In response to the escalating threat of malware attacks, the Microsoft Project team has swiftly taken action by disabling the widely abused ms-appinstaller protocol handler. This strategic move is part of Microsoft’s efforts to utilize its cyber threat intelligence tools to counter the alarming exploitation of this protocol by multiple threat actors intent on distributing malware. Ransomware attacks are looming as a significant risk.
Unveiling the Menace
The Microsoft Threat Intelligence team, leveraging advanced cyber threat intelligence tools, uncovered the exploitation of the ms-appinstaller protocol handler as an access vector for malware distribution. As a result, the company decided to disable the protocol handler by default. The company aims to protect users from potential dangers associated with malicious activities.
Malware Microsoft Project: Kit for Sale
Compounding the threat, cybercriminals are actively selling a malware kit as a service, leveraging the MSIX file format and the ms-appinstaller protocol handler. To address this emerging threat, Microsoft implemented changes in the App Installer version 1.21.3421.0 and higher, a testament to the value of effective threat intelligence feeds.
Method of Attack
The attacks orchestrated by at least four financially motivated hacking groups involve the deployment of signed malicious MSIX application packages. The scammers deceptively distribute these packages through trusted channels like Microsoft Teams. They also disguise them as advertisements for legitimate software on search engines like Google.
Diverse Threat Actors in Action
Several hacking groups have been identified exploiting the App Installer service since mid-November 2023. Each employs distinct tactics and underscores the need for robust threat intelligence feeds:
- Storm-0569: Uses SEO poisoning with spoofed sites to propagate BATLOADER, deploying Cobalt Strike and Black Basta ransomware.
- Storm-1113: Distributes EugenLoader disguised as Zoom, serving as an entry point for various stealer malware and remote access trojans.
- Sangria Tempest (Carbon Spider and FIN7): Leverages Storm-1113’s EugenLoader to drop Carbanak and distribute POWERTRASH through Google ads.
- Storm-1674: Sends fake landing pages through Teams messages. It also encourages users to download malicious MSIX installers containing SectopRAT or DarkGate payloads.
Microsoft: Persistent Threats and Past Actions
This isn’t the first time Microsoft has disabled the MSIX ms-appinstaller protocol handler. In February 2022, the company has also taken a similar step to thwart Emotet, TrickBot, and Bazaloader delivery. The protocol’s attractiveness to threat actors lies in its ability to circumvent security mechanisms. However, that poses a significant challenge for user safety.
As Microsoft lists its past actions and remains vigilant in combating evolving cybersecurity threats, it urges users to stay informed and employ best practices to enhance their digital security. This includes regular updates, exercising caution with downloads, and staying informed about emerging threats in the ever-evolving landscape of online security, highlighting the importance of cyber threat intelligence tools.