After many virus attacks, Microsoft disables one of its own software products.

After many virus attacks, Microsoft disables one of its own software products.

After many virus attacks, Microsoft disables one of its own software products.

Microsoft discovered further evidence of hackers utilizing the ms-appinstaller protocol handler to spread malware, so it blocked it by default.

"The observed threat actor activity abuses the current implementation of the ms-appinstaller protocol handler as an access vector for malware that may lead to ransomware distribution," Microsoft stated in a recent security bulletin.

Furthermore, the massive Redmond company observed hackers hawking malware kits on the dark web that utilize the ms-appinstaller protocol handler and the MSIX file format.

Four actors that pose a threat

It appears that threat actors are fabricating dangerous phony advertisements for well-known and reputable applications in order to sway people to websites that they own. They deceive people into downloading malware there. According to the company, phishing via Microsoft Teams is a second dissemination route.
According to the advice, "the ms-appinstaller protocol handler vector has probably been selected by threat actors because it can evade defenses against malware, like Microsoft Defender SmartScreen and integrated browser alerts for downloading executable file formats."
Microsoft went on to say that since mid-November of this year, at least four threat actors—Storm-0569, Storm-1113, Sangria Tempest (also known as FIN7), and Storm-1674—have exploited the App Installer service. The former serves as an access broker and typically transfers access to Storm-0506, which proceeds to install the ransomware Black Basta. Gracewire was dropped by FIN7, which researchers had also seen posing as banking software earlier this week. Meanwhile, Storm-1674 masquerades as Microsoft OneDrive and SharePoint through Teams messaging. 
With the App Installer version 1.21.3421.0 or higher, the handler is deactivated.
According to TheHackerNews, this is not the first instance of MSIX Windows app package files being misused for malware dissemination. Elastic Security Labs discovered in October 2023 that these files for Microsoft Edge, Brave, Grammarly, Google Chrome, and Cisco Webex were being used to spread a malware loader known as GHOSTPULSE. Furthermore, Microsoft previously turned off the handler in February of last year.

Share this Post


Leave a comment