Microsoft now allows enterprise administrators to re-enable the disabled MSIX ms-appinstaller protocol handler after Emotet abused it to deliver malicious Windows App Installer packages.
App Installer (also known as AppX Installer) allows users to install Windows applications directly from a web server using an MSIX package or App Installer file without first downloading installers on their computer.
Microsoft has disabled the ms-appinstaller scheme in response to reports of ongoing Emotet attacks exploited Windows AppX Installer zero-day spoofing vulnerabilityrequiring users to download app packages to their device before installing them using the app installer.
“We recognize that this feature is essential for many businesses. We take the time to perform extensive testing to ensure that re-enabling the protocol can be done in a secure manner,” said Dian Hartono, Microsoft program manager, during of the announcement of the termination of the protocol. .
“We are considering introducing Group Policy that would allow IT administrators to re-enable the protocol and control its use within their organizations.”
How to re-enable the ms-appinstaller protocol
According to an update from HartonoMicrosoft finally got the problem under control and now allows administrators to re-enable the protocol handler by installing the latest version of App Installer (1.17.10751.0) and enabling group policy.
On systems where the App Installer update cannot be deployed using the Internet-based installer, Microsoft also provides an offline version on the Microsoft Download Center (Download link).
App Installer functionality will be re-enabled after downloading and deploying the Desktop App Installation Policy and selecting “Enable ms-appinstaller App Installer protocol”.
You can do this through the Group Policy Editor by going to Computer Configuration > Administrative Templates > Windows Components > Desktop Application Installer.
“You will need both the latest App Installer and the Desktop App Installer policy to be able to use the ms-appinstaller protocol for MSIX,” Hartono added.
ms-appinstaller abused to push malware
Emotet began using malicious Windows AppX Installer packages disguised as Adobe PDF software to infect Windows devices in phishing campaigns starting in early December 2021.
The botnet’s phishing emails used stolen reply string emails asking recipients to open PDFs related to previous conversations.
However, instead of opening the PDF, the embedded links redirected recipients to launch the Windows application installer and asked them to install a malicious “Adobe PDF component”.
Although looking like a legitimate Adobe application, App Installer downloaded and installed a malicious appxbundle hosted on Microsoft Azure after the targets clicked the Install button.
You can find more details, including how Emotet abused the Windows App Installer vulnerability, in our previous December campaign report.
The same spoofing flaw was also exploited to distribute BazarLoader malware using malicious packages hosted on Microsoft Azure via *.web.core.windows.net URLs.
“We have investigated reports of a spoofing vulnerability in the AppX installer that affects Microsoft Windows,” Microsoft Explain.
“Microsoft is aware of attacks that attempt to exploit this vulnerability using specially crafted packages that include the malware family known as Emotet/Trickbot/Bazaloader.”