enterprise administrators to re-enable the disabled MSIX ms-appinstaller protocol handler after Emotet abused it to deliver malicious Windows application installer packages.
App Installer (also known as AppX Installer) allows users to install Windows applications directly from a web server using an MSIX package or App Installer file without first downloading the installers to their computer.
Microsoft disabled the ms-appinstaller scheme in response to reports of ongoing Emotet attacks exploiting a zero-day Windows AppX Installer spoofing vulnerability, forcing users to download the app packages to their device before installing them using the App Installer.
“We recognize that this feature is critical for many enterprise organizations. We are taking the time to conduct extensive testing to ensure that re-enabling the protocol can be done safely,” Microsoft program manager Dian Hartono said in announcing the protocol’s closure.
“We are studying the introduction of a Group Policy that allows IT administrators to re-enable the protocol and control its use within their organizations.”
How to re-enable the protocol
According to an update from Hartono, Microsoft has now addressed the issue and allows administrators to re-enable the protocol handler by installing the latest version of App Installer (1.17.10751.0) and enabling a Group Policy.
On systems where the App Installer update cannot be deployed using the Internet-based installer, Microsoft also provides an offline version from the Microsoft Download Center (download link).
The ms-appinstaller protocol is re-enabled only after you download and deploy the Desktop App Installer policy and select “Enable the ms-appinstaller application installer protocol”.
You can do this in the Group Policy Editor under Computer Configuration > Administrative Templates > Windows Components > Desktop App Installer.
“You will need to enable both the latest application installer application and the desktop application installer policy to use the ms-appinstaller protocol for MSIX,” Hartono added.
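The two conditions Hartono describes (a new enough App Installer and the policy turned on) can be checked and applied from an elevated PowerShell session. The script below is an added example, not code from the article or from Microsoft; it assumes the policy setting is stored as the EnableMSAppInstallerProtocol DWORD under HKLM\SOFTWARE\Policies\Microsoft\Windows\AppInstaller (the registry location the Desktop App Installer ADMX writes to), and it uses the 1.17.10751.0 minimum version the article names.

```powershell
# Added example (not from the article or Microsoft): verify the App Installer
# version on this host and, only if it is new enough, enable the ms-appinstaller
# protocol policy. Assumptions: the policy maps to the registry value below and
# the minimum safe version is the 1.17.10751.0 the article names.
#Requires -RunAsAdministrator

$RequiredVersion = [version]'1.17.10751.0'
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'   # assumed policy key
$PolicyName = 'EnableMSAppInstallerProtocol'                              # assumed value name

function Test-AppInstallerVersion {
    # Returns $true when the newest installed Microsoft.DesktopAppInstaller package
    # meets the minimum version; Get-AppxPackage -AllUsers needs an elevated session.
    $pkg = Get-AppxPackage -Name 'Microsoft.DesktopAppInstaller' -AllUsers -ErrorAction SilentlyContinue |
        Sort-Object { [version]$_.Version } -Descending | Select-Object -First 1
    if (-not $pkg) {
        Write-Warning 'App Installer (Microsoft.DesktopAppInstaller) is not installed.'
        return $false
    }
    $installed = [version]$pkg.Version
    Write-Host "Installed App Installer version: $installed"
    return ($installed -ge $RequiredVersion)
}

function Enable-MsAppInstallerProtocol {
    # Refuse to open the protocol on a host that still runs an older App Installer:
    # the policy alone would re-expose the spoofing issue the article describes.
    if (-not (Test-AppInstallerVersion)) {
        throw "App Installer is older than $RequiredVersion; update it before re-enabling ms-appinstaller."
    }
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name $PolicyName -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host "Policy '$PolicyName' set to 1 under $PolicyKey."
}

function Get-MsAppInstallerProtocolState {
    # Reports the current policy value: not configured, 0 (disabled) or 1 (enabled).
    $value = (Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue).$PolicyName
    if ($null -eq $value) { return 'not configured (protocol stays disabled)' }
    return $value
}

Enable-MsAppInstallerProtocol
Get-MsAppInstallerProtocolState
```

In a domain, the same value would be delivered through the Group Policy Object rather than written locally; the version gate is the part worth keeping either way, since a policy that enables the protocol on a machine still running the older App Installer reintroduces the attack surface.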
ms-appinstaller abused to deliver malware
Emotet began using malicious Windows AppX Installer packages disguised as Adobe PDF software to infect Windows devices in phishing campaigns in early December 2021.
The botnet’s phishing emails used stolen reply-chain emails, instructing recipients to open PDFs related to previous conversations.
However, instead of opening a PDF, the embedded links redirected recipients to a page that launched the Windows App Installer and asked them to install a malicious “Adobe PDF Component.”
Although it looked like a legitimate Adobe app, App Installer downloaded and installed a malicious appxbundle hosted on Microsoft Azure once the targets clicked the Install button.
You can find more details, including how Emotet abused the Windows app installer vulnerability, in our previous report on the December campaign.
The same flaw was also exploited to distribute the BazarLoader malware using malicious packages hosted on Microsoft Azure at *.web.core.windows.net URLs.
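The abuse described in this section and the previous one rests on a link that hands App Installer a package URL, and the two campaigns both staged their packages on Azure *.web.core.windows.net hosts. The script below is an added example (not from the article) of triaging links pulled from mail or proxy logs for that pattern; it assumes the documented ms-appinstaller:?source=<package URL> link format, and the sample links and allowlist host are constructed for illustration.

```powershell
# Added example (not from the article): flag ms-appinstaller: links whose package
# source is an Azure static-website host or is not on an approved distribution host.
# The sample links and the allowlisted host are constructed for this example.

$AllowedPackageHosts = @('packages.corp.example')   # assumed internal package host

# Constructed sample links, as a mail gateway or proxy log might record them.
$SampleLinks = @(
    'https://contoso.example/docs/invoice.pdf',
    'ms-appinstaller:?source=https://packages.corp.example/tools/LineOfBusiness.appxbundle',
    'ms-appinstaller:?source=https://randomname1234.web.core.windows.net/AdobePDFComponent.appxbundle',
    'MS-APPINSTALLER:?source=https://evil.example/x.msix'
)

function Get-MsAppInstallerSource {
    param([string]$Link)
    # Returns the package URL carried by an ms-appinstaller: link, or $null for any other link.
    # PowerShell -match is case-insensitive, so the scheme casing does not matter.
    if ($Link -match '^ms-appinstaller:\?source=(.+)$') {
        return [uri]::UnescapeDataString($Matches[1])
    }
    return $null
}

function Test-SuspiciousAppInstallerLink {
    param([string]$Link)
    $source = Get-MsAppInstallerSource $Link
    if (-not $source) { return $false }          # ordinary link: not in scope here
    $uri = $null
    if (-not [uri]::TryCreate($source, [UriKind]::Absolute, [ref]$uri)) {
        return $true                             # unparsable package source: treat as hostile
    }
    # Azure static-website storage, which both campaigns used, is flagged outright;
    # every other source must be an allowlisted distribution host.
    if ($uri.Host -like '*.web.core.windows.net') { return $true }
    return ($AllowedPackageHosts -notcontains $uri.Host)
}

foreach ($link in $SampleLinks) {
    $verdict = if (Test-SuspiciousAppInstallerLink $link) { 'SUSPICIOUS' } else { 'ok' }
    '{0,-10} {1}' -f $verdict, $link
}
```

The allowlist is the stricter of the two checks and is the one to rely on: blocking only *.web.core.windows.net catches the hosting these particular campaigns used, but an attacker can stage an appxbundle anywhere, so any ms-appinstaller: link whose source is not a host you control deserves a look.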
“We have investigated reports of a spoofing vulnerability in the AppX installer affecting Microsoft Windows,” Microsoft explained.
“Microsoft is aware of attacks that attempt to exploit this vulnerability by using specially crafted packages that include the malware family known as Emotet/Trickbot/Bazaloader.”