    Why is the main protocol disabled?

By ZEMS BLOG, January 6, 2024
In response to the rising threat of malware attacks, Microsoft took swift action by disabling the widely abused ms-appinstaller protocol handler. This move is part of Microsoft's effort to use its cyber threat intelligence tooling to counter the exploitation of this protocol by multiple threat actors intent on distributing malware. Ransomware is the major risk looming behind these campaigns.

    Hazard detection

Using its cyber threat intelligence tooling, the Microsoft Threat Intelligence team detected the ms-appinstaller protocol handler being abused as an access vector for malware distribution. As a result, the company decided to disable the protocol handler by default, with the aim of protecting users from the risks associated with this malicious activity.

Malware kits for sale

The threat is further exacerbated by cybercriminals selling malware-as-a-service kits built around the MSIX file format and the ms-appinstaller protocol handler. To address this emerging threat, Microsoft has shipped the change in App Installer version 1.21.3421.0 and later, a testament to the value of effective threat intelligence feeds.

    Attack method

The attacks, carried out by at least four financially motivated hacking groups, involve publishing signed malicious MSIX application packages. The attackers distribute these packages through trusted channels such as Microsoft Teams, and also disguise them as advertisements for legitimate software on search engines such as Google.
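The abuse described above leaves a trace that defenders can look for: a URL log (proxy, browser history, mail or Teams link telemetry) containing an `ms-appinstaller:` URI whose `source` parameter points at an MSIX package on a host the organization does not normally install software from. The following Python script is an added example, not code from the original post or from Microsoft; it assumes the documented `ms-appinstaller:?source=<package-url>` URI shape, a constructed log line format (`timestamp user=... url=...`), and a hypothetical allowlist of internal package hosts. It parses the sample lines, extracts the package source for every App Installer launch, and flags launches whose package host is not allowlisted.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample URL-log lines (not real telemetry). The hostnames and
# users are invented for the example.
SAMPLE_LOG = """\
2024-01-05T10:12:01Z user=alice url=https://www.example.com/index.html
2024-01-05T10:13:44Z user=bob url=ms-appinstaller:?source=https://zoom-download.example-typo.net/ZoomInstaller.msix
2024-01-05T10:14:02Z user=carol url=ms-appinstaller:?source=https%3A%2F%2Fapps.corp.example%2Fhr%2FTimesheet.msixbundle
2024-01-05T10:15:30Z user=dave url=https://teams.example.com/l/message/123
2024-01-05T10:16:11Z user=erin url=ms-appinstaller:?source=https://cdn.example-ads.net/adobe/setup.appinstaller
"""

# Hypothetical allowlist: hosts from which the organization legitimately
# serves MSIX packages. Everything else is treated as suspicious.
TRUSTED_PACKAGE_HOSTS = {"apps.corp.example"}

# Package and manifest extensions that App Installer consumes.
PACKAGE_EXTS = (".msix", ".msixbundle", ".appx", ".appxbundle", ".appinstaller")

# Assumed log line layout: "<timestamp> user=<name> url=<url>".
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+url=(?P<url>\S+)$")


def extract_appinstaller_source(url):
    """Return the decoded package URL from an ms-appinstaller: URI, else None."""
    if not url.lower().startswith("ms-appinstaller:"):
        return None
    # Everything after the scheme is a query string: "?source=<encoded url>".
    query = url.split(":", 1)[1].lstrip("?")
    sources = parse_qs(query).get("source")
    if not sources:
        return None
    # parse_qs already percent-decodes; unquote again for double-encoded input.
    return unquote(sources[0])


def scan_log(text, trusted_hosts=TRUSTED_PACKAGE_HOSTS):
    """Return one finding dict per App Installer launch found in the log text."""
    findings = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip lines that do not fit the assumed layout
        source = extract_appinstaller_source(match["url"])
        if source is None:
            continue  # ordinary web URL, not an App Installer launch
        parts = urlsplit(source)
        host = (parts.hostname or "").lower()
        findings.append({
            "ts": match["ts"],
            "user": match["user"],
            "source": source,
            "host": host,
            "is_package": parts.path.lower().endswith(PACKAGE_EXTS),
            "verdict": "allowlisted" if host in trusted_hosts else "suspicious",
        })
    return findings


def suspicious_hosts(findings):
    """Distinct non-allowlisted package hosts, useful for blocking or hunting."""
    return sorted({f["host"] for f in findings if f["verdict"] == "suspicious"})


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['user']:<6} {f['verdict']:<11} {f['source']}")
    print("hosts to review:", ", ".join(suspicious_hosts(scan_log(SAMPLE_LOG))))
```

The allowlist is the policy decision: an organization that never serves MSIX packages from the internet can treat every `ms-appinstaller:` launch as worth reviewing, while one that uses App Installer internally keeps its package hosts in `TRUSTED_PACKAGE_HOSTS` and reviews the rest.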

    Diverse threat actors at work

Several hacking groups have been identified exploiting the App Installer service since mid-November 2023. Each uses distinct tactics, which underscores the need for robust threat intelligence feeds:

    1. Storm-0569: Uses SEO poisoning with spoofed sites to spread BATLOADER, which in turn delivers Cobalt Strike and Black Basta ransomware.
    2. Storm-1113: Distributes EugenLoader disguised as Zoom, serving as an entry point for various information stealers and remote access trojans.
    3. Sangria Tempest (also known as Carbon Spider and FIN7): Uses Storm-1113's EugenLoader to drop Carbanak and distributes POWERTRASH through Google Ads.
    4. Storm-1674: Sends fake landing pages via Teams messages that encourage users to download malicious MSIX installers carrying SectopRAT or DarkGate payloads.

    Microsoft: Ongoing threats and past actions

This is not the first time Microsoft has disabled the MSIX ms-appinstaller protocol handler. In February 2022, the company took the same step to block the delivery of Emotet, TrickBot, and BazaLoader. The protocol's attractiveness to threat actors lies in its ability to circumvent security mechanisms, which is exactly what makes it a major risk to user safety.

While Microsoft points to its past actions and remains vigilant against evolving cybersecurity threats, it urges users to stay informed and follow best practices to strengthen their digital security. This includes applying updates regularly, being careful with downloads, and keeping up with emerging threats, all of which highlights the importance of cyber threat intelligence tools.


