Cookie Consent by Free Privacy Policy Generator Microsoft Disables MS-AppInstaller Protocol Handler to Thwart Rising Malware Threats | Review Space



Cover Image

Microsoft Disables MS-AppInstaller Protocol Handler to Thwart Rising Malware Threats

Tech Giant Takes Swift Action to Safeguard Users Against Exploitation by Cybercriminals

NEWS  Security  December 29, 2023  Reading time: 2 Minute(s)

mdo Max (RS editor)


Microsoft has once again tightened its cybersecurity measures by disabling the ms-appinstaller protocol handler by default, citing the increasing misuse of this feature by multiple threat actors to distribute malware. The move comes in response to a growing trend where cybercriminals exploit the ms-appinstaller protocol handler as an access vector for malware, with a specific focus on ransomware distribution.

The Microsoft Threat Intelligence team reported that threat actors are leveraging the current implementation of the ms-appinstaller protocol handler to facilitate the distribution of malware. Particularly alarming is the emergence of a malware kit offered as a service, utilizing the MSIX file format and ms-appinstaller protocol handler. The protective changes have been implemented in App Installer version 1.21.3421.0 or higher.

According to the Microsoft Threat Intelligence team, the attacks primarily involve signed malicious MSIX application packages distributed through Microsoft Teams or deceptive advertisements for widely used software on search engines like Google. Since mid-November 2023, at least four financially motivated hacking groups have been identified exploiting the App Installer service, using it as a gateway for subsequent human-operated ransomware activities.

The identified threat actors and their tactics include:

  1. Storm-0569: Initiates BATLOADER propagation through SEO poisoning, utilizing fake Zoom, Tableau, TeamViewer, and AnyDesk sites. Deploys Cobalt Strike and hands off access to Storm-0506 for Black Basta ransomware deployment.
  2. Storm-1113: Utilizes bogus MSIX installers posing as Zoom to distribute EugenLoader, acting as a conduit for various stealer malware and remote access trojans.
  3. Sangria Tempest (Carbon Spider and FIN7): Deploys Carbanak through Storm-1113's EugenLoader, distributing Gracewire. Alternatively, uses Google ads to trick users into downloading malicious MSIX application packages for POWERTRASH, leading to NetSupport RAT and Gracewire.
  4. Storm-1674: Sends fake landing pages via Teams messages, masquerading as Microsoft OneDrive and SharePoint through the TeamsPhisher tool, distributing SectopRAT or DarkGate payloads through malicious MSIX installers.

Microsoft has identified Storm-1113 as an "as-a-service" entity, providing malicious installers and landing page frameworks mimicking well-known software to other threat actors, such as Sangria Tempest and Storm-1674. Notably, in October 2023, Elastic Security Labs detailed a campaign using spurious MSIX Windows app package files for popular applications like Google Chrome, Microsoft Edge, Brave, Grammarly, and Cisco Webex to distribute the GHOSTPULSE malware loader.

This marks the second time Microsoft has disabled the MSIX ms-appinstaller protocol handler, with the tech giant taking similar action in February 2022 to prevent the delivery of Emotet, TrickBot, and Bazaloader. 

"Threat actors have likely chosen the ms-appinstaller protocol handler vector because it can bypass mechanisms designed to help keep users safe from malware, such as Microsoft Defender SmartScreen and built-in browser warnings for downloads of executable file formats." - Microsoft Threat Intelligence Team

 COVER IMAGE: FREEPIK 

SHARE THIS ARTICLE



 COMMENTS


Deprecated: Implicit conversion from float 36.5 to int loses precision in /web/htdocs/www.reviewspace.info/home/bl-plugins/snicker/includes/Gregwar/Captcha/CaptchaBuilder.php on line 343 Deprecated: Implicit conversion from float 25.5 to int loses precision in /web/htdocs/www.reviewspace.info/home/bl-plugins/snicker/includes/Gregwar/Captcha/CaptchaBuilder.php on line 343 Deprecated: Implicit conversion from float 46.5 to int loses precision in /web/htdocs/www.reviewspace.info/home/bl-plugins/snicker/includes/Gregwar/Captcha/CaptchaBuilder.php on line 343 Deprecated: Implicit conversion from float 30.5 to int loses precision in /web/htdocs/www.reviewspace.info/home/bl-plugins/snicker/includes/Gregwar/Captcha/CaptchaBuilder.php on line 343 Deprecated: Implicit conversion from float 66.5 to int loses precision in /web/htdocs/www.reviewspace.info/home/bl-plugins/snicker/includes/Gregwar/Captcha/CaptchaBuilder.php on line 343 Deprecated: Implicit conversion from float 28.5 to int loses precision in /web/htdocs/www.reviewspace.info/home/bl-plugins/snicker/includes/Gregwar/Captcha/CaptchaBuilder.php on line 343 Deprecated: Implicit conversion from float 87.5 to int loses precision in /web/htdocs/www.reviewspace.info/home/bl-plugins/snicker/includes/Gregwar/Captcha/CaptchaBuilder.php on line 343 Deprecated: Implicit conversion from float 24.5 to int loses precision in /web/htdocs/www.reviewspace.info/home/bl-plugins/snicker/includes/Gregwar/Captcha/CaptchaBuilder.php on line 343 Deprecated: Implicit conversion from float 106.5 to int loses precision in /web/htdocs/www.reviewspace.info/home/bl-plugins/snicker/includes/Gregwar/Captcha/CaptchaBuilder.php on line 343 Deprecated: Implicit conversion from float 24.5 to int loses precision in /web/htdocs/www.reviewspace.info/home/bl-plugins/snicker/includes/Gregwar/Captcha/CaptchaBuilder.php on line 343
Currently there are no comments, so be the first!

*Our pages may contain affiliate links. If you buy something via one of our affiliate links, Review Space may earn a commission. Thanks for your support!
spacer

SPONSORED



SPONSORED


CATEGORIES



banner

Buy Me a Coffee at ko-fi.com