Microsoft Disables MSIX App Installers to Prevent Malware Abuse (10th February 2022)

Ref# AL2022_09 | Date: Feb 10th 2022

Description

Following evidence that a security weakness in the Windows App Installer component was being used by threat actors to deliver malware, Microsoft stated last week that it is temporarily disabling the MSIX ms-appinstaller protocol handler in Windows.

Summary

MSIX is a universal Windows app package format that allows developers to distribute their apps for the desktop operating system and other platforms. It is built on a combination of .msi, .appx, App-V, and ClickOnce installation technologies. ms-appinstaller is not a program but a URI scheme (protocol handler) handled by App Installer: a website can link to a package with an ms-appinstaller: URL, and a user installs the app by clicking that link.

A spoofing vulnerability in Windows App Installer, tracked as CVE-2021-43890, allowed an attacker to craft a malicious attachment or link for use in phishing campaigns that deceived App Installer into presenting and installing a rogue app the user never intended to install.

How threat actors abused ms-appinstaller

Threat actors used an Emotet campaign that begins with a stolen reply-chain email, so the message appears to be a reply to a previous conversation. These replies merely say "Please see attached" and include a link to a purported PDF related to the email thread. When the user clicks the link, they are taken to a fake Google Drive page that asks them to click a button to preview the PDF document. This button is an ms-appinstaller URL that tries to open an .appinstaller file hosted on Microsoft Azure static website hosting, using URLs under *.web.core.windows.net.

The same AppX Installer spoofing vulnerability was also used to deliver the BazarLoader malware, again via malicious packages hosted on Microsoft Azure under *.web.core.windows.net URLs.
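The two campaigns above share one observable: an ms-appinstaller: link whose package source sits under *.web.core.windows.net. The following PowerShell function, an added example that is not part of this advisory, extracts such links from web proxy or browser telemetry and flags the Azure static-site pattern. The log lines are constructed for illustration and the link form ms-appinstaller:?source=<package URL> is Microsoft's documented scheme; the host names and field layout are assumptions.

```powershell
# Added example (not from the advisory): hunt proxy/web logs for ms-appinstaller links
# whose package source is an Azure static-website host (*.web.core.windows.net).
function Find-AppInstallerLinks {
    param([string[]] $Lines)

    # Documented link form is ms-appinstaller:?source=<package URL>; logs often URL-encode the source.
    $pattern = 'ms-appinstaller:\?source=(?<src>[^\s"''<>]+)'

    foreach ($line in $Lines) {
        foreach ($m in [regex]::Matches($line, $pattern, 'IgnoreCase')) {
            $src = [System.Uri]::UnescapeDataString($m.Groups['src'].Value)
            $uri = $null
            if (-not [System.Uri]::TryCreate($src, [System.UriKind]::Absolute, [ref]$uri)) { continue }

            # Azure static website hosting uses <account>.z<NN>.web.core.windows.net hosts.
            $azureStatic = $uri.Host -like '*.web.core.windows.net'
            $isPackage   = $uri.AbsolutePath -match '\.(appinstaller|msix|msixbundle|appx|appxbundle)$'

            [pscustomobject]@{
                Host            = $uri.Host
                Source          = $src
                AzureStaticSite = $azureStatic
                PackageLink     = $isPackage
                Suspicious      = ($azureStatic -and $isPackage)
                LogLine         = $line
            }
        }
    }
}

# Constructed sample lines (not real telemetry): a vendor link, a campaign-style link, a non-match.
$sample = @(
    '2022-02-01T10:01:02Z 10.0.0.5 GET https://vendor.example/download ref="ms-appinstaller:?source=https://vendor.example/app/Tool.appinstaller"',
    '2022-02-01T10:05:44Z 10.0.0.7 GET https://drive-preview.example/view ref="ms-appinstaller:?source=https%3A%2F%2Fexample123.z13.web.core.windows.net%2FDocument.appinstaller"',
    '2022-02-01T10:06:10Z 10.0.0.7 GET https://www.example.com/ ref="-"'
)

# Only the second line should be reported as suspicious.
Find-AppInstallerLinks -Lines $sample | Where-Object Suspicious | Format-Table Host, Source -AutoSize
```

Treat a hit as a lead, not a verdict: legitimate vendors do publish .appinstaller files, so pivot on the sending mail, the referring "Google Drive" page and the host serving the package before acting.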

Remediation

Microsoft released security updates addressing this vulnerability in the December 2021 Patch Tuesday updates and published workarounds to disable the ms-appinstaller scheme without installing the patches. Microsoft has now decided to disable the protocol completely in order to protect all Windows users, including those who have not yet deployed the December security updates or applied the workarounds.
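Administrators who want to enforce the workaround themselves, rather than rely on Microsoft's server-side change, can set the Desktop App Installer policy that turns the ms-appinstaller protocol off. The following PowerShell, an added example and not part of this advisory, checks and optionally applies that policy. The registry path and the EnableMSAppInstallerProtocol value name are taken from Microsoft's Desktop App Installer Group Policy settings rather than from this advisory; confirm them against the vendor's CVE-2021-43890 guidance before deploying at scale.

```powershell
# Added example (not from the advisory): verify or apply the "disable ms-appinstaller protocol" workaround.
# Policy location assumed from Microsoft's Desktop App Installer policy set (verify before use):
#   HKLM\SOFTWARE\Policies\Microsoft\Windows\AppInstaller, DWORD EnableMSAppInstallerProtocol = 0
function Test-MsAppInstallerProtocolDisabled {
    [CmdletBinding()]
    param(
        # Pass -Apply (in an elevated session) to set the policy if it is not already disabled.
        [switch] $Apply
    )

    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'
    $value = 'EnableMSAppInstallerProtocol'

    $current = $null
    if (Test-Path $key) {
        $current = (Get-ItemProperty -Path $key -Name $value -ErrorAction SilentlyContinue).$value
    }

    # 0 = protocol disabled by policy; absent or 1 = protocol allowed (Windows default).
    $disabled = ($current -eq 0)

    if (-not $disabled -and $Apply) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name $value -Value 0 -PropertyType DWord -Force | Out-Null
        $current  = 0
        $disabled = $true
    }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        PolicyValue   = $current      # $null when the policy has never been set
        Disabled      = $disabled
        PatchedOrNot  = 'check December 2021 cumulative update separately'
    }
}

# Report only; add -Apply from an elevated prompt to enforce the workaround.
Test-MsAppInstallerProtocolDisabled
```

The policy is a compensating control, not a substitute for the December 2021 update: a patched machine with the protocol re-enabled is still the intended end state once Microsoft restores the handler, so track both the patch level and the policy value in your inventory.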

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.

PDF Download: Microsoft Disables MSIX App Installers to Prevent Malware Abuse.pdf

References