Dec 15, 2021

Microsoft fixes Windows AppX Installer zero-day used by Emotet

Microsoft has patched a high severity Windows zero-day vulnerability exploited in the wild to deliver Emotet malware payloads.
The bug, a Windows AppX Installer spoofing vulnerability tracked as CVE-2021-43890, can be exploited remotely by threat actors with low user privileges in high-complexity attacks that require user interaction.
“We have investigated reports of a spoofing vulnerability in AppX installer that affects Microsoft Windows. Microsoft is aware of attacks that attempt to exploit this vulnerability by using specially crafted packages that include the malware family known as Emotet/Trickbot/Bazaloader,” Microsoft explains.
“An attacker could craft a malicious attachment to be used in phishing campaigns. The attacker would then have to convince the user to open the specially crafted attachment.
“Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”
To block exploitation attempts, Windows users have to install the patched Microsoft Desktop Installer for their platform:
Microsoft Desktop Installer 1.16 for Windows 10, version 1809 and later
Microsoft Desktop Installer 1.11 for Windows 10, version 1709 or Windows 10, version 1803
Microsoft also provides mitigation measures for customers who can’t immediately install the Microsoft Desktop Installer updates.
Mitigations recommended by Redmond include enabling BlockNonAdminUserInstall to prevent non-admins from installing Windows app packages, and AllowAllTrustedAppToInstall to block app installs from outside the Microsoft Store.
Additional information is available in the workarounds section of the CVE-2021-43890 security advisory.
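As an added example (not part of the BleepingComputer article or Microsoft's advisory), the following PowerShell audit checks whether a Windows 10 host carries the patched App Installer release named above and whether the two workaround policies are in force, and can apply the workarounds on hosts that cannot take the update yet. It assumes the App Installer ships as the Microsoft.DesktopAppInstaller AppX package, that the policies are stored under HKLM\SOFTWARE\Policies\Microsoft\Windows\Appx as BlockNonAdminUserInstall = 1 and AllowAllTrustedApps = 0, and that it runs from an elevated prompt.

```powershell
# Added example: audit a host for the CVE-2021-43890 fix and Microsoft's workarounds.
# Assumptions (not from the article): App Installer is the Microsoft.DesktopAppInstaller
# package; the Group Policy values live under the Appx policy key below; run elevated.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'

function Get-RequiredAppInstallerVersion {
    # Patched releases per the advisory: 1.16 for Windows 10 1809 (build 17763) and later,
    # 1.11 for Windows 10 1709/1803. Older builds are out of scope here.
    $build = [System.Environment]::OSVersion.Version.Build
    if ($build -ge 17763) { return [version]'1.16' }
    return [version]'1.11'
}

function Get-AppInstallerStatus {
    # Newest copy of App Installer across all user profiles.
    $pkg = Get-AppxPackage -AllUsers -Name 'Microsoft.DesktopAppInstaller' |
        Sort-Object { [version]$_.Version } -Descending | Select-Object -First 1
    if (-not $pkg) {
        return [pscustomobject]@{ Installed = $false; Version = $null; Patched = $false }
    }
    $ver = [version]$pkg.Version
    [pscustomobject]@{ Installed = $true; Version = $ver; Patched = ($ver -ge (Get-RequiredAppInstallerVersion)) }
}

function Get-AppxPolicyStatus {
    # A missing value means the Windows default, i.e. no mitigation in place.
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        BlockNonAdminUserInstall = ($props.BlockNonAdminUserInstall -eq 1)
        SideloadingBlocked       = ($props.AllowAllTrustedApps -eq 0)
    }
}

function Set-AppxWorkarounds {
    # Block non-admin package installs and installs from outside the Microsoft Store.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name 'BlockNonAdminUserInstall' -Value 1 -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name 'AllowAllTrustedApps'      -Value 0 -Type DWord
}

$status = Get-AppInstallerStatus
$policy = Get-AppxPolicyStatus
Write-Host ("App Installer version: {0}  patched: {1}" -f $status.Version, $status.Patched)
Write-Host ("Workarounds: BlockNonAdminUserInstall={0}  sideloading blocked={1}" -f
    $policy.BlockNonAdminUserInstall, $policy.SideloadingBlocked)
if (-not $status.Patched -and -not ($policy.BlockNonAdminUserInstall -and $policy.SideloadingBlocked)) {
    Write-Warning 'Unpatched and unmitigated: run Set-AppxWorkarounds until the update is installed.'
}
```

The workaround policies also block legitimate sideloaded packages, so revert them once the patched App Installer is deployed.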
BleepingComputer previously reported that Emotet began spreading using malicious Windows App Installer packages camouflaged as Adobe PDF software.
While Microsoft did not directly link the CVE-2021-43890 zero-day to this campaign, the details Redmond shared in today’s advisory line up with the tactics used in recent Emotet attacks.
As we reported on December 1, the Emotet gang started infecting Windows 10 systems by installing malicious packages using the built-in App Installer feature (or, as Microsoft calls it, AppX Installer).
More information, including the way Emotet abused the Windows App Installer in this campaign, can be found in our previous report.
The same tactic was used previously to distribute the BazarLoader malware by deploying malicious packages hosted on Microsoft Azure.
Emotet was the most distributed malware until a law enforcement operation shut down and seized the botnet’s infrastructure in January. Ten months later, in November, Emotet was resurrected, and it started rebuilding with the help of the TrickBot gang.
One day after its comeback, Emotet spam campaigns started again with phishing emails using various lures and malicious documents designed to deploy the malware on victims’ systems.
Article Categories:
Cybersecurity News