
BazarBackdoor Abused Windows 10 Application Feature in 'Call me back' Attack

A new phishing campaign spreading the BazarBackdoor malware abuses a Windows 10 application-installation feature to deliver its payload.

On Thursday, Sophos Labs researchers reported that the attack was spotted when spam emails were sent to the cybersecurity firm's own employees. These were not ordinary spam: they were written with at least a minimal amount of social engineering.

One of the emails, from the non-existent "Adam Williams," a "Sophos Main Manager Assistant," asked why a researcher had not addressed a customer's complaint, and helpfully included a link to a PDF of the complaint. The link, however, was a lure that demonstrated a "new" approach to spreading BazarBackdoor.

Sophos researcher Andrew Brandt explained, "In the course of running through an actual infection I realized that this construction of a URL triggers the browser [in my case, Microsoft's Edge browser on Windows 10], to invoke a tool used by the Windows Store application, called AppInstaller.exe, to download and run whatever's on the other end of that link." 

Sophos said it was "unfamiliar" with this technique, which abuses the Windows 10 app-installation process to deliver malicious payloads. The phishing lure sends prospective victims to a website that mimics the Adobe brand and invites them to click a button to preview a PDF. Hovering over the button reveals a link that begins with the prefix "ms-appinstaller:" rather than an ordinary web address.

That link points to a small text (XML) file called Adobe.appinstaller, which in turn points to a larger file, Adobe_.7.0.0_x64appbundle, hosted at a different URL. Windows then shows an installation prompt with a warning, together with a notice that the software has been digitally signed with a certificate issued several months earlier. (Sophos has notified the certificate authority of the misuse.)

The victim is then urged to approve installation of "Adobe PDF Component"; if they do, BazarBackdoor is installed and launched within seconds. BazarBackdoor resembles BazarLoader in that it communicates over HTTPS, but it is distinguished by the volume of noisy traffic it generates. It can exfiltrate system information and has been linked to TrickBot and to the likely follow-on deployment of Ryuk ransomware.

Brandt stated, "Malware that comes in application installer bundles is not commonly seen in attacks. Unfortunately, now that the process has been demonstrated, it's likely to attract wider interest. Security companies and software vendors need to have the protection mechanisms in place to detect and block it and prevent the attackers from abusing digital certificates."
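As an added example (not code from Sophos or from the campaign described above), the following Python helper follows the chain Brandt describes: an ms-appinstaller: link hands its source= URL to AppInstaller.exe, that URL returns an .appinstaller XML manifest, and the manifest's MainBundle or MainPackage entry names the package that is actually installed. The link, the manifest, the hostnames (lure.example, cdn.example) and the package name are constructed placeholders; the element names and schema namespace are those of the real .appinstaller format.

```python
"""Triage helper for ms-appinstaller phishing links.

Added example, not code from Sophos or the campaign. The link and the
.appinstaller manifest below are constructed for illustration; the hostnames
(lure.example, cdn.example) and package names are placeholders.
"""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlparse


def appinstaller_source(link):
    """Return the manifest URL an ms-appinstaller: link hands to AppInstaller.exe,
    or None when the link is an ordinary URL (no hand-off happens)."""
    if not link.lower().startswith("ms-appinstaller:"):
        return None
    _, _, query = link.partition("?")
    sources = parse_qs(query).get("source", [])
    return sources[0] if sources else None


def manifest_targets(manifest_xml):
    """List the MainBundle/MainPackage entries an .appinstaller manifest points at.

    The manifest is XML; its root carries the schema namespace, so match
    element names with that namespace rather than hard-coding one version.
    """
    root = ET.fromstring(manifest_xml)
    ns = root.tag[1:].split("}", 1)[0] if root.tag.startswith("{") else ""
    targets = []
    for kind in ("MainBundle", "MainPackage"):
        tag = f"{{{ns}}}{kind}" if ns else kind
        for el in root.iter(tag):
            targets.append({
                "kind": kind,
                "name": el.get("Name"),
                "publisher": el.get("Publisher"),
                "version": el.get("Version"),
                "uri": el.get("Uri"),
            })
    return targets


def triage(link, manifest_xml):
    """Follow the link -> manifest -> package chain and report what a user who
    clicks 'preview PDF' would actually have installed."""
    findings = []
    source = appinstaller_source(link)
    if source is None:
        return {"is_appinstaller": False, "source": None, "targets": [], "findings": findings}
    findings.append(f"link invokes AppInstaller.exe with manifest {source}")
    source_host = urlparse(source).hostname
    targets = manifest_targets(manifest_xml)
    for t in targets:
        uri = t["uri"] or ""
        target_host = urlparse(uri).hostname
        if target_host != source_host:
            findings.append(f"{t['kind']} {t['name']} is hosted on {target_host}, "
                            f"not on the manifest host {source_host}")
        if not uri.lower().startswith("https://"):
            findings.append(f"{t['kind']} {t['name']} is fetched over a non-HTTPS URL")
        findings.append(f"package would be installed under publisher '{t['publisher']}' "
                        f"(compare with the vendor the lure claims to be)")
    return {"is_appinstaller": True, "source": source, "targets": targets, "findings": findings}


# Constructed sample: what hovering over the "preview PDF" button might reveal,
# and the manifest that URL would return. Not the campaign's actual artifacts.
SAMPLE_LINK = "ms-appinstaller:?source=https://lure.example/Adobe.appinstaller"
SAMPLE_MANIFEST = """\
<AppInstaller xmlns="http://schemas.microsoft.com/appx/appinstaller/2017/2"
              Version="1.0.0.0" Uri="https://lure.example/Adobe.appinstaller">
  <MainBundle Name="AdobePDFComponent" Publisher="CN=Example Signer"
              Version="1.0.0.0" Uri="https://cdn.example/AdobePDFComponent_1.0.0.0_x64.appbundle"/>
</AppInstaller>
"""

if __name__ == "__main__":
    for line in triage(SAMPLE_LINK, SAMPLE_MANIFEST)["findings"]:
        print(line)
```

Run stand-alone it prints the findings for the constructed sample; in practice you would feed it the hover text of the link and a manifest fetched in a sandbox. The package being hosted on a different host from the manifest, as in the campaign's "different URL" hosting, is the signal worth surfacing to analysts, together with the publisher string, which is what the user is really being asked to trust when the signed-certificate notice appears.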

SteelSeries Software Flaw Gives Windows 10 Admin Rights

A security researcher has found that the official SteelSeries device-installation software for Windows 10 can be abused to gain administrator privileges.

The vulnerability is triggered during device setup: the installer runs with SYSTEM privileges, and the License Agreement page it displays contains a link that opens with those same privileges. A genuine SteelSeries device is not required to exploit the problem.

Possible to Emulate a Device?

The finding follows last week's disclosure that the Razer Synapse software can be exploited to gain SYSTEM privileges when a Razer mouse or keyboard is plugged in.

Prompted by jonhat's research, security researcher Lawrence Amer (research team leader at 0xsp) found that the same can be achieved with the SteelSeries device-installation software.

Amer found that during device setup the installer, running as SYSTEM, shows a License Agreement page containing a link, and that clicking the link opens Internet Explorer with the same SYSTEM rights. From there it was simply a matter of using Internet Explorer's "Save As" dialog: the right-click menu of that file dialog can be used to launch an elevated Command Prompt, giving full administrative control of the Windows 10 computer.

From that prompt one can move around the PC with elevated privileges and do anything an administrator can. This applies to all SteelSeries peripherals, including mice, keyboards, and headsets.

István Tóth, a penetration-testing researcher, has published an open-source script that emulates USB human interface devices (HID) from an Android phone, specifically for testing local privilege escalation (LPE) scenarios such as this one.

Although still experimental, the script can emulate both Razer and SteelSeries devices. After Amer published his research, Tóth released a video demonstrating that the LPE Amer discovered can be achieved with an emulated device rather than genuine hardware.

Amer told BleepingComputer that he tried to notify SteelSeries about the vulnerability but could not find a public bug bounty program or a product-security contact.

Asked by BleepingComputer for comment, a SteelSeries representative said the company was aware of the problem and had removed the immediate risk of exploitation by disabling the automatic launch of the installer when a SteelSeries device is plugged in.

SteelSeries spokesperson stated, "We are aware of the issue identified and have proactively disabled the launch of the SteelSeries installer that is triggered when a new SteelSeries device is plugged in. This immediately removes the opportunity for an exploit and we are working on a software update that will address the issue permanently and be released soon." 

According to the researcher, the vulnerability can still be abused even after this mitigation: an attacker who saves a copy of the vulnerable signed installer executable that is dropped into the temporary folder when a SteelSeries device is plugged in can keep using that executable, for instance by serving it through a DNS poisoning attack.
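The chain described under the technique above (a SYSTEM-level installer shows a EULA, its link opens Internet Explorer as SYSTEM, and the Save As dialog yields a SYSTEM command prompt) and the closing note about the signed installer being dropped into a temporary folder both translate into process-tree detections. The following Python is an added example, not code from Amer, Tóth, SteelSeries or BleepingComputer; the process events, PIDs and the installer name DeviceSetup.exe are constructed placeholders, not real telemetry or the real installer's name.

```python
"""Detection logic for the installer-spawns-browser-spawns-shell LPE chain.

Added example (not SteelSeries, Amer or BleepingComputer code). The process
events below are constructed for illustration; image paths and names such as
DeviceSetup.exe are hypothetical placeholders, not the real installer's name.
"""
from collections import namedtuple

# One process-creation event: pid, parent pid, full image path, account.
Event = namedtuple("Event", "pid ppid image user")

SYSTEM_USER = "NT AUTHORITY\\SYSTEM"
BROWSERS = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Directories a SYSTEM-level installer has no business launching a browser from
# (the article notes the signed installer is dropped into a temporary folder).
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")


def image_name(path):
    """Lower-case basename of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestors(by_pid, pid):
    """Walk parent links from pid upward; stops on unknown pids or cycles."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def detect(events):
    """Return (rule, pid, related_pid) tuples for suspicious SYSTEM process chains."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        if e.user != SYSTEM_USER:
            continue  # all three rules concern SYSTEM-context processes
        name = image_name(e.image)
        parent = by_pid.get(e.ppid)
        # Rule 1: an interactive browser should never run as SYSTEM.
        if name in BROWSERS:
            alerts.append(("browser_as_system", e.pid, e.ppid))
            # Rule 2: a SYSTEM browser launched by an image in a temp directory
            # matches the "installer dropped in a temporary folder" path.
            if parent and any(m in parent.image.lower() for m in TEMP_MARKERS):
                alerts.append(("temp_installer_spawned_browser", e.pid, parent.pid))
        # Rule 3: a SYSTEM shell with a browser anywhere in its ancestry is the
        # Save-As-dialog escape (file dialog -> context menu -> cmd.exe).
        if name in SHELLS:
            for anc in ancestors(by_pid, e.ppid):
                if image_name(anc.image) in BROWSERS:
                    alerts.append(("shell_from_system_browser", e.pid, anc.pid))
                    break
    return alerts


# Constructed sample telemetry (not real logs). PIDs and paths are made up.
SAMPLE_EVENTS = [
    Event(100, 4, "C:\\Windows\\System32\\svchost.exe", SYSTEM_USER),
    Event(200, 100, "C:\\Windows\\Temp\\DeviceSetup.exe", SYSTEM_USER),  # hypothetical installer
    Event(300, 200, "C:\\Program Files\\Internet Explorer\\iexplore.exe", SYSTEM_USER),  # EULA link
    Event(400, 300, "C:\\Windows\\System32\\cmd.exe", SYSTEM_USER),  # from the Save As dialog
    Event(500, 1, "C:\\Windows\\explorer.exe", "DESKTOP\\alice"),  # benign user session
    Event(600, 500, "C:\\Windows\\System32\\cmd.exe", "DESKTOP\\alice"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Rule 1 alone is usually enough to catch this family of bugs, since a browser has no legitimate reason to run as SYSTEM; rules 2 and 3 add the context that distinguishes the vendor-installer pattern (Razer, SteelSeries) from other misconfigurations. The same walk over Sysmon event ID 1 or Windows Security 4688 records, keyed on the parent-PID field, is what a real deployment would run.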