Microsoft fixed a 0day using Emotet

A recent update fixes a 0day vulnerability in the Windows AppX installer (CVE-2021-43890), who used the Emotet.

An addition to the December 2021 for the AppX Installer used on Windows, Microsoft closed the Windows AppX Installer spoofing vulnerability.0day, emotet, iguru, microsoft

The gang behind Emotet took advantage of this vulnerability to infect systems. The following is a brief overview.

The AppX-Installer used in Windows 10 and Windows 11 to install applications has a serious design flaw.

A tainted payload from Emotet appears as trustworthy στο παράθυρο διαλόγου του προγράμματος εγκατάστασης. Η δήλωση του Trusted App εμφανίζεται στους χρήστες χωρίς να έχει αξιολογηθεί καμία ψηφιακή υπογραφή. Μόνο όταν ο χρήστης κάνει κλικ στον σύνδεσμο του Trusted App, λαμβάνει την ειδοποίηση ελέγχου s from the publisher you see in the tweet below from the actual publisher of the app.

appx installer

The Emotet team is taking advantage of this security loophole to distribute its dropper that will install ransomware as a trusted Windows application.

As early as December 14, 2021, security researcher Will Dormann tweeted that ms-appinstaller's URI had been blocked by Microsoft with an update.

Dormann posted the issue in a series of tweets from December 1, 2021. If Windows users were logged in as administrators, it could be abused because ms-appinstaller: is a URL through which AppX installation can be started from almost anywhere. Even opening a Microsoft Office document was enough.

Dormann then recommended enabling the “Prevent non-administrator users from installing packaged Windows applications” group policy or disabling ms-appinstaller via u reg for all users.

But as of December 14, 2021, Microsoft published it security Windows AppX Installer Spoofing Vulnerability CVE-2021-43890, which confirms all of the above and discloses the CVE.

Microsoft is aware of attacks that attempt to exploit this vulnerability with specially designed packages containing the Emotet / Trickbot / Bazaloader malware.

In addition, Microsoft has updated the AppX Installer (Desktop Installer):

iGuRu.gr The Best Technology Site in Greecefgns

every publication, directly to your inbox

Join the 2.100 registrants.
0day, emotet, iguru, microsoft

Written by giorgos

George still wonders what he's doing here ...

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).