Microsoft Takes Swift Action Against Rising Threat: Disables MSIX App Installer Protocol Amidst Malicious Exploits


Introduction:

In a recent development, Microsoft has taken decisive steps to disable the ms-appinstaller protocol handler by default due to its widespread exploitation by threat actors in the distribution of malware. The Microsoft Threat Intelligence team has observed alarming activities that leverage this protocol handler as an access vector for malware, with potential consequences leading to ransomware distribution.

The Exploited Protocol:

The ms-appinstaller protocol handler, initially designed for legitimate application installations, has become a focal point for cybercriminals. Microsoft reports that multiple threat actors have been abusing this protocol, prompting the company to implement changes in App Installer version 1.21.3421.0 or higher.

Malware Kits for Sale:

A concerning revelation is the emergence of cybercriminals offering a malware kit for sale as a service, exploiting the MSIX file format and ms-appinstaller protocol handler. This marks a significant shift in the landscape of cyber threats, posing a new level of risk to users.

Attack Vectors and Techniques:

The attacks manifest in the form of signed malicious MSIX application packages, distributed through platforms like Microsoft Teams or disguised as malicious advertisements for popular software on search engines such as Google. At least four distinct financially motivated hacking groups have been identified employing these tactics.

  1. Storm-0569: This group utilizes SEO poisoning with fraudulent sites impersonating Zoom, Tableau, TeamViewer, and AnyDesk. It deploys BATLOADER and later hands off access to Storm-0506 for Black Basta ransomware deployment.

  2. Storm-1113: Operating as an initial access broker, this group distributes EugenLoader disguised as Zoom, acting as a conduit for various stealer malware and remote access trojans.

  3. Sangria Tempest (Carbon Spider and FIN7): Leveraging Storm-1113's EugenLoader, this group drops Carbanak and Gracewire implants. Alternatively, it employs Google ads to trick users into downloading malicious MSIX packages for distributing POWERTRASH, leading to NetSupport RAT and Gracewire deployment.

  4. Storm-1674: This entity uses fake landing pages through Teams messages, impersonating Microsoft OneDrive and SharePoint. Through TeamsPhisher, recipients are urged to open PDF files that trigger the download of malicious MSIX installers containing SectopRAT or DarkGate payloads.
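The protocol section above gives the App Installer build that ships the change (1.21.3421.0), and the attack vectors above all end with a user's browser handing an `ms-appinstaller:?source=...` URI to App Installer. The following Python is an added, illustrative example (not code from Microsoft or from the article) that checks an App Installer version string against that threshold and hunts proxy log lines for ms-appinstaller URIs whose package host is not on a site-defined allowlist. The log lines, the host allowlist and the domain names in them are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Build from the article: App Installer 1.21.3421.0 or higher disables the handler by default.
FIXED_APP_INSTALLER_VERSION = (1, 21, 3421, 0)

# Constructed allowlist: hosts this hypothetical organization expects MSIX packages from.
TRUSTED_MSIX_HOSTS = {"apps.example-corp.internal"}

# Matches an ms-appinstaller URI up to whitespace or a quote/angle bracket.
MS_APPINSTALLER_RE = re.compile(r"ms-appinstaller:\?[^\s\"'<>]+", re.IGNORECASE)


def parse_version(text):
    """Turn a dotted version such as '1.21.3421.0' into a comparable tuple."""
    return tuple(int(part) for part in text.strip().split("."))


def app_installer_has_fix(version_text):
    """True when the installed App Installer is at or above the build that disables the protocol."""
    return parse_version(version_text) >= FIXED_APP_INSTALLER_VERSION


def parse_ms_appinstaller_uri(uri):
    """Return the package URL, host and path that the URI would hand to App Installer."""
    source = parse_qs(uri.split("?", 1)[1]).get("source", [None])[0]
    if source is None:
        return None
    parts = urlsplit(source)
    return {"source": source, "host": (parts.hostname or "").lower(), "path": parts.path}


def scan_log_lines(lines):
    """Flag every ms-appinstaller URI whose package host is not in the allowlist."""
    findings = []
    for line in lines:
        for uri in MS_APPINSTALLER_RE.findall(line):
            info = parse_ms_appinstaller_uri(uri)
            if info and info["host"] not in TRUSTED_MSIX_HOSTS:
                findings.append({"line": line, "host": info["host"], "path": info["path"]})
    return findings


# Constructed sample proxy log lines; the domains are placeholders, not real indicators.
SAMPLE_LOG = [
    '2023-12-28T10:01:02Z user=alice url="https://search.example/ads?q=zoom" ref=""',
    '2023-12-28T10:01:09Z user=alice url="ms-appinstaller:?source=https://zoom-download.example/Zoom.msix" ref="https://search.example/ads?q=zoom"',
    '2023-12-28T10:05:00Z user=bob url="ms-appinstaller:?source=https://apps.example-corp.internal/LineOfBusiness.msix" ref=""',
]

if __name__ == "__main__":
    for finding in scan_log_lines(SAMPLE_LOG):
        print(f"untrusted MSIX source: host={finding['host']} path={finding['path']}")
```

Feed real proxy or browser-history exports to `scan_log_lines`, and compare the output of the App Installer package version on each endpoint against `app_installer_has_fix` to find machines still running a build that honours the protocol handler.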

Historical Precedent:

This is not the first time Microsoft has taken action against the MSIX ms-appinstaller protocol handler. In February 2022, a similar measure was implemented to prevent threat actors from delivering Emotet, TrickBot, and Bazaloader.

Conclusion:

The disabling of the ms-appinstaller protocol handler is a critical response by Microsoft to curb the escalating threat landscape. As threat actors continually evolve their tactics, the tech giant remains vigilant in safeguarding users against potential malware attacks. Users are urged to stay informed about these developments and ensure their systems are updated with the latest security measures to mitigate risks associated with malicious exploits.
