Windows 10 App Installer Abused in BazarLoader Malware Attacks


TrickBot gang operators are now abusing the Windows 10 app installer to distribute their BazarLoader malware on target systems that fall victim to a highly targeted spam campaign.

BazarLoader (aka BazarBackdoor, BazaLoader, BEERBOT, KEGTAP and Team9Backdoor) is a Stealthy backdoor Trojan commonly used to compromise networks of high-value targets and sell access to compromised resources to other cybercriminals.

It has also been used to deliver additional payloads, such as Cobalt Strike beacons that help threat actors access their victims’ network and ultimately distribute malicious malware, including but not limited to Ryuk ransomware.

In the recent campaign identified by principal investigator of SophosLabs Andrew Brandt, attacker spam emails induce a sense of urgency by using threatening language and impersonating a business executive who asks for more information about a customer complaint about the email recipient.

BazarLoader phishing emails
BazarLoader Phishing Email (SophosLabs)

This complaint is allegedly available for review as a PDF from a site hosted on Microsoft’s cloud storage (at * domains).

To add to the ploy, those who are at the end of this spam campaign are doubly tricked into installing the BazarLoader backdoor using a adobeview subdomain which adds further credibility to the scheme.

“The attackers used two different web addresses to host this fake PDF download page during the day,” Brandt said.

“Both pages were hosted in Microsoft’s cloud storage, which perhaps lends a sense of (unearned) authenticity, and both the .appinstaller and .appbundle files were hosted in the storage root of each web page.”

BazarLoader App Installer_waning
Falling App Installer (SophosLabs)

However, instead of pointing to a PDF document, the “Preview PDF” button on the phishing target site opens a URL with a ms-appinstaller: prefix.

When the button is clicked, the browser will first show a warning asking the victim if they want to allow the site to open the App Installer. However, most people will likely ignore this when they see an adobeview. *.* domain in the address bar.

Clicking “Open” in the warning dialog will start Microsoft app installer – an app integrated since the release of Windows 10 version 1607 in August 2016 – to distribute the malware on the victim’s device in the form of a fake Adobe PDF component, provided as an AppX app bundle.

Once launched, the App Installer will begin downloading the attackers malicious .appinstaller file and a linked .appxbundle file containing the final payload named Security.exe nested within a Update correction subfolder.

BazarLoader fake Adobe PDF component
BazarLoader fake Adobe PDF component (SophosLabs)

The payload downloads and executes an additional DLL file that starts and spawns a child process which in turn spawns other child processes, eventually finishing the string by injecting the malicious code into a Chromium-based headless Edge browser process.

After being deployed to the infected device, BazarLoader will start collecting system information (e.g. hard drive, processor, motherboard, RAM, active hosts on the local network with public IP addresses).

This information is sent to the command and control server, disguised as cookies provided via HTTPS GET or POST headers.

“Malware that arrives in application installation bundles is not commonly seen in attacks. Unfortunately, now that the process has been demonstrated, it is likely to attract wider interest,” Brandt said.

“Security companies and software vendors need to have security mechanisms in place to detect and block it and prevent attackers from misusing digital certificates.”

You can find Indicators of Compromise (IoC) related to this BazarLoader campaign, including malware sample hashes, command and control servers, and source URLs, at SophosLabs Github page.

Microsoft removed the pages used by attackers to host malicious files in these attacks on November 4, after being notified by Sophos.


Please enter your comment!
Please enter your name here