Remote AppX Package Downloaded from File Sharing or CDN Domain
This brief details the detection of a malicious AppX package downloaded from untrusted file-sharing or CDN domains, a technique employed by threat actors like BazarLoader to deliver malware via abused Windows app mechanisms, potentially leading to system compromise and ransomware.
This threat brief focuses on the detection of Windows AppX packages that are downloaded from suspicious file-sharing or Content Delivery Network (CDN) domains. This technique is actively leveraged by various threat actors, including those behind BazarLoader campaigns, to bypass security controls and deliver malware. Starting as early as late 2021, adversaries have been observed abusing legitimate Windows mechanisms, such as the AppInstaller.exe utility and the appxdeployment-server service, to install malicious applications. The delivery typically involves phishing attacks leading to the download of .appinstaller or .appx files hosted on platforms like Discord's CDN, GitHub, or various file-sharing services. This method allows threat actors to distribute payloads discreetly, often bypassing traditional perimeter defenses and leading to initial access for further exploitation, data exfiltration, or ransomware deployment.
Attack Chain
- Initial Access: A user receives a phishing email containing a malicious attachment, often a compressed archive (e.g.,
.isoor.zipfile) impersonating a legitimate document or software update. - Execution - Malicious Loader: The user opens the attachment, which contains a shortcut (
.lnk) or a script that, when executed, triggers a download or execution process. - AppInstaller Abuse: The malicious loader initiates
AppInstaller.exeto process a specially crafted.appinstallerfile, bypassing typical security prompts for unsigned applications. - Ingress Tool Transfer:
AppInstaller.exe, utilizing theappxdeployment-serverservice, downloads a malicious.appxor.msixpackage from a remote file-sharing or CDN domain (e.g.,cdn.discordapp.com,githubusercontent.com,storage.googleapis.com). - Execution - Malware Deployment: The downloaded AppX package is installed and then executes an embedded malicious payload, such as a loader for BazarLoader, IcedID, or other infostealers.
- Command and Control (C2): The deployed malware establishes persistence on the compromised system and communicates with its command and control infrastructure to receive further instructions or download additional modules.
- Impact: The attacker proceeds with post-exploitation activities, including reconnaissance, privilege escalation, lateral movement, data exfiltration, or the deployment of ransomware.
Impact
Successful exploitation allows threat actors to gain initial access to target systems, often bypassing standard application security measures and leading to significant consequences. Campaigns leveraging this technique, such as those deploying BazarLoader, have been observed across various sectors globally. The primary impact includes system compromise, execution of arbitrary code, installation of further malware (e.g., ransomware, infostealers, banking trojans), and potential data exfiltration. This can result in severe financial losses, operational disruption, and reputational damage for affected organizations.
Recommendation
- Deploy the Sigma rule "Remote AppX Package Downloaded from File Sharing or CDN Domain" to your SIEM system to detect suspicious AppX package downloads from untrusted domains.
- Ensure
appxdeployment-serverlogs are being collected from all Windows endpoints and forwarded to your SIEM for analysis. - Block the domains listed in the IOC section at your network perimeter (e.g., DNS resolver, firewall) to prevent access to known malicious AppX package hosting locations.
- Implement strong email filtering and user awareness training to reduce the success rate of phishing attempts that serve as the initial access vector for such attacks.
- Restrict the ability of non-administrative users to install applications via
AppInstaller.exeor AppX packages where possible.
Detection coverage 1
Remote AppX Package Downloaded from File Sharing or CDN Domain
highDetects an AppX package added to the processing pipeline that was downloaded from a remote file-sharing or CDN domain, indicating potential malware delivery.
Detection queries are available on the platform. Get full rules →
Indicators of compromise
35
domain
| Type | Value |
|---|---|
| domain | githubusercontent.com |
| domain | 0x0.st |
| domain | anonfiles.com |
| domain | bashupload.com |
| domain | cdn.discordapp.com |
| domain | chunk.io |
| domain | ddns.net |
| domain | dl.dropboxusercontent.com |
| domain | ghostbin.co |
| domain | github.com |
| domain | glitch.me |
| domain | gofile.io |
| domain | hastebin.com |
| domain | mediafire.com |
| domain | mega.nz |
| domain | onrender.com |
| domain | pages.dev |
| domain | paste.ee |
| domain | pastebin.com |
| domain | pastebin.pl |
| domain | pastetext.net |
| domain | privatlab.com |
| domain | privatlab.net |
| domain | send.exploit.in |
| domain | sendspace.com |
| domain | storage.googleapis.com |
| domain | storjshare.io |
| domain | supabase.co |
| domain | temp.sh |
| domain | transfer.sh |
| domain | trycloudflare.com |
| domain | ufile.io |
| domain | w3spaces.com |
| domain | workers.dev |
| domain | x0.at |