Description
Following evidence that a security weakness in the installer component was used by threat actors to spread malware, Microsoft stated last week that it is temporarily disabling the MSIX ms-appinstaller protocol handler in Windows.
Summary
MSIX is a universal Windows app package format that allows developers to distribute their apps for the desktop operating system and other platforms. It is built on a combination of .msi, .appx, App-V, and ClickOnce installation technologies. ms-appinstaller is a program that allows users to install a Windows app by just clicking on a link on a website.
A spoofing vulnerability discovered in Windows App Installer tracked as CVE-2021-43890, allowed a malicious attachment used in phishing campaigns to deceive it into installing a rogue app that was never intended to be installed by the user.
How Threat actors abused ms-appinstaller
Threat actors used an emotet campaign that begins with a stolen reply-chain email that appears to be a reply to a previous conversation. These responses merely say, “Please see attached,” and include a link to a purported PDF connected to the email chat. When the user clicks the link, they will be taken to a phony Google Drive website where they will be asked to click a button to preview the PDF document. This button is an ms-appinstaller URL that tries to open an appinstaller file hosted on Microsoft Azure utilizing URLs at *.web.core.windows.net.
Using the *.web.core.windows.net URLs, the AppX Installer spoofing vulnerability was also used to deliver the BazarLoader malware via malicious packages hosted on Microsoft Azure.
Remediation
Microsoft released security updates addressing this vulnerability in the December 2021 Patch Tuesday updates and gave workarounds to disable the MSIX scheme without installing the patches. However, they decided to disable the protocol completely to protect all Windows users, including those who have not yet deployed the December security patches or utilized the workarounds.
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.,
PDF Download: Microsoft Disables MSIX App Installers to Prevent Malware Abuse.pdf
References