Monday, December 23, 2024

Cybersecurity: Microsoft disables its App Installer scheme; Know why

Threat actors were using the ms-appinstaller URI scheme (App Installer) to distribute malware, so Microsoft disabled it. The company has been monitoring these actors since mid-November 2023 and has now disabled the ms-appinstaller protocol handler by default. Hackers used the ms-appinstaller protocol handler to bypass security controls, potentially distributing ransomware.

Microsoft disabled its ms-appinstaller URI scheme (App Installer) after threat actors used it to distribute malware. Microsoft Threat Intelligence wrote in a blog post that it has been monitoring these threat actors since mid-November 2023.

Microsoft said: “Since mid-November 2023, Microsoft Threat Intelligence has observed financially motivated threat actors like Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674 using the ms-appinstaller URI scheme (App Installer) to distribute malware.”

In addition to protecting customers from observed attacker activity, Microsoft investigated the use of App Installer in these attacks. Microsoft disabled the ms-appinstaller protocol handler by default in response to this activity.

The tech giant notes the threat actor’s exploitation of the ms-appinstaller protocol handler. This misuse allows malware to spread, including ransomware.

Microsoft also observed cybercriminals selling a malware kit as a service that abuses the MSIX file format and the ms-appinstaller protocol handler.

The company said, “Threat actors distribute signed malicious MSIX application packages via websites with malicious ads for popular software.” Storm-1674 also uses Microsoft Teams phishing.

Microsoft says hackers likely chose the ms-appinstaller protocol handler vector because “it can bypass mechanisms designed to help keep users safe from malware, such as Microsoft Defender SmartScreen and built-in browser warnings for downloads of executable file formats”. Microsoft Threat Intelligence found many ransomware gangs using App Installer in mid-November.

According to the report, the activity includes spoofing legitimate applications, tricking users into installing malicious MSIX packages, and evading initial installation file detections.
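For defenders who want to confirm that the handler Microsoft describes is actually switched off on their own endpoints, here is an added audit example; it is not code from the article or from Microsoft, and it assumes that the administrative policy lives at the registry path and value name given in the comments and that the protocol registration is the `ms-appinstaller` key under HKEY_CLASSES_ROOT.

```powershell
# Added audit example (not from the article or from Microsoft): reports whether the
# ms-appinstaller protocol handler is still enabled on this Windows host.
# Assumptions: the Group Policy setting is stored as the DWORD
# EnableMSAppInstallerProtocol under HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller
# (0 = disabled), and the URI scheme, when registered, is the HKCR key 'ms-appinstaller'
# carrying a 'URL Protocol' value.
function Get-MsAppInstallerStatus {
    [CmdletBinding()]
    param()

    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'
    $policyName = 'EnableMSAppInstallerProtocol'
    $protoPath  = 'Registry::HKEY_CLASSES_ROOT\ms-appinstaller'

    # Policy value: 0 means an administrator explicitly disabled the handler.
    $policy = $null
    if (Test-Path $policyPath) {
        $policy = (Get-ItemProperty -Path $policyPath -Name $policyName -ErrorAction SilentlyContinue).$policyName
    }

    # Protocol registration: without the key and its 'URL Protocol' marker,
    # nothing on the host can launch ms-appinstaller: URIs from a browser.
    $registered  = Test-Path $protoPath
    $urlProtocol = $false
    if ($registered) {
        $urlProtocol = $null -ne (Get-ItemProperty -Path $protoPath -Name 'URL Protocol' -ErrorAction SilentlyContinue)
    }

    # One verdict per host so the output can be aggregated fleet-wide.
    if ($policy -eq 0) { $verdict = 'DisabledByPolicy' }
    elseif (-not $registered -or -not $urlProtocol) { $verdict = 'NotRegistered' }
    elseif ($policy -eq 1) { $verdict = 'EnabledByPolicy' }
    else { $verdict = 'NoPolicy_DependsOnAppInstallerVersion' }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        PolicyValue     = $policy
        ProtocolKey     = $registered
        UrlProtocolFlag = $urlProtocol
        Verdict         = $verdict
    }
}

# Run locally; pipe to Export-Csv when collecting results across many hosts.
Get-MsAppInstallerStatus | Format-List
```

A host reporting anything other than `DisabledByPolicy` or `NotRegistered` still relies on the App Installer build itself to refuse the scheme, so treat it as a candidate for the explicit policy setting.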

Conclusion

After threat actors used the ms-appinstaller URI scheme (App Installer) to distribute malware, Microsoft disabled it. Since mid-November 2023, the tech giant has monitored these actors’ use of the App Installer protocol handler. According to the company, cybercriminals sell malware kits that abuse MSIX and ms-appinstaller. The hackers likely chose the ms-appinstaller protocol handler vector because it bypasses malware protections. Spoofing legitimate applications, tricking users into installing malicious MSIX packages, and evading initial installation file detections were all observed.

Nitin Gohil
A Mumbai-based tech professional with a passion for writing about his field: through his columns and blogs, he loves exploring and sharing insights on the latest trends, innovations, and challenges in technology, designing and integrating marketing communication strategies, client management, and analytics. His favourite quote is, "Let's dive into the fascinating world of tech together."
