Microsoft Patches AppX Zero-day Previously Exploited to Deliver Emotet
Posted by: GuidePoint Security
Published 12/23/21, 9:00am
As part of the final patch Tuesday of 2021, Microsoft has fixed a critical vulnerability in the AppX Installer that was used in attempts to deploy the Emotet malware family, also known as Trickbot and Bazaloader.
The zero-day, tracked as CVE-2021-43890, is a spoofing vulnerability that allows an attacker to create a malicious package and modify it to look like a legitimate application. These files can be inserted as attachments in crafted phishing campaigns, tricking end-users into installing what appears to be a legitimate application. This technique has been witnessed in use by the Emotet malware family, and while Microsoft did not explicitly link those campaigns to this vulnerability, it seems likely they are connected.
The release of this patch should stop spoofed packages from appearing as valid applications, but that won’t prevent attackers from sending the packages, or links to them, in the hopes that they will land on an unpatched endpoint.
Next Steps
If possible, immediately apply the relevant patch from Microsoft. If you are unable to apply the patch, Microsoft’s recommended mitigation is that users hover over the Trusted App text in the Desktop App Installer to see more detailed information about the package signer. Additionally, organizations that cannot apply the patch can set Group Policy to prevent non-administrator accounts from installing Windows app packages, or to only allow the installation of trusted applications from the Windows app store.
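The Group Policy mitigations above are registry-backed, so their state on a given endpoint can be audited from PowerShell. The script below is an added example and is not GuidePoint's or Microsoft's code; it assumes the App Package Deployment policies write the `BlockNonAdminUserInstall`, `AllowAllTrustedApps` and `AllowDevelopmentWithoutDevLicense` values under `HKLM\SOFTWARE\Policies\Microsoft\Windows\Appx` (check against your ADMX templates), and it reports the installed App Installer version so it can be compared with the version Microsoft lists for the fix.

```powershell
# Added example (not from the advisory): audit and, if needed, enforce the two
# Group Policy mitigations for unpatched endpoints. Run in an elevated shell.
# Assumption: these are the registry values the ADMX policies write.
$AppxPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'

function Get-AppxPolicyValue {
    param([string]$Name)
    # Returns $null when the policy is "Not Configured" (value absent).
    try {
        (Get-ItemProperty -Path $AppxPolicyKey -Name $Name -ErrorAction Stop).$Name
    } catch { $null }
}

function Test-AppxInstallMitigation {
    $blockNonAdmin = Get-AppxPolicyValue 'BlockNonAdminUserInstall'
    $allowTrusted  = Get-AppxPolicyValue 'AllowAllTrustedApps'
    $allowDev      = Get-AppxPolicyValue 'AllowDevelopmentWithoutDevLicense'
    # Version of the App Installer package itself, for comparison with the
    # fixed version in Microsoft's advisory (not hard-coded here).
    $installer = Get-AppxPackage -Name 'Microsoft.DesktopAppInstaller' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        # "Prevent non-admin users from installing packaged Windows apps" = Enabled
        NonAdminInstallBlocked     = ($blockNonAdmin -eq 1)
        # Sideloading of non-Store packages is off only when "Allow all trusted
        # apps to install" is explicitly Disabled (0); absent means default (on).
        SideloadingDisabled        = ($allowTrusted -eq 0)
        # Developer mode by policy would re-enable sideloading.
        DeveloperModeNotForced     = ($allowDev -ne 1)
        DesktopAppInstallerVersion = if ($installer) { $installer.Version } else { 'not installed' }
    }
}

function Set-AppxInstallMitigation {
    # Local enforcement for standalone machines; on domain members prefer a GPO,
    # since the next policy refresh overwrites values written here.
    if (-not (Test-Path $AppxPolicyKey)) { New-Item -Path $AppxPolicyKey -Force | Out-Null }
    New-ItemProperty -Path $AppxPolicyKey -Name 'BlockNonAdminUserInstall' `
        -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $AppxPolicyKey -Name 'AllowAllTrustedApps' `
        -PropertyType DWord -Value 0 -Force | Out-Null
}

Test-AppxInstallMitigation | Format-List
```

Pick one of the two policies to match your environment: blocking non-admin installs keeps Store sideloading for administrators, while disabling "Allow all trusted apps to install" limits every account to Store-delivered packages.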