“Call me back”: cybercriminals abuse Windows 10 for malware delivery
Recently, a malspam campaign was identified that abuses a novel distribution mechanism for malware delivery: appxbundle files, the package format handled by the Windows 10 App Installer (report).
Attack Description
In the malware campaigns covered in the report, the email subject line contains the recipient’s name followed by “Call me back”. The email body presents a message similar to the following:

The link in the malicious email leads to a web page titled “AdobeView” that offers a “Preview” button for a supposed PDF file.
Clicking “Preview” invokes the AppInstaller.exe utility, the tool the Windows Store uses to download and run whatever package the link points to:
The installer downloads and executes the file “Adobe_1.7.0.0_x64.appx”, which contains the commands that install the Bazaloader malware on the victim’s system. This attack chain leverages T1190 (Exploit Public-Facing Application) and T1505.003 (Web Shell) techniques to establish initial access and persistence. Our Cyber Threat Intelligence operations tracked command-and-control communications originating from this sample.
This Bazaloader sample communicates with its command-and-control servers using cookies.
Indicators of Compromise – IOC
- Dropped file: Adobe_1.7.0.0_x64.appx
  - SHA-256: a5ce2bdd42fb0c9f51e218c879cc1d492a02cc096b3f0776482c98a63f6a3061
- appx file dropper URL
  - adobeview.z13.web.core.windows.net/report.html
- C2
  - dfgerta.com/segment/billion
  - hastrama.com/segment/billion
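As an added example (not part of the original report), the following Python helper turns the indicators above into a small triage check over proxy log lines: it flags the dropper page, the C2 callbacks, and, more generally, any app package fetched from the open web, and it extracts the download target from an ms-appinstaller: link. The log lines are constructed samples, the .appx download URL is assumed (the report only names the file), and the use of the ms-appinstaller: protocol handler by this campaign is an assumption.

```python
from urllib.parse import parse_qs, urlparse

# Indicators from the advisory's IoC list.
DROPPER_HOST = "adobeview.z13.web.core.windows.net"
DROPPER_PATH = "/report.html"
C2_HOSTS = {"dfgerta.com", "hastrama.com"}
C2_PATH = "/segment/billion"
# App Installer package types a browser should rarely fetch from the open web.
PACKAGE_SUFFIXES = (".appx", ".appxbundle", ".msix", ".msixbundle")

def appinstaller_source(link):
    """URL an ms-appinstaller: link hands to AppInstaller.exe, or None.
    The 'source' parameter is the Windows protocol handler's; that this
    campaign's page used it is an assumption (the raw link is not shown above)."""
    if not link.lower().startswith("ms-appinstaller:"):
        return None
    query = link.split("?", 1)[1] if "?" in link else ""
    return parse_qs(query).get("source", [None])[0]

def classify_url(url):
    """Label a requested URL: 'dropper-page', 'c2', 'package-download' or None."""
    parsed = urlparse(url)
    host, path = (parsed.hostname or "").lower(), parsed.path
    if host == DROPPER_HOST and path == DROPPER_PATH:
        return "dropper-page"
    if host in C2_HOSTS and path == C2_PATH:
        return "c2"
    if path.lower().endswith(PACKAGE_SUFFIXES):
        return "package-download"  # generic: any web-served app package
    return None

def triage(log_text):
    """Scan 'timestamp client method url' lines; return (client, label, url) hits."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line: skip it rather than abort the run
        label = classify_url(parts[3])
        if label:
            hits.append((parts[1], label, parts[3]))
    return hits

# Constructed sample proxy log (not real traffic); the .appx download URL is assumed.
SAMPLE_LOG = """\
2021-11-04T09:12:01Z 10.0.0.21 GET https://adobeview.z13.web.core.windows.net/report.html
2021-11-04T09:12:07Z 10.0.0.21 GET https://adobeview.z13.web.core.windows.net/Adobe_1.7.0.0_x64.appx
2021-11-04T09:13:40Z 10.0.0.21 GET https://dfgerta.com/segment/billion
2021-11-04T09:15:00Z 10.0.0.22 GET https://www.example.com/index.html
"""
```

The generic package-download rule will also match legitimate package fetches, so in production pair it with an allowlist of your organisation's trusted package hosts rather than alerting on it alone.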