MSIX App Installer Disabled Amid Microsoft Malware Attacks
In a recent announcement, Microsoft disclosed that it has once again disabled the ms-appinstaller protocol handler by default, in response to its continued exploitation by several threat actors for malware distribution.
The move responds to ongoing abuse of the Windows AppX Installer spoofing vulnerability, tracked as CVE-2021-43890, which Microsoft first documented in December 2021. The renewed abuse has put MSIX security back in focus.
In this blog post, we’ll look at the recent developments surrounding these Microsoft malware attacks, focusing on why the MSIX App Installer protocol handler has been disabled and what that means for keeping users protected.
Background On The Microsoft Malware Attacks
The vulnerability had previously been exploited by attackers who crafted packages carrying ransomware. At the time, Microsoft’s guidance was either to update to the latest App Installer version or to disable the ms-appinstaller protocol through the Group Policy setting “Enable App Installer ms-appinstaller protocol”. A resurgence in exploitation of the App Installer vector has now prompted Microsoft to issue new guidance.
Threat Actor Activity
The Microsoft Threat Intelligence team has observed threat actors abusing the current implementation of the ms-appinstaller protocol handler as an access vector for malware, which in several cases has led to ransomware deployment. This underlines the need for secure software installation practices, since an installer that bypasses download-time checks is an attractive foothold.
Notably, cybercriminals are selling a malware kit as a service that packages payloads in the MSIX file format and delivers them through the ms-appinstaller protocol handler. The change that disables the handler by default ships in App Installer version 1.21.3421.0 and later.
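The guidance above (update App Installer, or disable the protocol by policy) can be checked and enforced on a single host with the following added example, which is not code from the original post or from Microsoft. It assumes an elevated PowerShell session and that the Group Policy setting “Enable App Installer ms-appinstaller protocol” writes the `EnableMSAppInstallerProtocol` DWORD under `HKLM\SOFTWARE\Policies\Microsoft\Windows\AppInstaller`, which is the policy location documented for the Desktop App Installer ADMX; the version threshold is the one quoted in this post.

```powershell
# Added example (not from the original post or Microsoft): audit App Installer
# exposure and disable the ms-appinstaller protocol handler via the policy value
# that the "Enable App Installer ms-appinstaller protocol" GPO writes.
# Assumptions: run elevated; policy path and value name as documented for the
# Desktop App Installer ADMX.

# Build in which the handler ships disabled by default (figure quoted in the post).
$FixedVersion = [version]'1.21.3421.0'
$PolicyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'
$PolicyValue  = 'EnableMSAppInstallerProtocol'

function Get-AppInstallerVersion {
    # Desktop App Installer is delivered as the Microsoft.DesktopAppInstaller package.
    $pkg = Get-AppxPackage -Name 'Microsoft.DesktopAppInstaller' -ErrorAction SilentlyContinue |
           Sort-Object { [version]$_.Version } -Descending | Select-Object -First 1
    if ($pkg) { return [version]$pkg.Version }
    return $null
}

function Get-MsAppInstallerPolicy {
    # Returns 0 (disabled by policy), 1 (enabled by policy) or $null (not configured).
    $item = Get-ItemProperty -Path $PolicyPath -Name $PolicyValue -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$PolicyValue
}

function Disable-MsAppInstallerProtocol {
    # An explicit policy value makes the state independent of which App Installer
    # build is present and of any future change to the built-in default.
    if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
    New-ItemProperty -Path $PolicyPath -Name $PolicyValue -Value 0 -PropertyType DWord -Force | Out-Null
}

$version = Get-AppInstallerVersion
$policy  = Get-MsAppInstallerPolicy

Write-Host "App Installer version : $(if ($version) { $version } else { 'not installed' })"
Write-Host "Protocol policy value : $(if ($null -eq $policy) { 'not configured' } else { $policy })"

# Exposed if an older build is present without the policy forcing it off,
# or if someone has explicitly re-enabled the handler by policy.
$exposed = ($null -ne $version -and $version -lt $FixedVersion -and $policy -ne 0) -or
           ($null -ne $version -and $policy -eq 1)

if ($exposed) {
    Write-Warning 'ms-appinstaller handler may be enabled; applying policy to disable it.'
    Disable-MsAppInstallerProtocol
    Write-Host "Policy value now : $(Get-MsAppInstallerPolicy)"
} else {
    Write-Host 'ms-appinstaller handler is disabled by policy or by default in this build.'
}
```

For a fleet, push the same setting through Group Policy or your MDM rather than per-host scripts; the script is useful for verifying that the policy actually landed on a given machine, and for the case where App Installer is pinned to an old build that cannot be updated yet.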
Microsoft Malware Attacks – The Methods
Several financially motivated hacking groups have been identified exploiting the App Installer service since mid-November 2023. The attacks involve signed malicious MSIX application packages distributed through Microsoft Teams or deceptive advertisements on popular search engines.
These attacks have been attributed to groups such as Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674, each employing unique tactics for infiltration and subsequent ransomware activities.
Storm-0569
- Acts as an initial access broker.
- Propagates BATLOADER through SEO poisoning.
- Deploys Cobalt Strike and facilitates Black Basta ransomware deployment.
Storm-1113
- Functions as an initial access broker.
- Utilizes bogus MSIX installers masquerading as Zoom to distribute EugenLoader.
- Acts as a conduit for various stealer malware and remote access trojans.
Sangria Tempest (Carbon Spider and FIN7)
- Uses EugenLoader from Storm-1113 to drop Carbanak.
- Relies on Google ads to distribute malicious MSIX application packages and POWERTRASH.
Storm-1674
- Operates as an initial access broker.
- Sends landing pages masquerading as Microsoft OneDrive and SharePoint through Teams messages.
- Uses the TeamsPhisher tool to distribute a malicious MSIX installer carrying SectopRAT or DarkGate payloads.
Previous Incidents
This isn’t the first time Microsoft has disabled the MSIX ms-appinstaller protocol handler. In February 2022 it took the same step to cut off delivery of Emotet, TrickBot, and BazaLoader through this vector. The repeat shows why a layered defence, rather than a single patch, is needed to keep this installation path from being abused again.
Reason for Exploitation
Threat actors favour the ms-appinstaller protocol handler because it sidesteps the safety mechanisms that normally stand between a user and a downloaded executable. When a web page launches App Installer through an ms-appinstaller: link, the package is fetched and installed by App Installer itself, so Microsoft Defender SmartScreen and the browser’s built-in warnings for executable downloads are never shown. Keeping App Installer and Windows patched remains essential, but where the handler is not needed, disabling it removes the bypass altogether.
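Because the download happens outside the browser’s warning path, the best places to spot this vector are the lure page itself and the proxy’s view of the package fetch. The following added example (not code from the original post) hunts for ms-appinstaller: links in captured HTML and for MSIX/appinstaller fetches in proxy logs. The HTML snippet, the log lines and their column layout are constructed for this example; the only assumption about the real world is the documented link form `ms-appinstaller:?source=<URL>`, which hands the URL to App Installer.

```powershell
# Added example (not from the original post): hunt for ms-appinstaller: links in
# web content and for package fetches in proxy logs. All sample data below is
# constructed; the link form ms-appinstaller:?source=<URL> is the documented one.

# Constructed HTML snippet: a lure page that launches App Installer from the browser.
$html = @'
<a href="ms-appinstaller:?source=https://cdn.example-lure.net/ZoomInstaller.msix">Download Zoom</a>
<a href="https://example.com/legit.pdf">Whitepaper</a>
<a href="MS-APPINSTALLER:?source=https://files.example-lure.net/OneDrive.appinstaller">Open</a>
'@

# Constructed proxy log lines (timestamp, client, method, status, content type, url).
$proxyLog = @'
2023-11-20T10:01:02Z 10.0.0.12 GET 200 text/html https://cdn.example-lure.net/zoom-download.html
2023-11-20T10:01:05Z 10.0.0.12 GET 200 application/msix https://cdn.example-lure.net/ZoomInstaller.msix
2023-11-20T10:03:14Z 10.0.0.33 GET 200 text/html https://example.com/index.html
'@

# Case-insensitive match on the handler scheme; capture the package URL it points at.
$uriPattern = '(?i)ms-appinstaller:\?source=(?<source>https?://[^\s"''<>]+)'

function Find-MsAppInstallerLinks {
    param([string]$Text)
    # Returns the remote package URLs that App Installer would be told to fetch.
    [regex]::Matches($Text, $uriPattern) | ForEach-Object { $_.Groups['source'].Value }
}

function Find-PackageDownloads {
    param([string[]]$Lines)
    # Flags proxy entries fetching MSIX/appinstaller content: this is what a
    # successful ms-appinstaller: launch looks like on the wire, with no
    # browser download prompt on the endpoint.
    $Lines | Where-Object {
        $_ -match '(?i)\.(msix|msixbundle|appx|appxbundle|appinstaller)(\?|\s|$)' -or
        $_ -match '(?i)application/(msix|appx|appinstaller)'
    }
}

$links = @(Find-MsAppInstallerLinks -Text $html)
Write-Host "ms-appinstaller links found: $($links.Count)"
$links | ForEach-Object { Write-Host "  package source: $_" }

$hits = @(Find-PackageDownloads -Lines ($proxyLog -split '\r?\n'))
Write-Host "proxy lines fetching package content: $($hits.Count)"
$hits | ForEach-Object { Write-Host "  $_" }
```

On the constructed data the first function returns both lure URLs (the scheme match is case-insensitive, since browsers treat the scheme that way) and the second returns the single `.msix` fetch. In production, feed the first function the body of pages your proxy or mail gateway captures, and the second your real proxy export with the URL and content-type fields mapped to that format; a package fetch immediately after a visit to a search-ad landing page is the pattern the post describes.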
Conclusion
In conclusion, Microsoft’s decision to disable the ms-appinstaller protocol handler by default underscores the seriousness of the ongoing threat. MSIX security has become a central part of maintaining a resilient software ecosystem.
Users are strongly advised to update to App Installer version 1.21.3421.0 or later, which disables the handler by default. Organizations that cannot update yet should disable the ms-appinstaller protocol through Group Policy until they can.
As the cybersecurity landscape continues to evolve, staying vigilant and following established best practices remains the surest way to guard against emerging threats. Malicious software prevention remains a top priority in our own cybersecurity measures.
Stay safe!
The sources for this piece include articles in The Hacker News and Bleeping Computer.