Microsoft fixed a 0day using Emotet

A recent update fixes a 0day vulnerability in the Windows AppX installer (CVE-2021-43890), who used the Emotet.

An addition to the December 2021 patch tuesday for the AppX installer used on Windows, the closed the Windows AppX Installer spoofing vulnerability.0day, emotet, iguru, microsoft

The gang behind Emotet took advantage of this vulnerability to infect systems. The following is a brief overview.

The AppX-Installer used in Windows 10 and Windows 11 to install applications has a serious design flaw.

An infected payload from Emotet appears as a trusted application in the Setup dialog box. The Trusted App statement is displayed to users without any digital signatures being evaluated. Only when the user clicks on the Trusted App link does he receive the authentication notification from the publisher you see in the following tweet from the actual publisher of the application.

appx installer

The Emotet team is taking advantage of this security loophole to distribute its dropper that will install ransomware as a trusted Windows application.

As early as December 14, 2021, security researcher Will Dormann tweeted that ms-appinstaller's URI had been blocked by Microsoft with an update.

Dormann posted the issue in a series of tweets from December 1, 2021. If Windows users were logged in as administrators, it could be abused because ms-appinstaller: is a URL protocol through which install AppX from almost anywhere. Even opening a Microsoft Office document was enough.

Dormann then recommended activating the "Prevent non-administrators from installing packaged Windows applications" policy group or disabling the ms-appinstaller via the reg file for all users.

But as of December 14, 2021, Microsoft has released the Windows AppX Installer Spoofing Vulnerability security page CVE-2021-43890, which confirms all of the above and reveals the CVE.

Microsoft is aware of attacks that attempt to exploit this vulnerability with specially designed packages containing the Emotet / Trickbot / Bazaloader malware.

In addition, Microsoft has updated the AppX Installer (Desktop Installer): The Best Technology Site in Greecefgns

Subscribe to Blog by Email

Subscribe to this blog and receive notifications of new posts by email.

0day, emotet, iguru, microsoft

Written by giorgos

George still wonders what he's doing here ...

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).