Microsoft has once again turned off the MSIX MS-app installer. This decision from Microsoft has come lately when multiple threat organizations began using it. The threat actors were using the MS-app installer protocol to infect Windows systems with malware.
To bypass security measures that would normally shield Windows users from malware, the attackers took advantage of the Windows AppX Installer spoofing vulnerability (CVE-2021-43890). Components like the Defender SmartScreen anti-phishing and anti-malware component and built-in browser alerts warn users against downloading these .exe files.
In-depth About MS-app Installer Protocol
Microsoft investigated the misuse of the App Installer by the threat actors. In response to these attacks, the tech giant has now turned off the MS-app installer protocol handler by default for its users.
Explaining the exploitation of App Installer, Microsoft said, “Since mid-November 2023, Microsoft Threat Intelligence has observed threat actors, including financially motivated actors like Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674, utilizing the ms-app installer URI (Uniform Resource Identifier) scheme (protocol) to distribute malware”.
The financially motivated hacking group Sangria Tempest (also known as FIN7) has previously been connected to the REvil and Maze ransomware. These groups are known for their involvement in the now-defunct BlackMatter and DarkSide ransomware operations.
The MS-app installer protocol handler was being abused by threat actors, who exploited it as a means of distributing ransomware through an access vector. Additionally, many fraudsters are offering a malware kit for sale that exploits the MSIX file format and the MS-app installer protocol handler.
Propagation of Malicious Files
MSIX application packages serve as a disguise for the malicious files. These packages are signed and distributed through Microsoft Teams or as malicious search engine advertisements on Google and other major search engines.
In similar instances in December 2021, Emotet hacker group deployed malicious Windows AppX Installer packages. These packages appeared as Adobe PDF applications to stealthily infiltrate Windows 10 and Windows 11 systems.
Additionally, malicious packages stored on Microsoft Azure utilizing *.web.core.windows.net URLs were used to spread the BazarLoader malware. This particular operation took advantage of the AppX Installer spoofing vulnerability.
In an effort to stop Emotet’s assault, Microsoft had previously deactivated the MS-app installer protocol handler in February 2022. Microsoft center in Redmond also disabled the MS-app installer protocol handler earlier this month because victims of these assaults may also be the subject of ransomware.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
