New research from Mimecast’s Threat Center has detailed a recent malware campaign delivered via sideloading — targeting Microsoft’s App Installer feature in the Microsoft Store, which allows users to install Windows 10 apps from a webpage.
A threat actor known for spreading Trickbot and BazarLoader, which deliver spam often resulting in ransomware attacks, is responsible.
The campaign is a prime example of the threats posed by sideloading attacks — but what exactly are they, how do they work, what damage can they cause to an organisation, and how can they be prevented? Here is all you need to know about sideloading attacks.
What is a sideloading attack?
“Sideloading is simply the installation of an application onto a device, like a phone or computer,” head of threat research at Netacea Matthew Gracey McMinn, tells CSO. “The key difference between sideloading and a normal installation is that in sideloading, the application has not been approved by the developer of the device’s operating system.”
All an attacker has to do is convince a user that they are installing a legitimate and trustworthy application. Such applications may not have been security tested and can be malicious in nature, so users are exposed to threats by installing them, according to George Glass, head of threat intelligence at Redscan. While most devices disable this access until the user enables it in a menu, Windows 10 now allows sideloading by default.
“Typically, these applications are downloaded following some form of social engineering attack via a phishing email or pop-up advertisement. Users may also download a ‘free’ or ‘cracked’ version of a piece of software which may contain malicious code,” says Glass.
One example of a sideloading attack recently observed in the wild is WizardUpdate, which masquerades itself as a legitimate application such as Adobe Flash Player.
“Initially the application was a reconnaissance tool, used to gather only system information and relay this back to a command-and-control (C2) server,” Glass says. “However, this application has now developed to include the functionality to avoid macOS gatekeeper protection, loading other programs from within the application such as adware and malware, and changing system settings.”
Of course, many companies have legitimate, bespoke applications needed for their business processes that don’t come through official app stores, and so sideloading is a necessary part of their ecosystem, Gracey McMinn points out.
The impact of sideloading attacks
The potential damage that can be caused by a sideloading attack can be significant for an organisation. “Sideloading application attacks can lead to organisations becoming compromised, unable to access data unless a ransom is paid, or having their confidential data exfiltrated,” says Glass.
“Sideloaded applications present a risk like that of email-borne malware, except the initial infection method may be subject to fewer security controls than an email may have to go through to reach a target.”
The malware that attackers can deliver in a sideloading attack can vary from simple keyloggers or ransomware through to those that delete data and render a device inoperable.
“Clever cyber criminals try and bundle malware with something useful, such as a free PDF to Word document converter,” says Gracey McMinn. “The user installs the useful tool, blissfully unaware of the malware running in the background. This background malware creates a backdoor which gives the attacker access to and control of the device.”
Some attackers stick to creating these points of access into companies and then selling them to other actors, while some will proceed to launch further attacks themselves.
“Cyber criminals who have a backdoor to the network can use this as a starting point to further compromise more endpoints,” says Gracey McMinn. They will move from computer to computer, server to server around the network until they have enough access and control to launch an attack of sufficient potency for their objective.”
In this way, a simple malicious sideloaded app on one computer can lead to critical servers and broad sections of the business suffering a full-scale ransomware attack, crippling the business, and preventing it from conducting core business functions.
“The problem with this type of attack is that there is really no limit to the type of malware an attacker can install,” says Acronis cybersecurity analyst Topher Tebow.
How to prevent sideloading attacks
While the cost of losing access to critical services, databases, digital processes, and the ability to use IT assets is enough to give any security leader sleepless nights, CISOs can take steps to help prevent sideloading attacks. Experts agree that these must combine technical controls with user awareness.
“Technical controls can limit the ability of users to install applications, but these aren’t always practical to business needs. That’s where awareness training comes into play,” says Gracey McMinn.
“Consider limiting user rights via [Windows] Group Policy to prevent non-system administrators downloading and installing potentially unwanted programs on corporate devices,” Glass advises. “Ensure software is only downloaded and installed directly from the vendor’s website or app store, instead of third-party sites, by employing application allow listing to a set of approved applications.”
Emails should be scanned to prevent malicious content from reaching victims and a full cyber protection suite should be used to detect and block ransomware and other malware and monitor the flow of data in and out of the network, with a proven and protected backup solution to restore data in the event it is lost, adds Tebow.
“A zero trust policy should also be in place,” he says. “This can prevent users from being able to install software from unauthorised locations and restricts each user’s access to resources across the network to only that which is necessary for their job.”
As most sideloading attacks rely on social engineering, it’s important to train users on the tricks used so they know how to spot them. “[Users] are then much less likely to sideload malicious applications,” says Gracey McMinn.
“Furthermore, users often try to sideload apps when they can’t find an application to do something they need to do. I would recommend that CISOs make sure all staff in their organisation are aware that they can request applications that they don’t already have so that applications known to be safe can be provided to them.”