Microsoft Temporarily Disables MSIX mx-appinstaller Protocol - Binary Defense

Threat Watch

Threat Watch Microsoft Temporarily Disables MSIX mx-appinstaller Protocol

Microsoft Temporarily Disables MSIX mx-appinstaller Protocol

On Friday, Microsoft announced it has temporarily disabled the MSIX protocol handler in Windows systems due to the exploitation of this feature by Emotet and BazaarLoader malware.

The mx-appinstaller protocol allows for the downloading of MSIX files across the Internet. First, an XML manifest is served, and then the endpoint retrieves only the files that are needed, saving bandwidth and disk space. Threat actors are currently exploiting this mechanism via phishing attacks that spoof the signatures in MSIX package files. For example, on malicious sites, users are prompted to download an “Adobe PDF Component” which is supposedly necessary to view the purportedly urgent document mentioned by the phishing email. However, this link to the PDF component was actually an “ms-appinstaller://” link that installed a version of the BazaarLoader malware. No date was given for the resumption of the mx-appinstaller protocol.

ANALYST NOTES

In its security advisory, Microsoft said it was considering a new Group Policy that would allow finer controls for using the mx-appinstaller protocol. Current workarounds for the disabling of the mx-appinstaller protocol include the removal of the “ms-appinstaller:?source=” link to hosted resources on websites so that the entire MSIX or App installer file (APPX or APPBUNDLE) will be downloaded and installed via the Microsoft App Installer.

While the protocol is currently disabled, mitigations for mx-appinstaller exploitation are still recommended for app installation. A GPO policy can be configured to set BlockNonAdminUserInstall = 1, which allows only administrators to successfully install signed Windows app packages. Note that BlockNonAdminUserInstall = 0 is the default value, which allows all users to successfully install Windows app packages. The AllowAllTrustedAppToInstall policy setting can also be configured to allow only the installation of trusted line of business or developer signed Windows Store apps.

https://therecord.media/microsoft-temporarily-disables-msix-protocol-handler-following-malware-abuse/

https://techcommunity.microsoft.com/t5/windows-it-pro-blog/disabling-the-msix-ms-appinstaller-protocol-handler/ba-p/3119479

BREAKING: #Emotet malspam links can since yesterday link to an Universal App installer hosted on @azure imposing as an Adobe Update that drops E4 payload. This is the same initial attack vector as #BazarLoader used a few weeks ago, even using the same @SectigoHQ cert. pic.twitter.com/B19KGFUtII

— Cryptolaemus (@Cryptolaemus1) November 26, 2021

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43890