Hey everyone. @threatresearch here with a little news about how my day's been going.
Seems a lot of people are dealing with an outbreak of #BazarBackdoor that starts with an email that sounds like it's coming from someone who is annoyed you didn't report a complaint about you.
We received a LOT of samples of the same-looking email from people who, correctly, recognized this as a phishy-looking spam. The "complaint" was purportedly linked in the email to a PDF.
Narrator: It wasn't a PDF
Rather, the link leads to one of several pages hosted in Microsoft's cloud hosting space. The pages all looked like this one, with a link to download the "Preview PDF" but if you look closer at the link, you'll see it's an "ms-appinstaller:" link. That's new!
Here's what I hadn't seen before: If you click the link, instead of downloading a more conventional .exe payload, the site delivers a Windows 10 AppXBundle file. This is the native format from the Windows App Store. Apparently, you can also get them by invoking the installer.
In a test system, I (of course) clicked the Install button.
Please don't do this, yourself.
The browser downloads and immediately invokes AppInstaller on the Windows 10 system, which presents you with a very official-looking installer screen. It even has an Adobe logo-it's fake
If, for any reason, you happen to click "Install," the AppInstaller component will run and, well, it's game over.
Really, please, don't do this, not unless you're intentionally getting an app directly from the Windows Store.
Here's what's happening behind the scenes:
First, the AppInstaller.exe component runs the contents of the .appxbundle file, which (to be fair) looks pretty innocuous at this stage.
AppInstaller then takes its cues from the contents of the .appxbundle file, which in this case instructs the system to drop a DLL into the %temp% directory and then register it using Regsvr32.exe. This really starts the ball rolling.
(Username's blocked to protect the victim)
Here's where it starts to get weird.
That initial invocation of regsvr32 triggers the Windows command shell to run the same command, again, but this time it uses timeout.exe to pass the command to regsvr32, and it adds two alphabet-salad function names to the end of the commands
And then it gets weirder.
The second iteration invokes regsvr32 a THIRD time, this time by passing the command through choice.exe. It also appends "& exit" to the end of the command line.
Oh, it's just getting warmed up.
So you can see there's a whole chain of child processes, spawned by the previous child process, which runs for a bit then terminates itself.
By the end of all of this, it has injected itself into the memory space of the Edge browser (msedge.exe)
Once it's running hooked inside of an instance of Edge, it begins profiling the system by running a bunch of PowerShell commands. Remember, all this is happening behind the scenes.
Unless you were looking at your task manager you wouldn't notice it, probably even then.
The loader also invoked this pretty long PowerShell command to check one or more of the listed web addresses (at random) and use them to determine your public-facing IP address. This is too long for Process Explorer to show, so I pasted the command here so you can see it all.
Here, it invoked PowerShell three more times to query the disk sizes of the hard drives, the motherboard manufacturer, and the physical RAM installed on the system. All were spawned as child processes of Edge, so I'm thinking it's pretty firmly wedged in there.
The malware's c2 addresses all used the URI path /segment/billion in the sample I ran. Other folks in the industry shared that samples also used the URI paths of /recite/drink or /mission/revolt or /discreet/marble or /note/actual
Some of the #BazarBackdoor c2 domains seen today:
kortynab[.]com
holygomar[.]com
hastrama[.]com
dfgerta[.]com
karatyvac[.]com
holygomar[.]com
There are probably more. These have been added to the SophosXL reputation service so they're blocked by endpoint and firewall.
Both the downloader and the backdoor components will be detected as Mem/Bazarld-c in our Intercept X endpoint product.
You know what also works, even if you don't have a Sophos product?
Don't click links that look like this.
/end
• • •
Missing some Tweet in this thread? You can try to
force a refresh
Every year, Sophos X-Ops releases its annual threat report. This year, however, we took a slightly different approach. Rather than looking at the landscape as a whole, we zoned in on the biggest cybercrime threats to SMBs.
A look at SophosLabs telemetry showed that the number one challenge for SMBs is data protection—which isn’t too surprising. Data and credential theft have become increasingly common, with attackers using the data for ransomware or unauthorized remote access.
Nearly 50% of all malware detections for SMBs were keyloggers/spyware/stealers. We also found multiple advertisements on the dark web from IABs specifically targeting SMBs or selling access to SMB networks.
Threat actors often use Bring Your Own Vulnerable Driver (BYOVD) attacks – where they abuse vulnerable drivers to gain privileges on a compromised machine – to terminate EDR solutions.
Lots of drivers exist that can be abused in this way, and several threat actor groups (we've previously reported on Robbinhood, BlackByte, and other ransomware actors) routinely use this technique.
One BYOVD tool that got some attention in 2023 was Terminator. A threat actor was selling this tool to other criminals on underground forums. Researchers found that Terminator used a legitimate signed driver (called Zemana Anti Malware, or ZAM).
We’ve seen three more incidents of attackers attempting to move deeper into customer networks after exploiting a vulnerability in ConnectWise' ScreenConnect server. Two appeared to be from the same threat actor. /1
In one, the attacker attempted to execute some commands for reconnaissance on the ScreenConnect server, using PowerShell to try to run getlocaluser (to obtain a list of local user accounts on the server) and ipconfig (to get the local network interface information). /2
The actor behind the other incidents was much more persistent. In the second incident, they first attempted to disable Sophos endpoint protection. Then they attempted to install a Cloudflare Tunnel client to be used as a backdoor, downloading it from Cloudflare’s GitHub page. /3
While the world digests what, precisely, the LockBit takedown this week entails and how much it’s likely to kneecap the ransomware gang, we’d just like to point out how prevalent the family is – literally, what Conti was to 2021, LockBit was to 2023. 1/11
Here’s a graphic from our upcoming Active Adversary Report , showing precisely how, as seen by the Sophos X-Ops Incident Response team, Conti in 2021 and LockBit in 2023 represented literally double the volume of infections of the nearest “competitors .” 2/11
Back then, Conti was so widespread that even with its shutdown in early 2022, it *still* accounted for nearly 5% of the ransomware cases the IR team tackled. 3/11
A few weeks ago, we saw a challenge posted online where a technical user was looking for the most elaborate, complex Regular Expression (eg., regex) that someone uses on a regular basis for a practical reason.
We asked around our team of researchers, and we found what might be the largest, most complex regex anyone has ever seen: 272,816 UTF-8 characters in length, created for our Data Loss Prevention product.
The regex is designed to detect postal addresses in files or messages transmitted over the internet, and the reason it is so long is that it can detect a large variety of international post address formats, using local languages and character sets.
Last year, Sophos X-Ops uncovered a growing number of "liquidity mining" scams—a type of cryptofraud that takes advantage of mobile crypto wallets and decentralized finance (DeFI) apps. While we saw dozens of these last year, we're now seeing 100s of more sophisticated scams. /1
While the scams we first encountered were fairly simple in their attempts to convince targets to join their fraudulent “mining pools”, we have seen liquidity mining scams adopt Sha Zhu Pan (pig butchering) tactics to siphon funds from their victims. /2
Real liquidity pools involve creating a pool of different types of cryptocurrencies for trades, and participants receive a percentage of every fee paid for a trade. Fake pools pretend to operate in the same way—until the scammers pull all the funds from the victims’ wallets./3