In response to the increasing threat posed by multiple malicious actors, Microsoft announced on Thursday that it is once again taking measures to disable the ms-appinstaller protocol handler by default. This decision comes in the wake of its exploitation by threat actors to facilitate the widespread distribution of malware.
The Microsoft Threat Intelligence team revealed that the observed malicious activities involve the abuse of the current implementation of the ms-appinstaller protocol handler as an access vector for malware, potentially leading to the deployment of ransomware.
Highlighting the severity of the issue, the team identified the emergence of a disturbing trend where cybercriminals are offering a malware kit as a service. This kit leverages the MSIX file format and ms-appinstaller protocol handler, with the changes taking effect in App Installer version 1.21.3421.0 or higher.
The attack methods predominantly manifest as signed malicious MSIX application packages, strategically distributed through popular channels such as Microsoft Teams or disguised as malicious advertisements for legitimate and widely-used software on search engines like Google.
Since mid-November 2023, at least four distinct financially motivated hacking groups have been detected exploiting the App Installer service. These threat actors utilize the protocol handler as an entry point for subsequent human-operated ransomware activities, demonstrating the evolving sophistication of cyber threats.
Among the notable groups, Storm-0569 employs BATLOADER through search engine optimization (SEO) poisoning, while Storm-1113 employs bogus MSIX installers masquerading as Zoom to distribute EugenLoader. Sangria Tempest (also known as Carbon Spider and FIN7) utilizes Storm-1113’s EugenLoader to drop Carbanak and relies on Google ads to distribute malicious MSIX application packages. Meanwhile, Storm-1674 utilizes fake landing pages masquerading as Microsoft OneDrive and SharePoint through Teams messages.
Notably, Microsoft emphasized that Storm-1113 operates in an “as-a-service” capacity, providing malicious installers and landing page frameworks to other threat actors, including Sangria Tempest and Storm-1674.
This proactive move by Microsoft echoes a similar action taken in February 2022 when the tech giant disabled the MSIX ms-appinstaller protocol handler to prevent the delivery of Emotet, TrickBot, and Bazaloader. The company acknowledged that threat actors likely favor this vector due to its ability to bypass security mechanisms designed to protect users from malware, such as Microsoft Defender SmartScreen and built-in browser warnings for executable file formats.