
Emerging Threats

“Call me back”: cybercriminals abuse Windows 10 for malware delivery

· frtg · 2 min read

Recently, a malspam campaign was identified that uses a novel distribution mechanism for malware delivery: appxbundle files, the package format handled by the Windows 10 App Installer (see the linked report).

Attack Description

In the malware campaigns covered in the report, the email subject line contains the recipient’s name followed by “Call me back”. The email body presents a message similar to the following:

The link in the malicious email leads to a web page named “AdobeView” that offers a button to preview a PDF file.

Upon clicking “Preview”, the AppInstaller.exe utility is invoked. This is the tool the Windows Store uses to download and execute whatever content is located at the end of the link:

The installer downloads and executes the file “Adobe_1.7.0.0_x64.appx”, which contains the commands that install the Bazaloader malware on the victim’s system. This attack chain leverages T1190 (Exploit Public-Facing Application) and T1505.003 (Web Shell) techniques to establish initial access and persistence. Our Cyber Threat Intelligence operations tracked command-and-control communications originating from this sample.

This Bazaloader sample communicates with command-and-control servers through the use of cookies.

Indicators of Compromise – IOC

  • Adobe_1.7.0.0_x64.appx
    • SHA-256 a5ce2bdd42fb0c9f51e218c879cc1d492a02cc096b3f0776482c98a63f6a3061
  • appx file dropper URL
    • adobeview.z13.web.core.windows.net/report.html
  • C2
    • dfgerta.com/segment/billion
    • hastrama.com/segment/billion