[German]Hoh hoh, folks, today we can open the second door in the Advent calendar and see what Microsoft has put in as a surprise for us. Today we find the AppX installer, which is used in Windows 10 and Windows 11 to install applications and apps. Here's a quick overview of why you shouldn't take the expression "Trusted Apps" quite so literally. Because the associated installer may well flush malware onto the system, but shows the apps as trusted due to a serious design flaw. This mechanism is abused by Emotet ransomware gang to spread a dropper.
Actually, I didn't intend to organize a security advent calendar. But after I put the surprise Microsoft Defender version 1.353.1874.0 falsely reports Trickbot/Emotet into the first cabinet, behind the first door, yesterday another case came under my eyes. So I put that thing behind the second door – I couln't resist.
Windows 11 and the Trusted Apps
The case came to my eyes yesterday. A user received an email that was supposed to distribute the Emotet trojan – as the following tweet makes clear. Was fortunately an administrator running Windows in a test lab.
So far, so often experienced. In an email, the victim was told that they had worked hard and now had an update available. The mail then contained a link to download something from the web. And that's where it gets interesting, if you put on the hat of the ordinary user, who was briefly trained at some point to only click on trustworthy things.
The link in the email then leads to a windows.net web page that promises a PDF preview with the report (see previous screenshot). The administrator, who documented the case on Twitter, could already tell from the link targets that something wasn't kosher. But the normal user rarely works like that – he clicks on Preview PDF. Now the dropper for the Emotet malware is supposed to become active by foisting an installer on the user as a download. But wait, we are in Windows 11, the most secure Windows ever. Surely that rejects something like this. So, the user gets the AppX installer page as shown in the following tweet.
The screenshot shown in the tweets already exposes the entire drama. The window claims to install the Adobe PDF component. And because the user has hopefully been trained not to click on everything that isn't away after counting up from 1 to 3, he looks at the information in the window. It says that the component comes from Adobe and has version 18.104.22.168. But more importantly, a logo and a Trusted App link with a green check mark appear. So the offered app is apparently secure. Only when the user clicks on the Trusted App link he get the Publisher Identity check notice visible in the above tweet. In the current case, this indicates RU, Saint-Petersburg, BITBITE LLC, which is considered a verified publisher. But things begun to smell …
However, the window shows the unsigned, arbitrary name from the app installer metadata, not the name of the entity for which the digitally signed app certificate was issued. Only this signature would reveal whether the app was signed for Adobe Inc. Brian in Pitsburg wrote:
The fact that the publisher name you see at first glance (unless you click on the "trusted app" details) is the unsigned, arbitrary name in the app installer metadata, rather than the name of the entity for which the certificate was issued, is simply baffling.
So is the terrible use of the "trusted app" designation for an installer that has not gone through any verification, analysis or reputation check.
Terrible security dialogs are the most frustrating aspect of Windows/Office security for me. And it's precisely because there is essentially no barrier or cost to improving it, at least to some degree. (And with more than a billion computers, such improvements matter).
Will Dormannalso picked it up in several tweets here. As one user comments: What the heck [is] Microsoft doing! How can something so basic not be noticed in at least one meeting? Let alone at the draft review or anywhere else. What a joke. Well, didn't I give you a nice surprise from Microsoft behind the second door of the Security Advent Calendar? I wonder if there will be another surprise tomorrow?
PS: Kevin Beaumont specified it in this tweet. The Emotet gang is still abusing two things: the AppX installer in Windows 10/11, which makes the whole thing look Trusted. And the http://windows.net hosting, also known as Azure File Hosting. And files hosted there are still not deleted promptly if malware is placed there. In the above case, the dangerous downloads were deleted after many hours due to an Abuse notice, as I understand it.
Emotet dropper as it's best
Addendum: The colleagues at Bleeping Computer apparently got their hands on an example and tested it through. In this article, Bleeping Computer describe the details that I left out for the sake of effort (and because I was concerned with the topic of "trusted apps" in general).Die Kollegen von Bleeping Computer haben offenbar ein Beispiel in die Finger bekommen und durchgetestet.
- The malware is downloaded from the windows.net domain ms-appinstaller:?source=*ttps://xxx.z13.web.core.windows.net / abcdefghi.appinstaller.
- AppX Installer installs a malicious DLL into the %Temp% folder and executes it with rundll32.exe.
- At the same time, the DLL is copied to %LocalAppData% with a random name.
- Then, the startup command is entered into HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
After that, the malware is executed every time the user logs in.
Cookies helps to fund this blog: Cookie settings