
At The Identity Organisation, we're here to help!


    Ingenious New Attack Technique Uses Windows Store to Install Malware


    Just when you thought threat actors couldn’t find another way to launch a dropper, a new method has surfaced that takes advantage of native functionality found in Windows 10.

    If you’ve been following phishing attacks at all over the last few years, you’re very aware of threat actors using methods like Office app macros to launch a malware dropper or installer, or leveraging a PDF to run a script, etc.

    But security researchers at Sophos have identified a new technique that invokes the built-in Windows 10 App Installer as the first stage of a malware infection.

    According to Sophos, the email targeted Sophos employees and purported to come from another Sophos employee. It contained a link to a “PDF”, asked “Why didn’t you inform us about the Customer Complaint on you?” and requested that the recipient call back immediately. Because no phone number was given, the logical next step for the recipient is to click the link and read the complaint.

    The link takes victims to a site hosted on windows.net with a “Preview PDF” button, and when that is clicked the really tricky part starts. As pointed out in the image below, the preview button carries a link that begins with ms-appinstaller: rather than https:. That URI scheme is registered to App Installer (AppInstaller.exe), the Microsoft Store-delivered component that installs .appx/.msix packages, and the link’s source parameter tells it which package to download and run. Hovering over the button (or inspecting the page source) is enough to reveal the scheme before anything is clicked.
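The check a mail gateway or web proxy can run for this is to look at where a link actually points rather than at its button text. The following Python script, added here as an example and not code from Sophos or the original article, parses HTML, pulls every link-bearing attribute, flags any ms-appinstaller: URI and extracts the package URL it would hand to App Installer. The sample HTML and the host names in it are constructed for illustration.

```python
"""Find ms-appinstaller: links in an HTML e-mail body or landing page.

Added example (not the article's or Sophos' code). SAMPLE_HTML and the
host names in it are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# App Installer takes the package URL from the 'source' query parameter:
#   ms-appinstaller:?source=https://host/path/package.msixbundle
PACKAGE_EXTS = (".appx", ".appxbundle", ".msix", ".msixbundle", ".appinstaller")
SCHEME = "ms-appinstaller:"

# Constructed sample: a "Preview PDF" button that really launches App
# Installer, a percent-encoded variant in a different case, and one
# genuine https link for contrast.
SAMPLE_HTML = """
<html><body>
<p>Customer Complaint - please review.</p>
<a href="ms-appinstaller:?source=https://example-docs.web.core.windows.net/preview/Adobe_PDF_Component.appxbundle">
  Preview PDF</a>
<a HREF="MS-APPINSTALLER:?source=https%3A%2F%2Fcdn.example.net%2Fupdate.msix">Update viewer</a>
<a href="https://example.com/complaint.pdf">Download as PDF</a>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collects every attribute value that can carry a navigable URI."""

    LINK_ATTRS = ("href", "src", "data", "action")

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases attribute names and decodes &amp; for us.
        for name, value in attrs:
            if name in self.LINK_ATTRS and value:
                self.urls.append(value.strip())


def extract_urls(html):
    """Return all link-bearing attribute values in document order."""
    collector = _LinkCollector()
    collector.feed(html)
    return collector.urls


def analyse_appinstaller_uri(uri):
    """Return a finding dict for an ms-appinstaller: URI, else None."""
    if not uri.lower().startswith(SCHEME):
        return None
    query = uri.split("?", 1)[1] if "?" in uri else ""
    # parse_qs percent-decodes, so an encoded source URL is recovered too.
    source = parse_qs(query).get("source", [""])[0]
    parts = urlsplit(source)
    path = parts.path.lower()
    return {
        "uri": uri,
        "source": source,
        "host": parts.hostname or "",
        "package_ext": next((e for e in PACKAGE_EXTS if path.endswith(e)), None),
    }


def find_appinstaller_links(html):
    """All ms-appinstaller: links in the HTML, with the package each would fetch."""
    findings = []
    for uri in extract_urls(html):
        finding = analyse_appinstaller_uri(uri)
        if finding is not None:
            findings.append(finding)
    return findings


def describe(finding):
    """One-line verdict suitable for a gateway log or quarantine reason."""
    what = finding["package_ext"] or "a package of unknown type"
    return f"ms-appinstaller link would install {what} from {finding['host'] or '<no host>'}"


if __name__ == "__main__":
    for f in find_appinstaller_links(SAMPLE_HTML):
        print(describe(f))
```

Any ms-appinstaller: link arriving by e-mail is worth quarantining outright; the script records the package host and extension so an analyst can see at a glance that a “Preview PDF” button would in fact fetch an .appxbundle from a cloud storage host.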

    [Image: the “Preview PDF” object with its ms-appinstaller: link. Source: Sophos Labs]

    Simply brilliant.

    The package is made to look like an Adobe PDF “component”, in the hope that users will see it as benign (and perhaps assume that downloading the complaint “PDF” simply triggered an update). What is actually installed is the BazarBackdoor malware.

    This is an ingenious way to trick users into installing malware: the lure looks like an ordinary PDF preview, the installer looks like a vendor component, and the download runs through a trusted Windows feature rather than a macro or script that security tooling already watches for. The cybercriminals are stepping up their game, which means you need to as well. Security Awareness Training teaches users not to engage with such emails in the first place; anything unexpected should be treated as potentially hostile. On managed estates it is also worth noting that the ms-appinstaller: protocol can be switched off by policy (the EnableMSAppInstallerProtocol value under HKLM\SOFTWARE\Policies\Microsoft\Windows\AppInstaller), which removes this particular delivery path entirely.


    Request A Demo: Security Awareness Training


    New-school Security Awareness Training is critical to enabling you and your IT staff to connect with users and help them make the right security decisions all of the time. This isn’t a one-and-done deal: continuous training and simulated phishing are both needed to mobilize users as your last line of defense. Request your one-on-one demo of KnowBe4’s security awareness training and simulated phishing platform and see how easy it can be!
