
Microsoft Disables MS-AppInstaller Protocol Handler to Thwart Rising Malware Threats

Tech Giant Takes Swift Action to Safeguard Users Against Exploitation by Cybercriminals

NEWS  Security  December 29, 2023  Reading time: 2 Minute(s)

Max (RS editor)


Microsoft has once again tightened its cybersecurity measures by disabling the ms-appinstaller protocol handler by default, citing the increasing misuse of this feature by multiple threat actors to distribute malware. The move comes in response to a growing trend where cybercriminals exploit the ms-appinstaller protocol handler as an access vector for malware, with a specific focus on ransomware distribution.

The Microsoft Threat Intelligence team reported that threat actors are leveraging the current implementation of the ms-appinstaller protocol handler to facilitate the distribution of malware. Particularly alarming is the emergence of a malware kit offered as a service, utilizing the MSIX file format and ms-appinstaller protocol handler. The protective changes have been implemented in App Installer version 1.21.3421.0 or higher.
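As an added example (not code from the article or from Microsoft), the PowerShell below audits a Windows host for the mitigation the article describes: it reads the installed App Installer version, compares it against the 1.21.3421.0 build the article names, and reports whether the protocol handler is effectively blocked. It assumes the App Installer package name `Microsoft.DesktopAppInstaller` and the Group Policy registry value `HKLM\SOFTWARE\Policies\Microsoft\Windows\AppInstaller\EnableMSAppInstallerProtocol`; neither identifier appears in the article, so treat both as assumptions to confirm against Microsoft's current documentation.

```powershell
# Added example (not from the article or from Microsoft). Assumed identifiers:
# package name Microsoft.DesktopAppInstaller and the policy value
# HKLM\SOFTWARE\Policies\Microsoft\Windows\AppInstaller\EnableMSAppInstallerProtocol.

# Build named in the article as the first one that disables the handler by default.
$MinimumVersion = [version]'1.21.3421.0'

function Get-AppInstallerVersion {
    # Returns the highest installed App Installer version, or $null if the package is absent.
    $pkgs = Get-AppxPackage -AllUsers -Name 'Microsoft.DesktopAppInstaller' -ErrorAction SilentlyContinue
    if (-not $pkgs) { return $null }
    return ($pkgs | ForEach-Object { [version]$_.Version } | Sort-Object -Descending | Select-Object -First 1)
}

function Get-MsAppInstallerPolicy {
    # Reads the (assumed) Group Policy value; 0 means the handler is explicitly disabled.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'
    $item = Get-ItemProperty -Path $key -Name 'EnableMSAppInstallerProtocol' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.EnableMSAppInstallerProtocol -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Test-MsAppInstallerMitigation {
    $version = Get-AppInstallerVersion
    $policy  = Get-MsAppInstallerPolicy
    $coversDefault = ($null -ne $version -and $version -ge $MinimumVersion)

    # The handler is blocked when policy disables it outright, or when the patched
    # build (disabled by default) is installed and policy has not re-enabled it.
    $blocked = ($policy -eq 'Disabled') -or ($coversDefault -and $policy -ne 'Enabled')

    return [pscustomobject]@{
        AppInstallerVersion  = $version
        VersionCoversDefault = $coversDefault
        PolicyState          = $policy
        HandlerBlocked       = $blocked
    }
}

# Usage: run in an elevated PowerShell session so -AllUsers and the HKLM key are readable.
Test-MsAppInstallerMitigation | Format-List
```

A `HandlerBlocked` value of `False` on a fleet report is the actionable finding: either the App Installer package is older than the build named above, or the policy value has been set to re-enable the handler, and in both cases the SmartScreen and browser-warning bypass the article describes remains reachable.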

According to the Microsoft Threat Intelligence team, the attacks primarily involve signed malicious MSIX application packages distributed through Microsoft Teams or deceptive advertisements for widely used software on search engines like Google. Since mid-November 2023, at least four financially motivated hacking groups have been identified exploiting the App Installer service, using it as a gateway for subsequent human-operated ransomware activities.

The identified threat actors and their tactics include:

  1. Storm-0569: Initiates BATLOADER propagation through SEO poisoning, utilizing fake Zoom, Tableau, TeamViewer, and AnyDesk sites. Deploys Cobalt Strike and hands off access to Storm-0506 for Black Basta ransomware deployment.
  2. Storm-1113: Utilizes bogus MSIX installers posing as Zoom to distribute EugenLoader, acting as a conduit for various stealer malware and remote access trojans.
  3. Sangria Tempest (Carbon Spider and FIN7): Deploys Carbanak through Storm-1113's EugenLoader, distributing Gracewire. Alternatively, uses Google ads to trick users into downloading malicious MSIX application packages for POWERTRASH, leading to NetSupport RAT and Gracewire.
  4. Storm-1674: Sends fake landing pages via Teams messages, masquerading as Microsoft OneDrive and SharePoint through the TeamsPhisher tool, distributing SectopRAT or DarkGate payloads through malicious MSIX installers.

Microsoft has identified Storm-1113 as an "as-a-service" entity, providing malicious installers and landing page frameworks mimicking well-known software to other threat actors, such as Sangria Tempest and Storm-1674. Notably, in October 2023, Elastic Security Labs detailed a campaign using spurious MSIX Windows app package files for popular applications like Google Chrome, Microsoft Edge, Brave, Grammarly, and Cisco Webex to distribute the GHOSTPULSE malware loader.

This marks the second time Microsoft has disabled the MSIX ms-appinstaller protocol handler, with the tech giant taking similar action in February 2022 to prevent the delivery of Emotet, TrickBot, and BazaLoader.

"Threat actors have likely chosen the ms-appinstaller protocol handler vector because it can bypass mechanisms designed to help keep users safe from malware, such as Microsoft Defender SmartScreen and built-in browser warnings for downloads of executable file formats." - Microsoft Threat Intelligence Team

 COVER IMAGE: FREEPIK 
