Pain in the Appx

Presented at Kernelcon 2022, April 2, 2022, 2 p.m. (60 minutes).

Windows application package files (.APPX) are the installation format used to install Universal Windows Platform apps. Like other installer types, such as MSI files, APPX files exist to provide simple distribution and installation of software. However, they have recently been abused by what we track as an emerging, financially motivated cybercriminal group distributing BazaarLoader/Emotet malware. In this presentation, we will show how we identified and tracked this activity, dive into malware analysis of the observed campaigns, discuss the infection chain, and explain how this led to the ms-appinstaller HTML protocol handler being removed. We will finish by exploring network- and file-based detection opportunities for defenders.


Presenters:

  • Nick Beede
    Nick is a UNO alum and founding member of NULLify that now works at Microsoft with Jack and enjoys spotting and stomping threat actors.
  • Jack Mott
    Jack is a Senior Security Analyst who enjoys punching miscreants and having fun while doing it.