The vulnerability enables hackers to trick desktop users into installing harmful applications by disguising them as official ones. In technical terms, the bug lets an attacker abuse the built-in Windows App Installer, also referred to as the AppX Installer, to spoof the identity of a legitimate package so that users willingly install a malicious one. “Typically, if the user tries to install an application containing malware, such as an Adobe Reader lookalike, it won’t display as a verified package, which is where the vulnerability comes into play,” explained Kevin Breen, Director of Cyber Threat Research at Immersive Labs, to Lifewire over email. “This vulnerability allows an attacker to display their malicious package as if it were a legitimate package validated by Adobe and Microsoft.”
Snake Oil
Tracked as CVE-2021-43890, the bug essentially made malicious packages from untrusted sources appear safe and trusted. It is precisely because of this behavior that Breen believes this subtle app spoofing vulnerability is the one that affects desktop users the most. “It targets the person behind the keyboard, allowing an attacker to create an installation package that includes malware like Emotet,” said Breen, adding that “the attacker will then send this to the user via email or a link, similar to standard phishing attacks.” When the user installs the spoofed package, it installs the malware instead. In the advisory accompanying the patch, the Microsoft Security Response Center (MSRC) noted that a malicious package delivered through this bug has less impact on computers where the user account is configured with fewer rights than on computers where the user runs with administrative privileges. “Microsoft is aware of attacks that attempt to exploit this vulnerability by using specially crafted packages that include the malware family known as Emotet/Trickbot/Bazaloader,” MSRC wrote in its security update.
Return of the Devil
Referred to as the “world’s most dangerous malware” by the European Union’s law enforcement agency, Europol, Emotet was first discovered by researchers in 2014. According to the agency, Emotet evolved into a much larger threat and was even offered for hire to other cybercriminals to help spread different types of malware, such as ransomware. Law enforcement agencies finally halted the malware’s reign of terror in January 2021, when they seized several hundred servers located across the world that powered it. However, MSRC’s observations suggest hackers are once again trying to rebuild the malware’s infrastructure by exploiting the now patched Windows app spoofing vulnerability. Urging all Windows users to patch their systems, Breen also reminds them that while Microsoft’s patch will rob hackers of the means to disguise malicious packages as valid, it will not prevent attackers from sending links or attachments to these files. This means users will still have to exercise caution and verify the origin and publisher of a package before installing it. In the same vein, he adds that while CVE-2021-43890 is a patching priority, it is still just one of the 67 vulnerabilities Microsoft fixed in its final Patch Tuesday of 2021. Six of these carry the “critical” rating, which Microsoft reserves for bugs whose exploitation could let an attacker run code on a vulnerable Windows computer without any user interaction, and they are just as important to patch as the app spoofing vulnerability.
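The two practical takeaways above, confirm the patch is in place and vet a package before installing it, can be scripted. The following PowerShell is an added example written for this page; it is not code from Microsoft, Immersive Labs or the article. It assumes that the fixed App Installer build is at least the version passed in `$MinimumAppInstallerVersion` (the default shown is a placeholder that must be confirmed against Microsoft's advisory for CVE-2021-43890), that Microsoft's documented workaround for hosts that cannot update, disabling the `ms-appinstaller:` protocol by policy, lands in the registry path named in `Test-MsAppInstallerProtocolDisabled`, and that the package you want to vet is a locally saved `.msix`/`.appx`/`.msixbundle` file. The publisher allow-list `$TrustedPublishers` is a placeholder you fill with the certificate subjects you actually expect.

```powershell
# Added example, not the article's or Microsoft's code.
# Pre-install checks for a Windows host after CVE-2021-43890:
#  1. Is the App Installer package at or above the assumed fixed version?
#  2. If not, is the ms-appinstaller: protocol disabled by policy (assumed workaround)?
#  3. Does the package file carry a valid Authenticode signature from an expected publisher?
param(
    [Parameter(Mandatory = $true)]
    [string]$PackagePath,                                    # local .msix/.appx/.msixbundle to vet
    [version]$MinimumAppInstallerVersion = '1.16.13405.0',   # ASSUMED fixed build; confirm against MSRC advisory
    [string[]]$TrustedPublishers = @()                       # expected signer subjects, e.g. 'CN=Contoso, O=Contoso, C=US'
)

function Test-AppInstallerPatched {
    param([version]$Minimum)
    # App Installer ships as the Microsoft.DesktopAppInstaller Store package.
    $pkg = Get-AppxPackage -Name 'Microsoft.DesktopAppInstaller' -ErrorAction SilentlyContinue
    if (-not $pkg) {
        return [pscustomobject]@{ Installed = $false; Version = $null; Patched = $false }
    }
    $v = [version]$pkg.Version
    [pscustomobject]@{ Installed = $true; Version = $v; Patched = ($v -ge $Minimum) }
}

function Test-MsAppInstallerProtocolDisabled {
    # Assumed location of the "Enable App Installer ms-appinstaller protocol" policy.
    # A value of 0 means links of the form ms-appinstaller:?source=... are refused.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'
    $val = Get-ItemProperty -Path $key -Name 'EnableMSAppInstallerProtocol' -ErrorAction SilentlyContinue
    return ($null -ne $val -and $val.EnableMSAppInstallerProtocol -eq 0)
}

function Test-PackageSignature {
    param([string]$Path, [string[]]$AllowedSubjects)
    # MSIX/AppX packages are Authenticode-signed; the installer UI that the bug spoofed
    # is not the source of truth, the signature chain is.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    $thumb   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
    $trusted = ($sig.Status -eq 'Valid') -and
               ($AllowedSubjects.Count -eq 0 -or ($AllowedSubjects -contains $subject))
    [pscustomobject]@{ Status = $sig.Status; Signer = $subject; Thumbprint = $thumb; Trusted = $trusted }
}

$patch = Test-AppInstallerPatched -Minimum $MinimumAppInstallerVersion
$proto = Test-MsAppInstallerProtocolDisabled
$sign  = Test-PackageSignature -Path $PackagePath -AllowedSubjects $TrustedPublishers

Write-Host ("App Installer installed: {0}  version: {1}  patched (>= {2}): {3}" -f
    $patch.Installed, $patch.Version, $MinimumAppInstallerVersion, $patch.Patched)
Write-Host ("ms-appinstaller protocol disabled by policy: {0}" -f $proto)
Write-Host ("Package signature: {0}  signer: {1}  thumbprint: {2}  trusted: {3}" -f
    $sign.Status, $sign.Signer, $sign.Thumbprint, $sign.Trusted)

# Refuse to proceed unless the host is either patched or has the protocol turned off,
# AND the package itself verifies against the expected publisher.
if (-not ($patch.Patched -or $proto)) {
    Write-Warning 'Host is neither patched nor mitigated; do not install packages from links or attachments.'
    exit 1
}
if (-not $sign.Trusted) {
    Write-Warning 'Package signature is invalid or the signer is not on the allow-list; do not install.'
    exit 2
}
Write-Host 'Checks passed; install with Add-AppxPackage if you still intend to.'
exit 0
```

Run it as `.\Check-AppxPackage.ps1 -PackagePath .\setup.msix -TrustedPublishers 'CN=...'` after saving the attachment rather than clicking an `ms-appinstaller:` link, since the point of the bug was that the installer's own "verified" display could not be trusted. The script deliberately exits non-zero in both failure cases so it can be dropped into a helpdesk or software-deployment pipeline; replace the default version with the number from Microsoft's advisory before relying on the patched check.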