
Microsoft said Thursday that it will once again disable the ms-appinstaller protocol handler by default after multiple threat actors abused it to spread malware.
Microsoft’s Threat Intelligence Team said: “Observed threat actor activity abused the current implementation of the ms-appinstaller protocol handler as an access vector for malware that could lead to ransomware distribution.”
It also noted that some cybercriminals are selling malware toolkits as a service that exploit the MSIX file format and the ms-appinstaller protocol handler. The change takes effect in App Installer version 1.21.3421.0 and later.
These attacks take the form of signed malicious MSIX application packages that are distributed via Microsoft Teams or through malvertising for legitimate, popular software on search engines such as Google.
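The defensive angle here is the protocol handler itself: a malvertised link that opens App Installer shows up in web proxy or browser history logs as an ms-appinstaller: URI whose `source` parameter points at the package. The following Python snippet is an added example, not code from the article or from Microsoft; it hunts through a handful of constructed proxy log lines, extracts the package URL from each ms-appinstaller: URI, and flags any whose host is not on a hypothetical allowlist of internal package servers. The log format, host names and allowlist are all assumptions.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample proxy log lines (not from the article):
# timestamp, client IP, method, requested URL.
SAMPLE_LOG = """\
2023-12-14T10:02:11Z 10.0.0.21 GET https://search.example.test/ads?q=teamviewer
2023-12-14T10:02:14Z 10.0.0.21 GET ms-appinstaller:?source=https://cdn.lookalike-download.test/TeamViewer.msix
2023-12-14T10:05:40Z 10.0.0.33 GET https://intranet.example.test/docs/index.html
2023-12-14T10:07:02Z 10.0.0.44 GET ms-appinstaller:?source=https://apps.internal.example.test/LineOfBusiness.msixbundle
"""

# Hypothetical allowlist: hosts from which MSIX packages are legitimately deployed.
TRUSTED_PACKAGE_HOSTS = {"apps.internal.example.test"}

# Matches an ms-appinstaller: URI up to the next whitespace or quote.
URI_RE = re.compile(r"\bms-appinstaller:[^\s\"']+", re.IGNORECASE)


def extract_source(uri: str) -> Optional[str]:
    """Return the 'source' query parameter of an ms-appinstaller: URI, or None.

    The URI has the shape ms-appinstaller:?source=<package-url>, so everything
    after the scheme is treated as a query string.
    """
    _, _, rest = uri.partition(":")
    query = rest[1:] if rest.startswith("?") else rest
    values = parse_qs(query).get("source")
    return values[0] if values else None


def find_untrusted_installs(log_text: str) -> List[Dict[str, Optional[str]]]:
    """Return one finding per ms-appinstaller: URI whose package host is not allowlisted."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split(maxsplit=3)
        if len(fields) < 4:
            continue  # malformed line; skip rather than crash the hunt
        timestamp, client, _method, url = fields
        for match in URI_RE.finditer(url):
            source = extract_source(match.group(0))
            host = urlsplit(source).hostname if source else None
            if host not in TRUSTED_PACKAGE_HOSTS:
                findings.append(
                    {"time": timestamp, "client": client, "source": source, "host": host}
                )
    return findings


if __name__ == "__main__":
    for f in find_untrusted_installs(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} fetched MSIX package from untrusted host {f['host']}: {f['source']}")
```

A URI with no `source` parameter (host `None`) is deliberately flagged too, since App Installer would have nothing legitimate to fetch from it. In practice the allowlist would be populated from the organisation's own package distribution points, and the finding would be enriched with the client's preceding search or ad click, which is where the malvertising lure described above becomes visible.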
Since mid-November 2023, at least four different financially motivated hacking groups have been observed exploiting the App Installer service as an entry point for subsequent human-operated ransomware campaigns:
- Storm-0569, an initial access broker that spreads BATLOADER through search engine optimization (SEO) poisoning using lookalike websites for Zoom, Tableau, TeamViewer, and AnyDesk, then uses the malware to deliver Cobalt Strike and hand off access to Storm-0506 for deployment of the Black Basta ransomware.
- Storm-1113, an initial access broker that uses a fake MSIX installer disguised as Zoom to distribute EugenLoader (aka FakeBat), which acts as a conduit for various information stealers and remote access trojans.
- Sangria Tempest (also known as Carbon Spider and FIN7), which uses Storm-1113's EugenLoader to deliver Carbanak, which in turn delivers an implant called Gracewire. The group also relies on Google ads to lure users into downloading a malicious MSIX application package from a rogue landing page, distributing POWERTRASH, which is then used to load NetSupport RAT and Gracewire.
- Storm-1674, an initial access broker that uses the TeamsPhisher tool to send fake login pages disguised as Microsoft OneDrive and SharePoint through Teams messages, urging recipients to open PDF files. Users who click these files are prompted to update Adobe Acrobat Reader, which downloads a malicious MSIX installer containing a SectopRAT or DarkGate payload.
Microsoft describes Storm-1113 as an entity that also operates on an "as a service" basis, providing malicious installers and landing page frameworks that mimic well-known software to other threat actors, such as Sangria Tempest and Storm-1674.

In October 2023, Elastic Security Labs detailed another campaign in which fake MSIX Windows application package files for Google Chrome, Microsoft Edge, Brave, Grammarly, and Cisco Webex were used to distribute a malware loader named GHOSTPULSE.
This is not the first time Microsoft has disabled the MSIX ms-appinstaller protocol handler in Windows. In February 2022, the tech giant took the same step to prevent threat actors from weaponizing it to spread Emotet, TrickBot, and Bazaloader.
“Threat actors may have selected the ms-appinstaller protocol handler vector because it can bypass mechanisms designed to help protect users from malware, such as Microsoft Defender SmartScreen and built-in browsers that download executable formats,” Microsoft warned.