Microsoft disables abused MSIX protocol handler in Emotet attacks


Microsoft has disabled the MSIX ms-appinstaller protocol handler exploited in malware attacks to install malicious applications directly from a website through a Windows AppX Installer spoofing vulnerability.

Today’s decision comes after the company released security updates to fix the flaw (tracked as CVE-2021-43890) in the December 2021 Patch Tuesday and provided workarounds to disable the MSIX scheme without deploying the patches.

The likely reason for completely disabling the protocol is to protect all Windows clients, including those who have not yet installed the December security updates or applied the workarounds.

“We are actively working to resolve this vulnerability. For now, we have disabled the ms-appinstaller scheme (protocol). This means that App Installer will not be able to install an application directly from a web server. Instead, users will need to download the app on their device first and then install the package with App Installer,” noted Microsoft Program Manager Dian Hartono.

“We recognize that this feature is essential for many businesses. We take the time to perform extensive testing to ensure that re-enabling the protocol can be done in a secure manner.

“We are considering introducing Group Policy that would allow IT administrators to re-enable the protocol and control its use within their organizations.”

How Threat Actors Abused ms-appinstaller to Spread Malware

As reported by BleepingComputer, Emotet began spreading and infecting Windows 10 and Windows 11 systems in early December using malicious Windows AppX Installer packages disguised as Adobe PDF software.

Emotet phishing emails used stolen reply-chain emails and asked potential victims to open PDFs related to the previous conversation.

However, once clicked, the links embedded in the emails redirect recipients to pages that, instead of opening the PDF, launch the Windows App Installer program and ask to install an “Adobe PDF Component”.

Although it looks like a legitimate Adobe application, App Installer downloads and installs a malicious appxbundle hosted on Microsoft Azure when the user clicks on the Install button.

App Installer prompting to install fake Adobe PDF component (BleepingComputer)

You can find more information, including how Emotet abused the built-in Windows App Installer functionality during the campaign, in our previous report.

This AppX Installer spoofing vulnerability has also been exploited to distribute BazarLoader malware via malicious packages hosted on Microsoft Azure, using * URLs.
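A detection sketch for the delivery step described above, added here as an example and not taken from the article or from Microsoft: it pulls ms-appinstaller links out of an email body and flags any whose package source is outside an allowlist. The `ms-appinstaller:?source=` URI form is Microsoft's documented syntax; the allowlisted host, the function name and the sample email are assumptions constructed for illustration.

```python
import re
from html import unescape
from urllib.parse import parse_qs, urlsplit

# Assumption: the only host this organization permits to serve packages.
# An allowlist is used because the campaigns hosted packages on a well-known
# cloud platform, so "reputable hosting" says nothing about the package.
ALLOWED_HOSTS = {"packages.corp.example"}

# Matches the URI up to the end of an href value or the next whitespace.
URI_RE = re.compile(r"ms-appinstaller:\??[^\s\"'<>]+", re.IGNORECASE)


def find_appinstaller_links(body):
    """Return one finding per ms-appinstaller URI found in an email or page body."""
    findings = []
    # Decode HTML entities first so "&amp;" inside an href does not split a URI.
    for match in URI_RE.finditer(unescape(body)):
        uri = match.group(0)
        query = uri.split(":", 1)[1].lstrip("?")
        # parse_qs percent-decodes values; keys are lowercased because the
        # scheme and parameter name can be written in any case.
        params = {k.lower(): v[0] for k, v in parse_qs(query).items()}
        source = params.get("source", "")
        parts = urlsplit(source)
        host = (parts.hostname or "").lower()
        reasons = []
        if not source:
            reasons.append("no source parameter")
        elif parts.scheme.lower() != "https":
            reasons.append("package source is not https")
        if host not in ALLOWED_HOSTS:
            reasons.append("source host not on allowlist")
        findings.append({"uri": uri, "source": source, "host": host,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


# Constructed sample: a reply-chain style lure plus one legitimate internal link.
SAMPLE_EMAIL = """<p>Please see the document from our earlier thread.</p>
<a href="ms-appinstaller:?source=https://files.storage.example/docs/viewer.appxbundle">Preview PDF</a>
<a href="MS-AppInstaller:?Source=https%3A%2F%2Fpackages.corp.example%2Ftools%2Fvpn.msix">VPN client</a>
<a href="https://intranet.corp.example/report.pdf">Report</a>"""

if __name__ == "__main__":
    for f in find_appinstaller_links(SAMPLE_EMAIL):
        print("FLAG" if f["suspicious"] else "ok  ", f["host"], f["reasons"])
```

The same function can be run over proxy or mail-gateway logs by passing each logged URL as the body.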

