]

And Simple Windows Hardening?

In such attacks, SWH relies on SmartScreen Application Reputation and AV protection. This is sufficient in the home environment. The targeted attacks (against Enterprises) would require additional protection layers, for example, the Defender ASR rules, Edge Application Guard, etc.

 

[Gandalf_The_Grey]

In such attacks, SWH relies on SmartScreen Application Reputation and AV protection. This is sufficient in the home environment. The targeted attacks (against Enterprises) would require additional protection layers, for example, the Defender ASR rules, Edge Application Guard, etc.

That's a no
H_C will not block opening this malware (EXE file with PDF icon) on basic recommended settings (+/- the same as SWH)?

 

[Andy Ful]

That's a no
H_C will not block opening this malware (EXE file with PDF icon) on basic recommended settings (+/- the same as SWH)?

H_C on Recommended Settings can block it. SWH can mitigate several Bazar variants which use shortcuts in the Windows Start menu Startup folder. Anyway, the attacks we talk about are not used against home users.

• Targeting the US and Europe: Bazar malware infections are specifically targeting professional services, healthcare, manufacturing, IT, logistics and travel companies across the US and Europe.

 

[NoVirusThanks]

On OSArmor v1.6.2 we added a new option "Block installation of Windows Apps via AppInstaller" that can be used to mitigate this attack:

Tested on Windows 10 and Windows 11 and works fine.

It can also be used to block installation of Windows Apps via *.appinstaller files:

May be useful to some users that want to restrict this Windows feature.

 

[Andy Ful]

So far, it is a rare attack vector. But, this can change in the future. If one does not need to install MS Store Apps via the web browser then there is a simple tweak to disassociate URL:ms-appinstaller protocol via the reg tweak:

[HKEY_CLASSES_ROOT\ms-appinstaller]
@="URL:ms-appinstaller"
"!!!URL Protocol"=""

On Windows 10 one can block the AppInstaller installations via the ExploitProtection feature by applying the "Disable Win32k system calls" mitigation to the executable Appinstaller.exe (choose " Add by program name").
The mitigation must be applied for the file name because the full path to the Appinstaller.exe changes after the update.
This method will also prevent another attack vector when the malicious file (App Package file: .appx, .appxbundle, .msix, .msixbundle) is an email attachment downloaded & opened by the user.
The installations/updates via Microsoft Store can run as usual.

 

[Andy Ful]

I found this note interesting:

Another threat actor group, responsible primarily for spreading a malware family called BazarLoader, has also taken a dramatically different approach to spreading its malware. The threat actors rely on massive volumes of spam email, but the spam doesn’t contain a file attachment or a malicious link. In fact, there may be nothing inherently malicious in their spam messages at all. Many of them appear to be invoices for large purchases, with no way to contact the putative retailer other than via a telephone number in the message. When the spam recipient calls the number, they end up speaking with someone who will perform a kind of psychological profiling on the caller, to determine whether they’re likely to be a real victim, or if they’re a security researcher or otherwise incredulous person. Over the course of making dozens of these calls, SophosLabs researchers found that the live humans who answer the telephones will eventually block the caller ID for numbers that call back multiple times. But if the caller is sufficiently convincing – which seems to require a combination of being moderately angry and acting like a bit of a neophyte with limited computer knowledge – then the operators who answer the calls walk the victims into a trap, guiding them to visit websites that deliver not a resolution, but rather a malicious, infectious file to open and run, often disguised as some sort of refund request. Threat actors like Gootloader and BazarLoader seem to be content with spreading their attacks widely and then taking a quality-filter approach to whatever makes it past the first stage of the attack. SophosLabs believes that this may represent a novel way for malware distributors to thwart malware researchers while giving themselves a greater degree of certainty that their malware is going to a subset of victims that may be more desirable than the general population. We expect to see a wider adoption of these techniques with some malware families going into 2022 and beyond.

https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2022-threat-report.pdf

Such attacks are a hybrid between strictly targeted attacks and widespread attacks. The initial part is widespread, but the second is targeted.

 

[Andy Ful]

Blocking .appx, .appxbundle, .msix, .msixbundle by adding these file types to the block list in H_C (or SRP manually via the registry) shall block:

1. ability to install UWP via browser sideloading
2. ability to execute UWP installer delivered via email attachment
3. ability to install UWP via a shortcut link (this is already covered with H_C lnk protection feature)

This can be done by blocking by SRP the directory:
c:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller*

The path with a wildcard is required because the path contains the version of AppInstaller and will be changed after the update.

4. ability to install (and update) UWP via the MS App Store

When SRP blocks AppInstaller by path, then installing/updating applications via Microsoft Store is not blocked. The same is true if one blocks the Appinstaller.exe via Exploit Protection.

The preferable method is to add Appinstaller.exe to Exploit Guard and apply "Disable Win32k system calls."

Yes, if one does not use SRP.

 

[Andy Ful]

...
Just FYI, desktop apps run using a URL scheme, run at a higher integrity than Microsoft Store installed apps.

Most desktop applications run by default with a Medium Integrity Level. The UWP apps can run with a Medium Integrity Lever or lower levels (like AppContainer).
In most cases, both desktop and UWP applications that run with Medium Integrity Level can be forced to "run as administrator" (High Integrity Level).