How antispam software and ransomware protection are connected

Mimecast Threat Center research reveals a malware campaign delivered through sideloading, a new technique enabled by Windows 10 that is known to lead to ransomware attacks.

Key points:

  • A threat actor known to spread malware like Trickbot and BazarLoader has resurfaced, with a new way to deliver malware, according to Mimecast’s Threat Center.

  • The new malware delivery method known as “sideloading” takes advantage of a feature introduced by Microsoft in June 2021 that allows users to install Windows 10 apps from a webpage; sideloading seeks to install apps while bypassing the Windows store.

  • Trickbot and BazarLoader spread spam and are known to lead to ransomware attacks, demonstrating the importance of a secure email gateway and anti-spam software.

In June 2021, Microsoft released a new feature in the Windows store called App Installer, which allowed users to install Windows 10 apps from a webpage. Unfortunately, a threat actor known to spread Trickbot and BazarLoader, which spread spam often resulting in ransomware attacks, exploited this feature. This is yet another example of the importance of updated email antispam software to help prevent ransomware attacks.

Trickbot was first seen in 2016 and has been widely used to target financial companies; BazarLoader is basically a spin-off of Trickbot to deliver malicious payloads via Microsoft and JavaScript attachments into spam emails that go undetected until activated. Both aim to steal banking information, PII (Personally Identifiable Information) and / or user credentials.

The threat actor behind Trickbot and BazarLoader is known to sell access obtained from compromised networks to third parties who use it for ransomware. Using sideloading to load malicious payload is a new approach in an ever-changing threat landscape.

How the sideloading threat works

Spam e-mail tricks users into clicking on what appears to be a legitimate link. The email is for a customer complaint that references their full names, with additional details available in the linked PDF. The intention, of course, is to create a sense of urgency to uncover the complaint. And the fastest way to find out is to click on the link and download the report.

Note that the content of the email is grammatically awkward and contains a spelling error (“She” instead of “Here”), a sure sign that it is possible spam. But if users panic that a complaint is filed against them, they might not read the email carefully. (This is why effective anti-spam software is so essential – it would have detected malicious content.)

The link seems legitimate. But instead of downloading the report, the malware uses sideloading to bypass the Windows App Store webpage and install the malware. The user clicks on the report thinking that it is about downloading the PDF report. Instead, the link redirects to a web page where it looks like there is a problem and asks the user to try downloading again.

Uploading malicious code

Instead of downloading the report, users are tricked into thinking that they need an app to view the report. He looks over the edge, except he’s not.

When users click Install, they are downloading a set of applications used by Windows 10; the problem is that the bundle contains the malware.

Mimecast Threat Center noted that this campaign has been viewed more than 16,000 times in various countries, including the United States, United Kingdom, Germany, Australia and South Africa.

Defend against side loading

Starting with Windows 10 2014, Microsoft enables sideloading by default. Organizations can turn off the feature, but then they lose the ability to easily download apps not available in the Windows App Store designed for functions unique to their business.

Whether or not an organization chooses to allow sideloading, the first line of defense against evolving threats like this is a combination of effective anti-spam software and user awareness training. The layered email security policy delivers the efficiency required to keep your business, information, and users secure. Scanning emails and quarantining suspicious content helps prevent spam that leads to ransomware attacks.

Additionally, user awareness training alerts employees to key characteristics of spam to instill a “think before you click” mentality. In this example, a cyber-conscious employee would immediately be wary of an email containing spelling errors and awkward grammar.

The bottom line

Cybercriminals are continually looking for new vulnerabilities to exploit users. This side loading scheme is just the latest example. According to Mimecast’s Threat Center, this is a new version of similar malware attempts masquerading as a Windows application – a particularly dangerous application that will be emulated by other threat actors. The best defense is effective anti-spam email security updated with the latest threat information combined with a “think before your click” culture through ongoing user awareness training.

Want more cool articles like this?Subscribe to our blog.

Get all the latest news, tips and articles straight to your inbox

thank you forSubscription

You will receive an email shortly

Take me back to the article please


Mimecast Limited published this content on November 09, 2021 and is solely responsible for the information it contains. Distributed by Public, unedited and unmodified, on 09 November 2021 13:03:12 UTC.

About Sandra A. Powell

Check Also

Why advanced email protection is more important than ever

The transition to hybrid working has been a complex journey that many organizations across the …

Leave a Reply

Your email address will not be published.