Microsoft disables MSIX protocol handler abused in Emotet attacks (Security News, February 2022)
Microsoft has disabled the ms-appinstaller protocol handler for MSIX packages, which has been exploited in malware attacks to install malicious apps directly from a website via a Windows AppX Installer spoofing vulnerability.
The likely reason for disabling the protocol altogether is to protect all Windows customers, including those who haven't yet installed the December security updates or applied the workarounds.
"We are actively working to address this vulnerability. For now, we have disabled the ms-appinstaller scheme. This means that App Installer will not be able to install an app directly from a web server. Instead, users will need to first download the app to their device, and then install the package with App Installer," said Microsoft Program Manager Dian Hartono.
As BleepingComputer reported, Emotet started spreading and infecting Windows 10 and Windows 11 systems in early December using malicious Windows AppX Installer packages camouflaged as Adobe PDF software.
Although the package looks like a legitimate Adobe app, App Installer downloads and installs a malicious appxbundle hosted on Microsoft Azure when the user clicks the Install button.
You can find more information, including the way Emotet abused the built-in Windows App Installer feature during the campaign, in our previous report.
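Because the abused scheme has the documented form `ms-appinstaller:?source=<package URL>`, the web-delivered packages the article describes leave that URI in proxy or web logs. The following is an added example (not code from the article or from Microsoft) that parses the scheme out of constructed log lines and flags any package source whose host is not on an organisation's own allowlist; the log layout and the allowlisted host are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log lines (timestamp, client IP, method, referrer, requested URI).
# The layout is an assumption for this example, not a real product's log format.
SAMPLE_LOG = """\
2021-12-02T10:14:03Z 10.0.0.21 GET https://lure.example/adobe-pdf ms-appinstaller:?source=https://blob.example/AdobeReader.appxbundle
2021-12-02T10:15:11Z 10.0.0.22 GET https://intranet.corp.example/apps ms-appinstaller:?source=https://apps.corp.example/LineOfBusiness.msixbundle
2021-12-02T10:16:40Z 10.0.0.23 GET https://lure.example/landing https://lure.example/static/logo.png
"""

# Hosts from which the organisation legitimately serves MSIX/AppX packages (placeholder value).
ALLOWED_PACKAGE_HOSTS = {"apps.corp.example"}

# The scheme is case-insensitive; everything after "ms-appinstaller:?" is a query string.
MS_APPINSTALLER_RE = re.compile(r"ms-appinstaller:\?(?P<query>\S+)", re.IGNORECASE)


def extract_source(text: str):
    """Return the package URL carried by an ms-appinstaller: URI in `text`, or None."""
    match = MS_APPINSTALLER_RE.search(text)
    if not match:
        return None
    params = parse_qs(match.group("query"))
    source = params.get("source")
    # parse_qs already decodes percent-encoding; unquote is a no-op on clean input.
    return unquote(source[0]) if source else None


def find_suspicious(log_text: str, allowed_hosts=ALLOWED_PACKAGE_HOSTS):
    """Yield (client_ip, package_host, package_url) for web-installed packages
    whose source host is not on the allowlist."""
    hits = []
    for line in log_text.splitlines():
        source = extract_source(line)
        if source is None:
            continue
        host = (urlsplit(source).hostname or "").lower()
        if host not in allowed_hosts:
            client_ip = line.split()[1]
            hits.append((client_ip, host, source))
    return hits


if __name__ == "__main__":
    for client_ip, host, url in find_suspicious(SAMPLE_LOG):
        print(f"{client_ip} pulled a package from non-allowlisted host {host}: {url}")
```

Any hit is worth a look even after the scheme was disabled, since it marks a host that was lured to a web-hosted package and may still need the December update or the workaround.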