Hey everyone. @threatresearch here with a little news about how my day's been going.

Seems a lot of people are dealing with an outbreak of #BazarBackdoor that starts with an email that sounds like it's coming from someone who is annoyed you didn't report a complaint about you.
We received a LOT of samples of the same-looking email from people who, correctly, recognized this as a phishy-looking spam. The "complaint" was purportedly linked in the email to a PDF.

Narrator: It wasn't a PDF
Rather, the link leads to one of several pages hosted in Microsoft's cloud hosting space. The pages all looked like this one, with a link to download the "Preview PDF," but if you look closer at the link, you'll see it's an "ms-appinstaller:" link. That's new!
Here's what I hadn't seen before: If you click the link, instead of downloading a more conventional .exe payload, the site delivers a Windows 10 AppXBundle file. This is the native format from the Windows App Store. Apparently, you can also get them by invoking the installer.
In a test system, I (of course) clicked the Install button.

Please don't do this, yourself.

The browser downloads and immediately invokes AppInstaller on the Windows 10 system, which presents you with a very official-looking installer screen. It even has an Adobe logo (it's fake).
If, for any reason, you happen to click "Install," the AppInstaller component will run and, well, it's game over.

Really, please, don't do this, not unless you're intentionally getting an app directly from the Windows Store.
Here's what's happening behind the scenes:

First, the AppInstaller.exe component runs the contents of the .appxbundle file, which (to be fair) looks pretty innocuous at this stage.
AppInstaller then takes its cues from the contents of the .appxbundle file, which in this case instructs the system to drop a DLL into the %temp% directory and then register it using Regsvr32.exe. This really starts the ball rolling.

(Username's blocked to protect the victim)
Here's where it starts to get weird.

That initial invocation of regsvr32 triggers the Windows command shell to run the same command, again, but this time it uses timeout.exe to pass the command to regsvr32, and it adds two alphabet-salad function names to the end of the command.
And then it gets weirder.

The second iteration invokes regsvr32 a THIRD time, this time by passing the command through choice.exe. It also appends "& exit" to the end of the command line.

Oh, it's just getting warmed up.
So you can see there's a whole chain of child processes, spawned by the previous child process, which runs for a bit then terminates itself.

By the end of all of this, it has injected itself into the memory space of the Edge browser (msedge.exe).
Once it's running hooked inside of an instance of Edge, it begins profiling the system by running a bunch of PowerShell commands. Remember, all this is happening behind the scenes.

Unless you were looking at your task manager you wouldn't notice it, probably even then.
The loader also invoked this pretty long PowerShell command to check one or more of the listed web addresses (at random) and use them to determine your public-facing IP address. This is too long for Process Explorer to show, so I pasted the command here so you can see it all.
Here, it invoked PowerShell three more times to query the disk sizes of the hard drives, the motherboard manufacturer, and the physical RAM installed on the system. All were spawned as child processes of Edge, so I'm thinking it's pretty firmly wedged in there.
The malware's c2 addresses all used the URI path /segment/billion in the sample I ran. Other folks in the industry shared that samples also used the URI paths /recite/drink, /mission/revolt, /discreet/marble, or /note/actual.
Some of the #BazarBackdoor c2 domains seen today:

There are probably more. These have been added to the SophosXL reputation service so they're blocked by endpoint and firewall.
Both the downloader and the backdoor components will be detected as Mem/Bazarld-c in our Intercept X endpoint product.

You know what also works, even if you don't have a Sophos product?

Don't click links that look like this.
/end
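As an added detection sketch (not Sophos code or the thread author's), the script below runs three rules derived from the process chain described above over constructed process-creation events: regsvr32 spawned by AppInstaller.exe on a DLL under %temp%, regsvr32 relaunched under timeout.exe or choice.exe with a trailing "& exit", and PowerShell appearing as a child of msedge.exe. The event field names, file paths and the benign control events are assumptions, not telemetry from the incident.

```python
import re

# Constructed sample process-creation events mirroring the thread's chain; not real telemetry.
EVENTS = [
    {"parent": "AppInstaller.exe", "image": "regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Users\x\AppData\Local\Temp\adobepreview.dll"},
    {"parent": "timeout.exe", "image": "regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Users\x\AppData\Local\Temp\adobepreview.dll QwErTzUiOp,AsDfGhJkL"},
    {"parent": "choice.exe", "image": "regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Users\x\AppData\Local\Temp\adobepreview.dll QwErTzUiOp,AsDfGhJkL & exit"},
    {"parent": "msedge.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe Get-WmiObject Win32_BaseBoard"},
    {"parent": "explorer.exe", "image": "regsvr32.exe",  # benign control: vendor installer registering a COM server
     "cmdline": r"regsvr32.exe /s C:\Program Files\Vendor\comserver.dll"},
    {"parent": "explorer.exe", "image": "powershell.exe",  # benign control: user-launched shell
     "cmdline": "powershell.exe"},
]

# A DLL path under any ...\Temp\ directory (the %temp% drop described in the thread).
TEMP_DLL = re.compile(r"\\Temp\\[^\\\s\"]+\.dll", re.IGNORECASE)
# Console utilities the thread saw used to relaunch regsvr32 (assumed to appear as the parent).
PROXY_PARENTS = {"timeout.exe", "choice.exe"}


def classify(ev):
    """Return the names of the thread-derived rules one event matches (empty list if none)."""
    parent, image, cmd = ev["parent"].lower(), ev["image"].lower(), ev["cmdline"]
    hits = []
    if image == "regsvr32.exe":
        if parent == "appinstaller.exe" and TEMP_DLL.search(cmd):
            hits.append("appinstaller_regsvr32_temp_dll")
        if parent in PROXY_PARENTS:
            hits.append("regsvr32_via_" + parent.split(".")[0])
        if cmd.rstrip().lower().endswith("& exit"):
            hits.append("regsvr32_trailing_exit")
    if image == "powershell.exe" and parent == "msedge.exe":
        hits.append("powershell_child_of_edge")
    return hits


def scan(events):
    """Map event index -> matched rule names, for every event that fires at least one rule."""
    return {i: h for i, ev in enumerate(events) if (h := classify(ev))}


if __name__ == "__main__":
    for i, rules in scan(EVENTS).items():
        print(f"event {i}: {EVENTS[i]['image']} <- {EVENTS[i]['parent']}: {', '.join(rules)}")
```

The two benign control events produce no hits, so the rules key on the unusual parent/child pairing and the %temp% DLL rather than on regsvr32 or PowerShell alone.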
