{"id":3375,"date":"2021-11-15T15:55:13","date_gmt":"2021-11-15T15:55:13","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=3375"},"modified":"2026-06-08T23:11:23","modified_gmt":"2026-06-08T23:11:23","slug":"call-me-back-windows-10-malware","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/emerging-threats\/call-me-back-windows-10-malware\/","title":{"rendered":"&#8220;Call me back&#8221;: cybercriminals abuse Windows 10 for malware delivery"},"content":{"rendered":"\n<p class=\"wp-block-image wp-block-paragraph\">Recently, a <strong>malspam<\/strong> campaign was identified that exploits a novel distribution mechanism for malware delivery: <strong>appxbundle<\/strong> file types (utilized by Windows 10 App Installer &#8211; <a href=\"https:\/\/news.sophos.com\/en-us\/2021\/11\/11\/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism\/\">report<\/a>).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Attack Description<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">In the malware campaigns covered in the report, the email subject line contains the recipient&#8217;s name followed by &#8220;Call me back&#8221;. 
The email body presents a message similar to the following:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img decoding=\"async\" width=\"747\" height=\"280\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/11\/image-21.png\" alt=\"\" class=\"wp-image-4046\" srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2021\/11\/image-21.png 747w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2021\/11\/image-21-300x112.png 300w\" sizes=\"(max-width: 747px) 100vw, 747px\" loading=\"lazy\" \/><\/figure><\/div>\n\n\n\n<p class=\"wp-block-paragraph\">The malicious email link directs to a web page named &#8220;AdobeView&#8221; containing a button for PDF file preview.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Upon clicking &#8220;Preview&#8221;, the <strong>AppInstaller.exe<\/strong> utility is invoked\u2014the tool the Windows Store uses to download and execute any content located at the end of the link:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The installer downloads and executes the file &#8220;<strong>Adobe_1.7.0.0_x64.appx<\/strong>&#8221;, which contains commands for installing the <strong>BazarLoader<\/strong> malware on the victim&#8217;s system. This attack chain leverages T1190 (Exploit Public-Facing Application) and T1505.003 (Web Shell) techniques to establish initial access and persistence. 
Our <a href=\"https:\/\/fortgale.com\/en\/cyber-threat-intelligence\/\">Cyber Threat Intelligence<\/a> operations tracked command-and-control communications originating from this sample.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><span>This BazarLoader sample communicates with command-and-control servers through the use of <\/span><strong>cookies<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Indicators of Compromise \u2013 IOC<\/h3>\n\n\n\n<ul class=\"wp-block-list\"><li>Adobe_1.7.0.0_x64.appx<ul><li>SHA-256 a5ce2bdd42fb0c9f51e218c879cc1d492a02cc096b3f0776482c98a63f6a3061<\/li><\/ul><\/li><li>appx file dropper URL<ul><li>adobeview.z13.web.core.windows.net\/report.html<\/li><\/ul><\/li><li>C2<ul><li>dfgerta.com\/segment\/billion<\/li><li>hastrama.com\/segment\/billion<\/li><\/ul><\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Cybercriminal abuse of Windows 10 features for callback-based malware delivery: phone-based social engineering, lure templates and detection considerations.<\/p>\n","protected":false},"author":1,"featured_media":4049,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[1583,3313,1585,3104,3315,3314],"class_list":["post-3375","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-emerging-threats","tag-bazarloader-it","tag-callback-phishing","tag-cookies-it","tag-social-engineering","tag-voice-phishing","tag-windows-10-abuse"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3375","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=33
75"}],"version-history":[{"count":2,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3375\/revisions"}],"predecessor-version":[{"id":9912,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3375\/revisions\/9912"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media\/4049"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=3375"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=3375"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=3375"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}