Social Engineering with Universal Windows Platform (APPX) Software

    The picture shows the device families (PCs, smartphones, IoT, Xbox, Surface Hub, HoloLens) that support Universal Windows Platform applications

    TL;DR: You can pack a regular .exe file into a Universal Windows Platform .appx file that runs on Windows 10 (build 1607 and newer) in much the same way as a regular .exe. This can be used for social engineering attacks via email distribution, because email providers do not block APPX files. The file must be signed with a valid digital signature.

    Universal Windows Platform

    Universal Windows Platform is a (comparatively) new standard for creating universal applications for Windows 10, Windows 10 Mobile, Xbox One and HoloLens. It appeared with the release of Windows 10 and defines an API with privilege restriction and isolation, a container format, and the metadata carried inside the container.
    UWP applications are widely represented in the Microsoft Store. They are self-contained and sandboxed, do not require administrator rights to install, store their settings in strictly designated locations, and can be removed completely right from the Start menu.

    UWP is Microsoft's attempt to get rid of old architectural approaches to program development: to implement privilege separation the way mobile platforms do, and to move away from the pixel-grid WinAPI GUI so that screens of any pixel density are fully supported.
    UWP programs can be written in C#, C++, VB and JS; XAML, DirectX and HTML are offered as GUI frameworks.

    Until recently, UWP programs could only run sandboxed, but in Windows 10 build 1607 Microsoft shipped the Desktop Bridge: the ability to package any Win32 program as UWP without using the UWP API, and without the privilege restrictions and isolation.
    This feature opens up room for social engineering attacks.

    APPX format

    UWP standardizes the APPX file format: an ordinary ZIP archive with a specific structure. The APPX file must contain AppxManifest.xml, a description of the package contents that you can generate with tooling or write by hand.
    AppxManifest.xml holds the program name, description, icon, the capabilities the package requests, the executable to run and the entry point inside it. A Desktop Bridge package is recognisable by two things in that manifest: the application entry point Windows.FullTrustApplication and the restricted capability runFullTrust, which is what switches the sandbox off.
    For the APPX file to install, it must be signed with a code-signing certificate that chains to a certificate authority trusted by the target machine, and the Publisher attribute in the manifest's Identity element must match the subject of the signing certificate exactly, otherwise signing fails.

    Example AppxManifest.xml file with isolation disabled (the listing did not survive extraction; the sample used the placeholder values "test" for the names and "logo.png" for the icon)

    The easiest way to package an existing Win32 exe as APPX with the Desktop Bridge is to write the manifest by hand and build the container with the makeappx.exe utility from the Windows SDK:
    makeappx.exe pack /d input_directory /p output.appx

    Then sign the package with signtool.exe (the /fd hash algorithm must match the one used for the package block map; makeappx defaults to SHA-256):
    signtool.exe sign /f "mycert.pfx" /p "123456" /fd sha256 /tr http://timestamp.comodoca.com/?td=sha256 /td sha256 output.appx
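The whole procedure (manifest, packaging, signing) as one script, added here as an example and not taken from the original article. It assumes makeappx.exe and signtool.exe from the Windows SDK are on PATH, that the Win32 program to wrap is .\app.exe, and it creates a throwaway self-signed code-signing certificate (subject "CN=Example Publisher", password "P@ssw0rd!") instead of a CA-issued one; the package name, publisher and password are placeholders. The manifest reproduces the placeholder values the article's sample used ("test" and logo.png) and sets MinVersion to 10.0.14393.0, which is build 1607.

```powershell
# Added example: package a Win32 .exe as a Desktop Bridge APPX and sign it.
# Assumptions: makeappx.exe and signtool.exe on PATH, .\app.exe is the program
# to wrap, names and password below are placeholders.
$ErrorActionPreference = 'Stop'

$Exe       = '.\app.exe'                 # assumption: the Win32 program to package
$PkgDir    = Join-Path $PWD 'pkg'
$Publisher = 'CN=Example Publisher'      # must equal the signing certificate Subject exactly
$PfxPath   = Join-Path $PWD 'mycert.pfx'
$PfxPass   = 'P@ssw0rd!'                 # assumption: throwaway password for the test cert
$Out       = Join-Path $PWD 'output.appx'

New-Item -ItemType Directory -Force -Path $PkgDir | Out-Null
Copy-Item $Exe (Join-Path $PkgDir 'app.exe')

# makeappx refuses to pack when images named in the manifest are missing,
# so generate a blank 150x150 PNG and reuse it for every logo slot.
Add-Type -AssemblyName System.Drawing
$bmp = New-Object System.Drawing.Bitmap 150, 150
$bmp.Save((Join-Path $PkgDir 'logo.png'), [System.Drawing.Imaging.ImageFormat]::Png)
$bmp.Dispose()

# Desktop Bridge manifest. EntryPoint="Windows.FullTrustApplication" together
# with the rescap runFullTrust capability is what disables the UWP sandbox.
$manifest = @"
<?xml version="1.0" encoding="utf-8"?>
<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10"
         xmlns:uap="http://schemas.microsoft.com/appx/manifest/uap/windows10"
         xmlns:rescap="http://schemas.microsoft.com/appx/manifest/foundation/windows10/restrictedcapabilities"
         IgnorableNamespaces="uap rescap">
  <Identity Name="Example.DesktopBridgeApp" Publisher="$Publisher"
            Version="1.0.0.0" ProcessorArchitecture="x64" />
  <Properties>
    <DisplayName>test</DisplayName>
    <PublisherDisplayName>test</PublisherDisplayName>
    <Logo>logo.png</Logo>
  </Properties>
  <Dependencies>
    <TargetDeviceFamily Name="Windows.Desktop" MinVersion="10.0.14393.0" MaxVersionTested="10.0.14393.0" />
  </Dependencies>
  <Resources>
    <Resource Language="en-us" />
  </Resources>
  <Applications>
    <Application Id="App" Executable="app.exe" EntryPoint="Windows.FullTrustApplication">
      <uap:VisualElements DisplayName="test" Description="test" BackgroundColor="transparent"
                          Square150x150Logo="logo.png" Square44x44Logo="logo.png" />
    </Application>
  </Applications>
  <Capabilities>
    <rescap:Capability Name="runFullTrust" />
  </Capabilities>
</Package>
"@
# Write as UTF-8 without BOM (Set-Content in Windows PowerShell would use ANSI).
$utf8NoBom = New-Object System.Text.UTF8Encoding $false
[System.IO.File]::WriteAllText((Join-Path $PkgDir 'AppxManifest.xml'), $manifest, $utf8NoBom)

# Self-signed code-signing certificate whose Subject equals the manifest Publisher.
$cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject $Publisher `
        -CertStoreLocation 'Cert:\CurrentUser\My' -NotAfter (Get-Date).AddYears(1)
$secure = ConvertTo-SecureString $PfxPass -AsPlainText -Force
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $secure | Out-Null
Export-Certificate -Cert $cert -FilePath (Join-Path $PWD 'mycert.cer') | Out-Null

# Build the container (/o overwrites an existing output file), then sign it.
& makeappx.exe pack /d $PkgDir /p $Out /o
if ($LASTEXITCODE -ne 0) { throw "makeappx failed with exit code $LASTEXITCODE" }
& signtool.exe sign /fd SHA256 /f $PfxPath /p $PfxPass $Out
if ($LASTEXITCODE -ne 0) { throw "signtool failed with exit code $LASTEXITCODE" }
Write-Host "Built and signed $Out"
```

A timestamp (/tr and /td, as in the command above) is omitted only because it needs network access. App Installer will refuse a package whose certificate it does not trust, so on your own test machine import mycert.cer into Cert:\LocalMachine\Root from an elevated prompt (Import-Certificate -FilePath .\mycert.cer -CertStoreLocation Cert:\LocalMachine\Root) and then install with Add-AppxPackage .\output.appx, provided sideloading is permitted by policy. A victim's machine has no such trust, which is exactly why the article lists the certificate as the technique's main cost.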


    APPX Benefits for Social Engineering

    APPX files can be used in mass mailings as a replacement for exe files where the mail server filters messages with exe attachments.
    APPX installation takes one click and does not require administrator rights. The installer's "launch after install" checkbox is checked by default, so the program starts immediately unless the user clears it.



    None of the popular email services block APPX files as attachments.
    Gmail has an odd quirk: the file must be larger than 4 megabytes.
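Because mail gateways let the format through, the check that matters is on the receiving side. The following triage function is an added example, not code from the original article: it opens an .appx attachment as the ZIP it is, reads AppxManifest.xml, and reports whether the package is a Desktop Bridge package (runFullTrust capability or the Windows.FullTrustApplication entry point), who the declared publisher is, which executables it launches, and what the Authenticode signature state is. The attachment path and the "attachments" folder in the usage line are assumptions.

```powershell
# Added example: offline triage of .appx attachments (not from the original article).
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-AppxManifestXml {
    param([Parameter(Mandatory)][string]$Path)
    # An APPX is a ZIP archive; the manifest always sits at the root.
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        $entry = $zip.GetEntry('AppxManifest.xml')
        if (-not $entry) { throw "$Path has no AppxManifest.xml (not an APPX package)" }
        $reader = New-Object System.IO.StreamReader($entry.Open())
        try { return [xml]$reader.ReadToEnd() } finally { $reader.Dispose() }
    } finally { $zip.Dispose() }
}

function Test-AppxAttachment {
    param([Parameter(Mandatory)][string]$Path)
    $m = Get-AppxManifestXml -Path $Path

    # PowerShell's XML adapter navigates by local name, so both plain
    # <Capability> and <rescap:Capability> show up under .Capability.
    $caps = @($m.Package.Capabilities.Capability | ForEach-Object { $_.Name })
    $apps = @($m.Package.Applications.Application)
    $fullTrustApps = @($apps | Where-Object { $_.EntryPoint -eq 'Windows.FullTrustApplication' })
    $fullTrust = ($caps -contains 'runFullTrust') -or ($fullTrustApps.Count -gt 0)

    # APPX signatures are Authenticode; Status is Valid, NotSigned, UnknownError, ...
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signedBy = ''
    if ($sig.SignerCertificate) { $signedBy = $sig.SignerCertificate.Subject }

    $verdict = 'review'
    if ($fullTrust) { $verdict = 'BLOCK: Desktop Bridge package, launches unsandboxed Win32 code' }
    elseif ($sig.Status -ne 'Valid') { $verdict = 'BLOCK: signature not valid, cannot install anyway' }

    [pscustomobject]@{
        File        = Split-Path $Path -Leaf
        Publisher   = $m.Package.Identity.Publisher
        Executables = (($apps | ForEach-Object { $_.Executable }) -join ', ')
        FullTrust   = [bool]$fullTrust
        SigStatus   = $sig.Status
        SignedBy    = $signedBy
        Verdict     = $verdict
    }
}

# Usage (assumed folder): Get-ChildItem .\attachments\*.appx |
#     ForEach-Object { Test-AppxAttachment -Path $_.FullName } | Format-Table -AutoSize
```

On the mail gateway itself the simpler fix is to extend the executable-attachment rule to .appx, .appxbundle, .msix and .msixbundle; on endpoints, AppLocker "Packaged app" rules restrict which publishers' packages may install, and installs that do occur are recorded in the Microsoft-Windows-AppXDeploymentServer/Operational event log.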

    Delivery of APPX files via Yandex, Mail.ru and GMail mail

    Summary

    Benefits of APPX Desktop Bridge for malware distribution:
    • Behaves like an exe file
    • Imposes no isolation or privilege restrictions
    • Installs and runs in one click
    • Not filtered by mail servers

    Disadvantages:
    • Requires a code-signing certificate
    • Only works on Windows 10 1607 and later.

