Microsoft has disabled the App Installer feature to protect users and prevent threat actors from maliciously exploiting its products and features.
The ms-appinstaller URI scheme, which allows users to download and install apps directly from websites using the MSIX package installer, is being abused in malicious activities, reports Microsoft Threat Intelligence.
Researchers found that ‘financially motivated’ threat actors use the ms-appinstaller URI scheme for malware distribution, prompting Microsoft to disable the protocol handler by default.
For your information, the ms-appinstaller URI scheme lets websites skip the download-and-install step, directly installing apps with seamless convenience.
However, the Microsoft Security Response Center (MSRC) found that cyber criminals were abusing the feature through “social engineering and phishing techniques” to get people to download malicious apps via this protocol.
Reportedly, it is used as an access vector for malware, potentially leading to ransomware distribution. Cybercriminals are selling a malware kit that exploits the MSIX file format and handler. They distribute signed malicious packages through websites and malicious advertisements for popular software.
The threat actors likely chose this vector because it can bypass security measures like Microsoft Defender SmartScreen and browser warnings when downloading executables. The extent of this activity remains unknown. However, multiple threat actors are abusing this feature.
This vector is likely chosen because it can bypass security measures like Microsoft Defender SmartScreen and browser warnings when downloading executables. The extent of this activity remains unknown. However, multiple threat actors are abusing this feature.
According to Mircosoft’s blog post, in mid-November, Microsoft detected Storm-1113’s EugenLoader malware delivered through search advertisements mimicking the Zoom app. When someone accesses a compromised website, a malicious MSIX installer is downloaded along with additional payloads, including malware like Gozi, Redline stealer, IcedID, Smoke Loader, NetSupport Manager, Sectop RAT, and Lumma stealer.
The same month, the cybercriminal group Sangria Tempest used EugenLoader and Carbanak backdoors to deliver malware implants. It also used Google ads to lure users into downloading malicious MSIX packages, leading to the delivery of POWERTRASH, which loads NetSupport and Gracewire, typically associated with Lace Tempest.
In early December, Storm-0569 was observed distributing BATLOADER through SEO poisoning, spoofing legitimate software downloads like Zoom, Tableau, TeamViewer, and AnyDesk.
Around the same time, Storm-1674 delivered fake landing pages through messages on Teams, spoofing Microsoft services like OneDrive and SharePoint. Tenants created by the threat actor lure users into downloading spoofed applications, likely dropping SectopRAT or DarkGate.
The MSRC has released an “important” security update for CVE-2021-43890, which disables the ms-appinstaller URI scheme handler in App Installer build 1.21.3421.0. This means users cannot download and install apps from websites using this protocol.
Instead, the MSIX package is downloaded to a storage device, and users must manually install the app. Microsoft will continue to monitor malicious activity and advises against downloading or installing apps from unknown websites.
To reduce the threat, Microsoft recommends implementing phishing-resistant authentication methods for users, Conditional Access authentication strength for employees and external users for critical apps, and educating Microsoft Teams users to verify external tagging on communication attempts.
RELATED ARTICLES
- Microsoft signed a driver called Netfilter, it contained malware
- Microsoft Azure Exploited to Create Undetectable Cryptominer
- Microsoft-Signed Drivers Helped Hackers Breach System Defenses
- Microsoft Defender Flags Tor Browser as Win32/Malgent!MTB Malware
- Microsoft: Chinese Hackers Stole Signing Key to Breach Outlook Accounts