Microsoft has disabled the ms-appinstaller protocol handler by default after new evidence emerged that hackers were using it to deploy malware.
“The observed activity of threat actors is abusing the current implementation of the ms-appinstaller protocol handler as an entry vector for malware that could lead to ransomware distribution,” Microsoft said in a new release. safety advice.
Additionally, the Redmond-based giant noticed hackers selling malware kits on the dark web that use the MSIX file format and the ms-appinstaller protocol handler.
Four threat actors
Apparently, the threat actors create malicious fake advertisements for legitimate and popular software in order to redirect victims to websites under their control. There they trick them into downloading malware. A second distribution vector is phishing via Microsoft Teams, the company said.
“Threat actors likely selected the ms-appinstaller protocol handler vector because it can bypass mechanisms designed to protect users from malware, such as Microsoft Defender SmartScreen and built-in browser alerts for downloads of executable file formats,” the advisory reads.
Since mid-November this year, at least four threat actors have abused the App Installer service, Microsoft further explained, including Storm-0569, Storm-1113, Sangria Tempest (AKA FIN7), and Storm-1674. The first is an access broker that typically hands over access to Storm-0506, which then deploys the Black Basta ransomware. FIN7, which researchers also spotted earlier this week masquerading as banking software, used the App Installer service to drop Gracewire, while Storm-1674 masquerades as Microsoft OneDrive and SharePoint via Teams messages.
The handler is disabled in App Installer version 1.21.3421.0 or later.
This is not the first time that MSIX Windows app package files have been misused in malware distribution. The HackerNews say. In October 2023, Elastic Security Labs discovered that such files for Google Chrome, Microsoft Edge, Brave, Grammarly and Cisco Webex were used to distribute a malware loader called GHOSTPULSE. Furthermore, Microsoft disabled the handler once before, in February last year.