A Microsoft Windows 10 app feature is being abused in a new phishing campaign spreading the BazarBackdoor malware.
On Thursday, researchers from Sophos Labs said the attack was noticed after the cybersecurity firm's own employees were targeted with spam emails. Rather than run-of-the-mill spam, these emails showed at least a basic level of social engineering.
One of the emails, sent by a “Sophos Main Manager Assistant,” the non-existent “Adam Williams,” demanded to know why a researcher hadn’t responded to a customer’s complaint. To make resolution easier, the email helpfully contained a .PDF link to the message.
However, the link was a trap and revealed a “novel” technique used to deploy the BazarBackdoor malware.
Sophos says it is, at the least, "unfamiliar" with this method, in which the Windows 10 App Installer is abused to deliver malicious payloads. Note that this is abuse of legitimate functionality, not exploitation of a software vulnerability: the installer is simply pointed at an attacker-controlled package.
This is how it works: the phishing lure directs potential victims to a website that uses Adobe branding and asks them to click a button to preview a .PDF file. Hovering over the button, however, reveals that the link does not point at a PDF at all: it begins with the ms-appinstaller: URL scheme, which hands the link to the Windows 10 App Installer rather than to a normal browser download.
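The tell described above, a link that presents itself as a PDF preview but carries the ms-appinstaller: scheme, is easy to check for mechanically. The following is an added example, not code from Sophos or from the article: it parses a constructed lure page (modelled on the description, not the real page) and flags every anchor whose href uses the ms-appinstaller: scheme, pulling out the package URL passed in the `source` query parameter and whether the visible link text claims to be a PDF. The hostname `lure.example` and the package path are assumptions chosen for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed sample lure page (not the real page Sophos saw): an Adobe-branded
# "Preview PDF" button whose href invokes the App Installer protocol handler,
# plus two ordinary links that should not be flagged.
SAMPLE_HTML = """
<html><body>
<h1>Adobe Document Cloud</h1>
<a class="btn" href="ms-appinstaller:?source=https://lure.example/Adobe/Adobe.appinstaller">Preview PDF</a>
<a href="https://www.adobe.com/">Adobe</a>
<a href="https://lure.example/complaint.pdf">Download complaint.pdf</a>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in a page."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def appinstaller_source(href):
    """Return the package URL an ms-appinstaller: link hands to App Installer, or None.

    The documented form is ms-appinstaller:?source=<URL of .appinstaller/.msix>.
    The scheme comparison is case-insensitive so MS-AppInstaller: is caught too.
    """
    parts = urlsplit(href.strip())
    if parts.scheme.lower() != "ms-appinstaller":
        return None
    return parse_qs(parts.query).get("source", [None])[0]


def find_appinstaller_lures(html):
    """Flag anchors that invoke the App Installer, with the details an analyst wants."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        source = appinstaller_source(href)
        if source is None:
            continue
        findings.append({
            "text": text,
            "href": href,
            "source": source,
            "host": urlsplit(source).hostname if source else None,
            # Link text promising a PDF while the scheme launches an installer
            # is exactly the mismatch described in the campaign.
            "claims_pdf": "pdf" in text.lower(),
        })
    return findings


if __name__ == "__main__":
    for finding in find_appinstaller_lures(SAMPLE_HTML):
        print(finding)
```

The same check can be run over the HTML body of a suspicious email or a proxy's saved copy of a landing page; the `host` field is the domain that would serve the package, which is the indicator worth blocking at the proxy or DNS layer.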
“In the course of running through an actual infection I