Be careful, a powerful new virus is in circulation!

A malware family known as BazarBackdoor or BazarLoader is circulating at the moment: the group behind it has launched a new attack operation through a malicious spam campaign. The campaign spreads the malware through a new mechanism, the appxbundle package format and the ms-appinstaller protocol handled by the Windows 10 App Installer.

Malware attack on multiple networks

According to SophosLabs researchers, this appears not to be the only mechanism used in the campaign. On Thursday, November 4, 2021, several Sophos employees received emails about a supposed complaint lodged against them by a customer. The wording of the message was threatening.

The emails were written to look as if they came from a manager at the company, and the sender addressed each recipient by name and by the name of their company.

The malware installation method, explained

The recipient is prompted to click on a link contained in the message. For the Sophos employees, the link led to a website where the supposed complaint could be viewed.

Sophos researchers analysed the malware and the attackers' tactics in detail and published their conclusions on SophosLabs Uncut. The page that appears after clicking the link impersonates the Adobe brand and asks the user to click a button labelled “PDF preview”.

Unlike the other links on the page, this button's link does not start with the familiar « https:// » prefix. Instead, it starts with « ms-appinstaller », which makes the browser hand the link to a Windows tool called « AppInstaller.exe » so that it downloads and runs what the link points to. The link's target is a file named « Adobe.appinstaller », which in turn points to another URL hosting a larger file that contains the malware. If the user accepts the installation prompt, the malware is installed.
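The chain above (an `ms-appinstaller:?source=` link, a small `.appinstaller` file, a larger package fetched from somewhere else) can be triaged without executing anything, because a `.appinstaller` file is just an XML manifest whose `MainBundle` or `MainPackage` element carries the URI of the real package. The following Python script is an added example written for this article, not code from Sophos or from the original page: it pulls `ms-appinstaller` links out of a landing page, extracts the manifest URL from the `source` parameter, parses the manifest, and flags the two things a defender most wants to know, whether the package is pulled from a different host than the manifest and whether the declared publisher is on an allowlist. The landing-page snippet, manifest, host names and publisher are constructed for the example and are not indicators from the campaign.

```python
"""Offline triage of ms-appinstaller phishing lures (added example, not from the article)."""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from typing import Callable
from urllib.parse import parse_qs, unquote, urlparse

# Matches href="ms-appinstaller:?source=..." links, the prefix the article describes
# in place of the usual https:// on the "PDF preview" button.
MS_APPINSTALLER_RE = re.compile(r'href=["\'](ms-appinstaller:\?[^"\']+)["\']', re.I)

# Constructed landing page: one ordinary https:// link and one ms-appinstaller lure.
LANDING_PAGE = """
<html><body>
<p>Preview the complaint document</p>
<a href="https://www.example.com/help">Help</a>
<a href="ms-appinstaller:?source=https://lure.example/Adobe.appinstaller">PDF preview</a>
</body></html>
"""

# Constructed .appinstaller manifest modelled on the public AppInstaller XML schema.
# The manifest lives on lure.example but pulls the .appxbundle from another host.
MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<AppInstaller xmlns="http://schemas.microsoft.com/appx/appinstaller/2017/2"
    Uri="https://lure.example/Adobe.appinstaller" Version="1.0.0.0">
  <MainBundle Name="Adobe.PDFPreview" Publisher="CN=Example Publisher, O=Example, C=US"
      Version="1.0.0.0" Uri="https://cdn-other.example/Adobe_1.0.0.0_x64.appxbundle" />
</AppInstaller>
"""

# Stand-in for fetching the manifest over the network: URL -> manifest text.
CONSTRUCTED_MANIFESTS = {"https://lure.example/Adobe.appinstaller": MANIFEST}


def find_appinstaller_links(html: str) -> list[str]:
    """Return every ms-appinstaller: link found in href attributes."""
    return MS_APPINSTALLER_RE.findall(html)


def manifest_url_from_link(link: str) -> str:
    """Extract the .appinstaller URL from the link's 'source' query parameter."""
    query = link.split("?", 1)[1]
    params = parse_qs(query)
    return unquote(params["source"][0])


def parse_appinstaller(xml_text: str) -> dict[str, str | None]:
    """Pull the manifest URI and the main package's name, publisher and URI."""
    root = ET.fromstring(xml_text)
    ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""

    def q(tag: str) -> str:  # qualify a tag with the manifest's namespace
        return f"{{{ns}}}{tag}" if ns else tag

    main = root.find(q("MainBundle"))
    if main is None:
        main = root.find(q("MainPackage"))
    if main is None:
        raise ValueError("manifest has no MainBundle/MainPackage element")
    return {
        "manifest_uri": root.get("Uri"),
        "name": main.get("Name"),
        "publisher": main.get("Publisher"),
        "package_uri": main.get("Uri"),
    }


def triage(html: str, fetch_manifest: Callable[[str], str | None],
           trusted_publishers: frozenset[str] = frozenset()) -> list[str]:
    """Return human-readable findings for every ms-appinstaller lure on the page."""
    findings: list[str] = []
    links = find_appinstaller_links(html)
    if not links:
        return findings
    findings.append(f"{len(links)} ms-appinstaller link(s) on page")
    for link in links:
        manifest_url = manifest_url_from_link(link)
        manifest_xml = fetch_manifest(manifest_url)
        if manifest_xml is None:
            findings.append(f"manifest not retrievable: {manifest_url}")
            continue
        info = parse_appinstaller(manifest_xml)
        manifest_host = urlparse(manifest_url).hostname
        package_host = urlparse(info["package_uri"] or "").hostname
        if package_host != manifest_host:
            findings.append(
                f"manifest on {manifest_host} pulls package from {package_host}")
        if info["publisher"] not in trusted_publishers:
            findings.append(f"untrusted publisher: {info['publisher']}")
    return findings


if __name__ == "__main__":
    for finding in triage(LANDING_PAGE, CONSTRUCTED_MANIFESTS.get):
        print(finding)
```

Pass a real fetcher (one that downloads the manifest over HTTPS) in place of `CONSTRUCTED_MANIFESTS.get` to run this against a suspected lure, and populate `trusted_publishers` with the publisher subjects your organisation actually signs packages with; a second-hop download host that differs from the manifest host is exactly the pattern the article describes, and is worth alerting on even when the publisher string looks plausible.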

A letter addressed directly to SophosLabs staff


Andrew Brandt, senior researcher at Sophos, explained that malware delivered inside application installation packages is rarely seen in computer break-ins.

As a precaution, SophosLabs has published indicators of compromise for this attack on its GitHub page. Microsoft, meanwhile, has taken down the pages hosting the malicious files.


Source: Fredzone
