Microsoft Turns Off a Significant Windows App Install Mechanism Known for Spreading Malware

Disabled MSIX ms-appinstaller Protocol handler

Microsoft Disabled a Feature “MSIX App Installer Protocol”

Microsoft has disabled a mechanism intended to simplify installing Windows apps, after cybercriminals began using it to spread malware loaders that led to ransomware and backdoor outbreaks.

The feature in question is the ms-appinstaller uniform resource identifier (URI) scheme, and its original purpose was to make deploying Windows programs to devices simpler.

Microsoft’s security team revealed in a blog post in mid-November 2023 that criminal hackers have been abusing the tool to distribute loader malware.

According to Microsoft, attackers have been spreading signed, malicious MSIX application packages built to exploit the protocol handler, delivered through phishing messages in Microsoft Teams and fraudulent advertisements for widely recognized applications.

Microsoft has launched several technologies that aim to make installing new software on Windows computers easier. App Installer, an application setup tool integrated into the operating system, is one of them. It lets users install applications distributed in the widely used MSIX file format.

Using App Installer, developers can install packaged Microsoft Store apps in MSIX format directly from the web without going through the Store; this method was once referred to as “side-loading.”

However, given this incident, it is questionable whether Microsoft can assure users that software packages obtained from outside its Store are secure. As Microsoft explains, the attackers who abused the App Installer protocol were able to mimic legitimate software installations closely enough that they looked exactly like the real thing.

“In response to this activity, Microsoft has disabled the ms-appinstaller protocol handler by default,” according to the researchers.

Categories of Activities:

According to Microsoft’s security professionals, every attack found to abuse the ms-appinstaller handler installs loader malware on an endpoint, which then aids further infections. Microsoft has been analyzing the following categories of activity:

The attacks started in the middle of November 2023. Microsoft attributes them to four financially motivated threat actors: Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674.

Activity 1:

Storm-1113 and Sangria Tempest, two cybercrime groups, used search engine advertisements to disseminate their malware. Users who clicked the advertisements were prompted to download malicious MSIX files that posed as legitimate applications.

Activity 2:

Microsoft suspects that Sangria Tempest possibly used Storm-1113’s infrastructure to facilitate its intrusions. Sangria Tempest used the malicious advertising to conduct extortion and ransomware attacks.

Activity 3:

Storm-0569, another criminal actor, distributed malware through fraudulent websites designed to appear in Google and Bing search results for genuine business applications.

Activity 4:

Microsoft says the malware used by the hackers was disguised as software from business software vendors including Salesforce Inc., Zoom Communications, Inc., and Tableau.

Activity 5:

Microsoft identified that the fourth threat actor was using Microsoft Teams messages to spread malware. The links in those messages led to websites that imitated the landing pages of popular apps such as SharePoint and OneDrive. The websites tried to deceive users into installing dangerous MSIX applications.

Since Microsoft disabled the ms-appinstaller protocol handler, Windows administrators can no longer install Windows programs directly from a server onto an endpoint. Instead, they must download the software package to the endpoint and launch the installation from there.
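The phishing links and malicious ads described above all end in an ms-appinstaller: URI that hands a remote MSIX package to App Installer. As an added example that is not part of this article or of Microsoft's tooling, the following Python triage helper flags such URIs in proxy or mail-gateway logs and checks whether the package host is on an allow-list; the URI shape `ms-appinstaller:?source=<package-url>` follows Microsoft's public App Installer documentation, while the log format, host names and allow-list are constructed.

```python
"""Flag ms-appinstaller: links in proxy or mail-gateway logs (defensive triage)."""
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed allow-list: hosts this organisation trusts to serve MSIX packages.
TRUSTED_PACKAGE_HOSTS = {"packages.example-corp.internal"}

def parse_appinstaller_uri(uri):
    """Return the package URL behind an ms-appinstaller: URI.

    None means the scheme is something else; "" means the scheme matched
    but no usable source= parameter was present.
    """
    parts = urlsplit(uri.strip())           # urlsplit lower-cases the scheme
    if parts.scheme != "ms-appinstaller":
        return None
    # For a scheme-only URI, urlsplit puts "?source=..." in .query; parse_qs
    # percent-decodes once, unquote() covers a double-encoded source value.
    return unquote(parse_qs(parts.query).get("source", [""])[0])

def classify(uri):
    """Classify one URI: clean, or by trust of the package host it points to."""
    src = parse_appinstaller_uri(uri)
    if src is None:
        return "clean"
    host = (urlsplit(src).hostname or "").lower()
    if not host:
        return "appinstaller-malformed"
    return "appinstaller-trusted" if host in TRUSTED_PACKAGE_HOSTS else "appinstaller-untrusted"

def scan_log(lines):
    """Return (user, verdict, package_url) for every line that invokes the handler."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        # Constructed log format: ISO timestamp, user, requested URL (tab-separated).
        _ts, user, url = line.rstrip("\n").split("\t", 2)
        verdict = classify(url)
        if verdict != "clean":
            findings.append((user, verdict, parse_appinstaller_uri(url)))
    return findings

# Constructed sample: a user lured from a search ad to an untrusted package, a user
# installing a line-of-business package from the trusted host, and benign traffic.
SAMPLE_LOG = [
    "2023-11-20T10:01:00Z\talice\thttps://search.example/?q=zoom+download",
    "2023-11-20T10:01:07Z\talice\tms-appinstaller:?source=https://zoom-downloads.example/ZoomInstaller.msix",
    "2023-11-20T10:05:12Z\tbob\tms-appinstaller:?source=https%3A%2F%2Fpackages.example-corp.internal%2FLob.msix",
    "2023-11-20T10:09:44Z\tcarol\thttps://intranet.example-corp.internal/",
]
```

Trusted hits are still reported so an analyst sees every use of the handler; only the verdict differs.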

Although Microsoft first announced on Thursday that it had turned off the protocol handler by default, the move most likely happened earlier this month, judging by complaints from frustrated users who said it had “a massive effect on enterprise use.”

Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.