Microsoft has patched a high severity Windows zero-day vulnerability exploited in the wild to deliver Emotet malware payloads.

The bug, a Windows AppX Installer spoofing security flaw tracked as CVE-2021-43890, can be exploited remotely by threat actors with low user privileges in high complexity attacks requiring user interaction.

"We have investigated reports of a spoofing vulnerability in AppX installer that affects Microsoft Windows. Microsoft is aware of attacks that attempt to exploit this vulnerability by using specially crafted packages that include the malware family known as Emotet/Trickbot/Bazaloader," Microsoft explains.

"An attacker could craft a malicious attachment to be used in phishing campaigns. The attacker would then have to convince the user to open the specially crafted attachment.

"Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."

How to block attacks

To block exploitation attempts, Windows users have to install the patched Microsoft Desktop Installer for their platform:

Microsoft also provides mitigation measures for customers who can't immediately install the Microsoft Desktop Installer updates.

Mitigation recommended by Redmonds includes enabling BlockNonAdminUserInstall to prevent non-admins from installing Windows App packages and AllowAllTrustedAppToInstall to block app installs from outside the Microsoft Store.

Additional information is available in the workarounds section of the CVE-2021-4389 security advisory.

Emotet pushes fake Adobe Windows App Installers

BleepingComputer previously reported that Emotet began spreading using malicious Windows App Installer packages camouflaged as Adobe PDF software.

While Microsoft did not directly link the CVE-2021-4389 zero-day to this campaign, the details Redmond shared in today's advisory line up with tactics used in recent Emotet attacks.

As we reported on December 1, the Emotet gang started infecting Windows 10 systems by installing malicious packages using the App Installer built-in feature (or, as Microsoft calls it, AppX Installer).

More information, including the way Emotet abused the Windows App Installer in this campaign, can be found in our previous report.

App Installer prompting to install the Fake Adobe PDF ComponentApp Installer prompting to install the Fake Adobe PDF Component (BleepingComputer)

The same tactic was used previously to distribute the BazarLoader malware by deploying malicious packages hosted on Microsoft Azure.

Emotet was the most distributed malware until a law enforcement operation shut down and seized the botnet's infrastructure in January. Ten months later, in November, Emotet was resurrected, and it started rebuilding with the help of the TrickBot gang.

One day after its comeback, Emotet spam campaigns started again with phishing emails using various lures and malicious documents designed to deploy the malware on victims' systems.