enterprise administrators to re-enable the disabled MSIX ms-appinstaller protocol handler after Emotet abused it to deliver malicious Windows App Installer packages
App Installer (also known as AppX Installer) allows users to install Windows applications directly from a web server using an MSIX package or App Installer file without first downloading the installers to their computer.
Microsoft disabled the ms-appinstaller scheme in response to reports of ongoing Emotet attacks exploiting a zero-day Windows AppX Installer spoofing vulnerability, forcing users to download the app packages to their device before installing them using the App Installer.
“We recognize that this feature is critical for many enterprise organizations. We are taking the time to conduct extensive testing to ensure that re-enabling the protocol can be done safely,” Microsoft program manager Dian Hartono said when announcing that the protocol had been disabled.
“We are looking to introduce Group Policy that allows IT administrators to re-enable the protocol and control its use within their organizations.”
How to re-enable the
According to an update from Hartono, Microsoft has now got the issue under control and allows administrators to re-enable the protocol handler by installing the latest version of App Installer (1.17.10751.0) and enabling a Group Policy.
On systems where the App Installer update cannot be deployed using the Internet-based installer, Microsoft also provides an offline version on the Microsoft Download Center.
The App Installer feature will be re-enabled after you download and deploy the Desktop App Installer policy and select “Enable the ms-appinstaller protocol from the application installer.”
You can do this through the Group Policy Editor by going to Computer Configuration > Administrative Templates > Windows Components > Desktop Application Installer.
“You will need to enable both the latest application installer application and the desktop application installer policy to use the ms-appinstaller protocol for MSIX,” Hartono added.
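Before flipping the policy, an administrator will want to know which hosts actually meet both conditions Hartono names. The following PowerShell audit function is an added example, not code from the article or from Microsoft; it checks the installed App Installer version against 1.17.10751.0 and whether the ms-appinstaller: scheme is registered. The registry key and value backing the Group Policy are not given in the article, so `$PolicyKey` and `$PolicyValueName` are placeholders to be filled in from the Desktop App Installer ADMX.

```powershell
# Added example (not from the article or Microsoft): report whether a host is ready
# for ms-appinstaller to be re-enabled, i.e. App Installer >= 1.17.10751.0 is present
# and the Desktop App Installer policy has been applied. Run from an elevated shell,
# since Get-AppxPackage -AllUsers needs administrator rights.
function Test-MsAppInstallerReadiness {
    [CmdletBinding()]
    param(
        [version]$MinimumVersion = [version]'1.17.10751.0',            # version named in the article
        [string]$PolicyKey = 'HKLM:\PLACEHOLDER\DesktopAppInstaller',  # placeholder: not on the page
        [string]$PolicyValueName = 'PLACEHOLDER_EnableMsAppInstaller'  # placeholder: not on the page
    )

    # 1. Highest installed version of the App Installer package (Microsoft.DesktopAppInstaller).
    $pkg = Get-AppxPackage -AllUsers -Name 'Microsoft.DesktopAppInstaller' |
           Sort-Object { [version]$_.Version } -Descending |
           Select-Object -First 1
    $installed = if ($pkg) { [version]$pkg.Version } else { $null }
    $versionOk = ($null -ne $installed) -and ($installed -ge $MinimumVersion)

    # 2. Is the ms-appinstaller: URL scheme registered as a protocol handler at all?
    $schemeRegistered = Test-Path 'Registry::HKEY_CLASSES_ROOT\ms-appinstaller'

    # 3. Has the Group Policy been applied? (key/value names are placeholders, see above)
    $policyValue = $null
    if (Test-Path $PolicyKey) {
        $policyValue = (Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue).$PolicyValueName
    }
    $policyEnabled = ($policyValue -eq 1)

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        InstalledVersion = $installed
        VersionMeetsMin  = $versionOk
        SchemeRegistered = $schemeRegistered
        PolicyEnabled    = $policyEnabled
        # The article says both the updated package and the policy are required.
        ReadyToReEnable  = $versionOk -and $policyEnabled
    }
}

Test-MsAppInstallerReadiness | Format-List
```

Hosts reporting `VersionMeetsMin = False` should receive the 1.17.10751.0 update (or the offline installer) before the policy is scoped to them.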
ms-appinstaller abused to push malware
Emotet began using malicious Windows AppX Installer packages disguised as Adobe PDF software to infect Windows devices in phishing campaigns in early December 2021.
The botnet’s phishing emails used stolen reply-chain emails that instructed recipients to open PDFs related to previous conversations.
However, instead of opening a PDF, the embedded links redirected recipients to a page that launched the Windows App Installer and asked them to install a malicious “Adobe PDF Component.”
Because it looked like a legitimate Adobe app, once the targets clicked the Install button the App Installer downloaded and installed a malicious appxbundle hosted on Microsoft Azure.
More details, including how Emotet abused the Windows App Installer vulnerability, can be found in our previous report on the December campaign.
The same flaw was also exploited to distribute the BazarLoader malware, using malicious packages hosted on Microsoft Azure under *.web.core.windows.net URLs.
“We have investigated reports of a spoofing vulnerability in the AppX installer affecting Microsoft Windows,” Microsoft explained.
“Microsoft is aware of attacks that attempt to exploit this vulnerability by using specially crafted packages that include the malware family known as Emotet/Trickbot/Bazaloader.”